Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

From: Michal Zalewski (lcamtufat_private)
Date: Sat Jul 03 1999 - 15:55:09 PDT


On Tue, 17 Aug 1999, Bill Nottingham wrote:

> A buffer overflow existed in libtermcap's tgetent() function,
> which could cause the user to execute arbitrary code if they
> were able to supply their own termcap file.
>
> Under Red Hat Linux 5.2 and 4.2, this could lead to local users
> gaining root privileges, as xterm (as well as other possibly
> setuid programs) are linked against libtermcap. Under Red Hat
> Linux 6.0, xterm is not setuid root.
>
> Thanks go to Kevin Vajk and the Linux Security Audit team for
> noting and providing a fix for this vulnerability.

So, here I am.

Well, as this vulnerability has become well-known, I have nothing to lose,
enjoy: most terminfo-based programs will accept a TERM variable set to
e.g. '../../../tmp/x'. All we have to do is to provide 'our own termcap
file', set TERM, then execute the vulnerable program w/ terminfo support. In
fact, the in.telnetd daemon shipped e.g. with RH 6.0 /as well as with many
other recent distributions based on terminfo entries/ is vulnerable... And
the TERM variable can be passed using the telnet ENVIRON option during protocol
negotiation before the login procedure... Guess what? ;) Almost remote root
(well, all you have to do locally is putting /tmp/x).

_______________________________________________________________________
Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
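The root cause the reply points at is that a terminfo-based program turns the untrusted TERM value straight into a file path, so a value like '../../../tmp/x' escapes the terminfo directory. Below is an added example (not code from the original post, from libtermcap, or from in.telnetd) of the check a defender would put in front of that lookup: a conservative validator for terminal names, plus a path builder that only runs after validation. The 64-character limit and the accepted character set are this example's own assumptions, chosen to match real terminal names such as "xterm-256color"; they are not taken from any terminfo implementation.

```c
/*
 * Added example: reject TERM values that could redirect a terminfo or
 * termcap lookup outside its database directory.
 * The length bound and the character allowlist are assumptions of this
 * example, not values from any real terminfo library.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TERM_NAME_MAX 64   /* assumed upper bound for a sane terminal name */

/* Returns 1 if `term` is safe to use as an entry name, 0 otherwise. */
int term_name_is_safe(const char *term)
{
    if (term == NULL)
        return 0;

    size_t len = strlen(term);
    if (len == 0 || len > TERM_NAME_MAX)
        return 0;

    /* A leading dot covers ".", ".." and hidden files. */
    if (term[0] == '.')
        return 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)term[i];
        /* Any separator would move the lookup to another directory. */
        if (c == '/' || c == '\\')
            return 0;
        /* Allowlist: letters, digits and the "+-._" seen in real names. */
        if (!isalnum(c) && c != '+' && c != '-' && c != '.' && c != '_')
            return 0;
    }
    return 1;
}

/*
 * Build "<dir>/<first char>/<term>", the layout a terminfo lookup uses,
 * but only after the name has passed validation.
 * Returns 0 on success, -1 if the name is rejected or `out` is too small.
 */
int terminfo_path(const char *dir, const char *term, char *out, size_t outsz)
{
    if (!term_name_is_safe(term))
        return -1;

    int n = snprintf(out, outsz, "%s/%c/%s", dir, term[0], term);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample values: one ordinary name, one traversal attempt. */
    const char *samples[] = { "xterm", "../../../tmp/x" };
    char path[128];

    for (size_t i = 0; i < 2; i++) {
        if (terminfo_path("/usr/share/terminfo", samples[i], path, sizeof path) == 0)
            printf("accepted %-16s -> %s\n", samples[i], path);
        else
            printf("rejected %s\n", samples[i]);
    }
    return 0;
}
```

The validator is deliberately an allowlist rather than a search for "..": a blocklist would still let through an absolute path or a name with an embedded separator, and the allowlist is what makes the later `snprintf` safe to reason about.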
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:56:58 PDT