On Sun, 4 Jul 1999, Michal Zalewski wrote: > [...] most of terminfo-based programs will accept TERM variable set to > eg. '../../../tmp/x'. All we have to do is to provide 'our own termcap > file', set TERM, then execute vunerable program w/terminfo support. In > fact, in.telnetd daemon shipped eg. with RH 6.0 /as well as with many > other recent distributions based on terminfo entries/, is vunerable... Oh, haven't said, for clearance... I'm talking about terminfo support and tgetent() function implemented in libncurses, which is buggy as well, while ncurses allows '../' tricks. _______________________________________________________________________ Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM] [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};: [voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69] Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:03 PDT