Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

From: Martin Schulze (joeyat_private)
Date: Thu Aug 19 1999 - 07:23:31 PDT


    Michal Zalewski wrote:
    > Well, as this vulnerability became well-known, I have nothing to lose,
    > enjoy: most terminfo-based programs will accept TERM variable set to
    > e.g. '../../../tmp/x'. All we have to do is to provide 'our own termcap
    > file', set TERM, then execute vulnerable program w/terminfo support. In
    > fact, in.telnetd daemon shipped e.g. with RH 6.0 /as well as with many
    > other recent distributions based on terminfo entries/, is vulnerable... And
    > TERM variable can be passed using telnet ENVIRON option during protocol
    > negotiation before login procedure... Guess what?;) Almost remote root
    > (well, all you have to do locally is putting /tmp/x).
    
    Are you referring to terminfo or termcap?  They are designed differently,
    refer to different files and use different code.
    
    Regards,
    
    	Joey
    
    --
    GNU does not eliminate all the world's problems, only some of them.
                                                    -- The GNU Manifesto
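
A defensive check for the issue discussed in this thread, as an added example that is not part of the original messages or of any project's code: a daemon that receives TERM from a remote client can refuse any value that could be interpreted as a path before a terminal database lookup sees it. The function names, the 64-byte limit, the character allow-list and the `dumb` fallback are assumptions made for this illustration.

```c
/* Added example: allow-list check for a client-supplied TERM value. */
#include <stdio.h>
#include <string.h>

#define TERM_NAME_MAX 64  /* assumption: generous upper bound for a terminal name */

/* Returns 1 if `term` is a plain terminal name that cannot act as a path. */
int term_name_is_safe(const char *term)
{
    /* Assumed allow-list: characters seen in ordinary terminal names. */
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789+-._";
    size_t len;

    if (term == NULL)
        return 0;
    len = strlen(term);
    if (len == 0 || len > TERM_NAME_MAX)
        return 0;
    if (term[0] == '.')          /* rejects ".", ".." and "../" prefixes */
        return 0;
    /* strspn counts leading allowed bytes; '/' or a control byte stops it early. */
    return strspn(term, allowed) == len;
}

/* Hypothetical helper: the value a login daemon would export as TERM. */
const char *term_for_session(const char *received)
{
    return term_name_is_safe(received) ? received : "dumb";
}

int main(void)
{
    /* Constructed sample values, including the one quoted in the thread. */
    const char *samples[] = { "xterm", "vt100", "screen.xterm-256color",
                              "../../../tmp/x", "/tmp/x", "..", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i], term_for_session(samples[i]));
    return 0;
}
```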
    


