Michal Zalewski wrote: > Well, as this vunerability become well-known, I have nothing to loose, > enjoy: most of terminfo-based programs will accept TERM variable set to > eg. '../../../tmp/x'. All we have to do is to provide 'our own termcap > file', set TERM, then execute vunerable program w/terminfo support. In > fact, in.telnetd daemon shipped eg. with RH 6.0 /as well as with many > other recent distributions based on terminfo entries/, is vunerable... And > TERM variable can be passed using telnet ENVIRON option during protocol > negotiation before login procedure... Guess what?;) Almost remote root > (well, all you have to do locally is puting /tmp/x). Are you referring to terminfo or termcap? They are designed differently, refer to different files and use different code. Regards, Joey -- GNU does not eliminate all the world's problems, only some of them. -- The GNU Manifesto
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:26 PDT