Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

From: Aaron Campbell (aaronat_private)
Date: Thu Aug 19 1999 - 09:55:26 PDT


    On Sun, 4 Jul 1999, Michal Zalewski wrote:
    
    > Well, as this vulnerability became well-known, I have nothing to lose,
    > enjoy: most of terminfo-based programs will accept TERM variable set to
    > eg. '../../../tmp/x'. All we have to do is to provide 'our own termcap
    > file', set TERM, then execute vulnerable program w/terminfo support. In
    > fact, in.telnetd daemon shipped eg. with RH 6.0 /as well as with many
    > other recent distributions based on terminfo entries/, is vulnerable... And
    
    That's nothing new, I pointed that out on Bugtraq nearly 2 years ago in
    November 1997. In fact, that's the same example I used (../../../tmp/x).
    On my test system at the time (Slackware), longer pathnames would be
    chopped off at the end.
    
    In general, I consider it dangerous for a program running with elevated
    privileges to trust a user-supplied terminfo/termcap file. Last year I
    found a buffer overflow in ncurses and OpenBSD was changed to not trust
    user-supplied term files when the invoked program is setuid/setgid. A
    reasonable precaution; too much could go wrong otherwise.
    
    I also discovered a divide-by-zero bug (again, tickled only by a malformed
    terminfo file), which isn't as serious, but could be used to crash some
    programs, etc. This was also reported and fixed...
    
      .
     :  Aaron Campbell <aaronat_private> - [ http://www.biodome.org/~fx ]
      `-------------------------------------------------------------------
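The mail argues that a setuid/setgid program should not let the caller steer the terminfo/termcap lookup through TERM (or through the TERMINFO/TERMCAP environment overrides) to a file they control. The following is an added example, not code from the original post and not OpenBSD's or ncurses' implementation: it shows the shape of the check a privileged program could perform before handing a terminal name to tgetent()/setupterm(). The function names (term_name_is_safe, harden_term, running_privileged), the 64-character length cap and the "dumb" fallback are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: accept only what a terminfo/termcap entry *name*
 * looks like (e.g. "vt100", "xterm-256color", "screen.linux"). Anything
 * that could be interpreted as a path is rejected: '/', '\\', a leading
 * '.', any ".." sequence, whitespace and control characters. */
bool term_name_is_safe(const char *term)
{
    if (term == NULL || term[0] == '\0')
        return false;
    if (strlen(term) > 64)          /* constructed cap; real names are short */
        return false;
    if (term[0] == '.' || term[0] == '-')
        return false;               /* no dotfiles, no "..", no option-like names */
    if (strstr(term, "..") != NULL)
        return false;               /* no parent-directory traversal */
    for (const char *p = term; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || c == '-' || c == '_' || c == '+' || c == '.')
            continue;
        return false;               /* '/', '\\', spaces, control bytes ... */
    }
    return true;
}

/* True when real and effective ids differ, i.e. we were started setuid or
 * setgid and the environment belongs to a less privileged caller. */
bool running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Decide which terminal name to pass to tgetent()/setupterm().
 * When privileged, also drop the environment variables that redirect the
 * database lookup to a user-chosen directory or inline entry. Returns
 * env_term itself when it is a plain entry name, otherwise the fallback. */
const char *harden_term(const char *env_term, bool privileged)
{
    if (privileged) {
        unsetenv("TERMINFO");       /* ncurses: alternate terminfo directory   */
        unsetenv("TERMINFO_DIRS");  /* ncurses: search path of directories     */
        unsetenv("TERMCAP");        /* termcap: inline entry or alternate file */
        unsetenv("TERMPATH");       /* termcap: search path of files           */
    }
    return term_name_is_safe(env_term) ? env_term : "dumb";
}

int main(void)
{
    /* Constructed demonstration values; the first mirrors the post's example. */
    const char *samples[] = { "../../../tmp/x", "xterm-256color", "vt100", "x/evil" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("TERM=%-16s -> use \"%s\"\n", samples[i],
               harden_term(samples[i], true));

    /* What a real program would do with its own environment. */
    const char *chosen = harden_term(getenv("TERM"), running_privileged());
    printf("this process would use TERM=%s\n", chosen);
    return 0;
}
```

The name check is applied whether or not the process is privileged, since a path-shaped TERM is never a legitimate entry name; only the removal of the TERMINFO/TERMCAP overrides is tied to the setuid/setgid condition the mail describes, because an unprivileged user redirecting their own lookups harms nobody.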
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:32 PDT