There was some discussion of this on the linux-security list. Redhat 6.0 has in.telnetd linked with libncurses, *NOT* libtermcap:

$ ldd /usr/sbin/in.telnetd
        libncurses.so.4 => /usr/lib/libncurses.so.4 (0x40019000)
        libutil.so.1 => /lib/libutil.so.1 (0x40056000)
        libc.so.6 => /lib/libc.so.6 (0x40059000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

ncurses ignores the buffer parameter to tgetent() that is usable for exploits. Note that this doesn't mean everything is safe; there are still exploitable programs linked with libtermcap. But in.telnetd as delivered with RH6.0 is fine in this respect.

-Tymm

On Sun, 4 Jul 1999, Michal Zalewski wrote:

> On Tue, 17 Aug 1999, Bill Nottingham wrote:
>
> > A buffer overflow existed in libtermcap's tgetent() function,
> > which could cause the user to execute arbitrary code if they
> > were able to supply their own termcap file.
> >
> > Under Red Hat Linux 5.2 and 4.2, this could lead to local users
> > gaining root privileges, as xterm (as well as other possibly
> > setuid programs) are linked against libtermcap. Under Red Hat
> > Linux 6.0, xterm is not setuid root.
> >
> > Thanks go to Kevin Vajk and the Linux Security Audit team for
> > noting and providing a fix for this vulnerability.
>
> So, here I am.
>
> Well, as this vulnerability became well-known, I have nothing to lose,
> enjoy: most of terminfo-based programs will accept TERM variable set to
> e.g. '../../../tmp/x'. All we have to do is to provide 'our own termcap
> file', set TERM, then execute vulnerable program w/terminfo support. In
> fact, in.telnetd daemon shipped e.g. with RH 6.0 /as well as with many
> other recent distributions based on terminfo entries/, is vulnerable... And
> TERM variable can be passed using telnet ENVIRON option during protocol
> negotiation before login procedure... Guess what?;) Almost remote root
> (well, all you have to do locally is putting /tmp/x).
>
> _______________________________________________________________________
> Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM]
> [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
> [voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
> To iterate is human, to recurse divine [P. Deutsch]
>
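Added example, not from the thread or either poster: a small audit helper that parses ldd output to tell a libtermcap-linked binary (the tgetent() buffer issue applies) from a libncurses-linked one (as Tymm reports for RH 6.0's in.telnetd), plus a TERM allow-list check of the kind a login or telnet daemon could apply before honouring an ENVIRON-supplied value. The ldd samples are constructed (the first mirrors the output quoted above) and the TERM pattern is my own assumption, not a documented policy.

```python
import re

# Constructed sample, modelled on the ldd output quoted in the thread.
LDD_RH60_TELNETD = """\
\tlibncurses.so.4 => /usr/lib/libncurses.so.4 (0x40019000)
\tlibutil.so.1 => /lib/libutil.so.1 (0x40056000)
\tlibc.so.6 => /lib/libc.so.6 (0x40059000)
\t/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
"""

# Constructed sample of a binary linked against libtermcap instead.
LDD_TERMCAP_BINARY = """\
\tlibtermcap.so.2 => /lib/libtermcap.so.2 (0x40019000)
\tlibc.so.6 => /lib/libc.so.6 (0x40059000)
"""

# One ldd line: "<soname> => <path> (<addr>)"; lines without "=>" are skipped.
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)")


def linked_sonames(ldd_output):
    """Return the left-hand sonames listed in ldd output text, in order."""
    names = []
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        if m:
            names.append(m.group(1))
    return names


def termcap_exposure(ldd_output):
    """'termcap' if libtermcap is linked (tgetent buffer issue applies),
    'ncurses' if only libncurses is linked, 'none' if neither."""
    names = linked_sonames(ldd_output)
    if any(n.startswith("libtermcap.so") for n in names):
        return "termcap"
    if any(n.startswith("libncurses.so") for n in names):
        return "ncurses"
    return "none"


# Assumed allow-list: a terminal name, not a path. No '/', no leading dot,
# so a value like '../../../tmp/x' cannot steer the lookup outside terminfo.
SAFE_TERM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$")


def is_safe_term(value):
    """True only for TERM values that cannot name a file outside the terminfo tree."""
    return bool(SAFE_TERM.match(value)) and ".." not in value
```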
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:33 PDT