Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

From: Tymm Twillman (tymmat_private)
Date: Thu Aug 19 1999 - 11:08:30 PDT


    There was some discussion of this on the linux-security list.  Red Hat 6.0
    has in.telnetd linked with libncurses, *NOT* libtermcap:
    
    $ ldd /usr/sbin/in.telnetd
    	libncurses.so.4 => /usr/lib/libncurses.so.4 (0x40019000)
    	libutil.so.1 => /lib/libutil.so.1 (0x40056000)
    	libc.so.6 => /lib/libc.so.6 (0x40059000)
    	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
    
    ncurses ignores the buffer parameter to tgetent() that is usable for
    exploits.
    
    Note that this doesn't mean everything is safe; there are still
    exploitable programs linked with libtermcap.  But in.telnetd as delivered
    with RH6.0 is fine in this respect.
    
    -Tymm
    
    On Sun, 4 Jul 1999, Michal Zalewski wrote:
    
    > On Tue, 17 Aug 1999, Bill Nottingham wrote:
    >
    > > A buffer overflow existed in libtermcap's tgetent() function,
    > > which could cause the user to execute arbitrary code if they
    > > were able to supply their own termcap file.
    > >
    > > Under Red Hat Linux 5.2 and 4.2, this could lead to local users
    > > gaining root privileges, as xterm (as well as other possibly
    > > setuid programs) are linked against libtermcap. Under Red Hat
    > > Linux 6.0, xterm is not setuid root.
    > >
    > > Thanks go to Kevin Vajk and the Linux Security Audit team for
    > > noting and providing a fix for this vulnerability.
    >
    > So, here I am.
    >
    > Well, as this vulnerability became well-known, I have nothing to lose,
    > enjoy: most terminfo-based programs will accept a TERM variable set to
    > e.g. '../../../tmp/x'. All we have to do is to provide 'our own termcap
    > file', set TERM, then execute a vulnerable program w/terminfo support. In
    > fact, the in.telnetd daemon shipped e.g. with RH 6.0 /as well as with many
    > other recent distributions based on terminfo entries/, is vulnerable... And
    > the TERM variable can be passed using the telnet ENVIRON option during protocol
    > negotiation before the login procedure... Guess what?;) Almost remote root
    > (well, all you have to do locally is putting /tmp/x).
    >
    > _______________________________________________________________________
    > Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM]
    > [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
    > [voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
    > To iterate is human, to recurse, divine [P. Deutsch]
    >
    
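Added example, not part of the thread or of any of the programs discussed in it: one defensive check a terminfo-aware program, or a service that accepts a TERM value from a remote peer (as in.telnetd does through the telnet ENVIRON option described above), can apply before the value reaches any termcap/terminfo lookup. Rather than trusting TERM as a filename fragment, it accepts only a plain terminal type name and refuses anything that could steer the lookup to a caller-chosen file such as '../../../tmp/x'. It assumes the conventional terminfo layout `<dir>/<first character>/<name>`; the function names, the 64-character cap and the sample values are this example's own.

```c
/* Added example (not code from the thread): validate the TERM value
 * before it is used to locate a termcap/terminfo entry. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define TERM_MAX 64  /* assumed cap on the length of a terminal type name */

/* Returns 1 if `term` looks like a terminal type name (e.g. "xterm",
 * "vt100", "xterm-256color"), 0 otherwise.  Only letters, digits, '-', '+',
 * '.' and '_' are accepted; since '/' is not in the allowlist and a leading
 * '.' is refused, no accepted value can name a directory component other
 * than the terminfo database itself. */
int term_name_is_safe(const char *term)
{
    size_t len, i;
    if (term == NULL)
        return 0;
    len = strlen(term);
    if (len == 0 || len >= TERM_MAX)
        return 0;
    if (term[0] == '.')              /* refuses ".", ".." and hidden names */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)term[i];
        if (!(isalnum(c) || c == '-' || c == '+' || c == '.' || c == '_'))
            return 0;
    }
    return 1;
}

/* Builds "<dir>/<first char>/<name>" (the conventional terminfo layout) into
 * `out`, but only for a validated name.  Returns 1 on success, 0 when the
 * name is refused or the buffer is too small; `out` is unspecified on 0. */
int terminfo_path(const char *dir, const char *term, char *out, size_t outsz)
{
    int n;
    if (!term_name_is_safe(term))
        return 0;
    n = snprintf(out, outsz, "%s/%c/%s", dir, term[0], term);
    if (n < 0 || (size_t)n >= outsz)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample TERM values, including the traversal shape from
     * the thread; none of these are read from the real environment. */
    const char *samples[] = {
        "xterm", "vt100", "xterm-256color", "../../../tmp/x", "/tmp/x", ""
    };
    char path[256];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (terminfo_path("/usr/share/terminfo", samples[i], path, sizeof path))
            printf("accept %-16s -> %s\n", samples[i], path);
        else
            printf("reject %-16s\n", samples[i][0] ? samples[i] : "(empty)");
    }
    return 0;
}
```

The check belongs wherever an untrusted environment enters the process: a daemon that imports a peer-supplied TERM can drop the variable when `term_name_is_safe()` fails instead of exporting it to the login program. Note that this addresses only the path-selection problem the thread describes; the separate libtermcap tgetent() overflow is fixed by the vendor update itself, not by filtering TERM.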



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:33 PDT