[11423] in bugtraq


Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Thu Aug 19 10:13:53 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <lcamtuf.4.05.9907040046040.500-100000@nimue.ids.pl>
Date:         Sun, 4 Jul 1999 00:55:09 +0200
Reply-To: Michal Zalewski <lcamtuf@IDS.PL>
From: Michal Zalewski <lcamtuf@IDS.PL>
X-To:         Bill Nottingham <notting@REDHAT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19990817120442.A2787@bobby.devel.redhat.com>

On Tue, 17 Aug 1999, Bill Nottingham wrote:

> A buffer overflow existed in libtermcap's tgetent() function,
> which could cause the user to execute arbitrary code if they
> were able to supply their own termcap file.
>
> Under Red Hat Linux 5.2 and 4.2, this could lead to local users
> gaining root privileges, as xterm (as well as other possibly
> setuid programs) are linked against libtermcap. Under Red Hat
> Linux 6.0, xterm is not setuid root.
>
> Thanks go to Kevin Vajk and the Linux Security Audit team for
> noting and providing a fix for this vulnerability.

So, here I am.

Well, as this vulnerability became well-known, I have nothing to lose, so
enjoy: most terminfo-based programs will accept a TERM variable set to
e.g. '../../../tmp/x'. All we have to do is to provide 'our own termcap
file', set TERM, then execute a vulnerable program with terminfo support. In
fact, the in.telnetd daemon shipped e.g. with RH 6.0 (as well as with many
other recent distributions based on terminfo entries) is vulnerable... And
the TERM variable can be passed using the telnet ENVIRON option during protocol
negotiation before the login procedure... Guess what? ;) Almost remote root
(well, all you have to do locally is put /tmp/x in place).

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
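An added example, not code from the advisory, from libtermcap or from ncurses: a defender-side check that rejects TERM values able to escape the terminfo directory, which is the path-traversal primitive this thread describes. It assumes the conventional terminfo layout of `/usr/share/terminfo/<first character>/<name>`; `validate_term` and `safe_terminfo_path` are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Conventional terminfo location (assumption, not read from the page). */
#define TERMINFO_DIR "/usr/share/terminfo"
#define TERM_MAX 32

/* Accept a TERM value only if it is a plain terminal name: non-empty,
 * short, no path separator, no "..", no leading '.', and only the
 * characters that legitimate terminfo names use.  Returns 0 if the
 * value is acceptable, -1 if it must be refused. */
int validate_term(const char *term)
{
    size_t n;
    if (term == NULL) return -1;
    n = strlen(term);
    if (n == 0 || n > TERM_MAX) return -1;
    /* A '/' anywhere lets TERM leave the terminfo directory entirely. */
    if (strchr(term, '/') != NULL) return -1;
    /* Refuse ".." outright rather than attempting to normalise it. */
    if (strstr(term, "..") != NULL) return -1;
    /* A leading '.' would resolve to the directory itself. */
    if (term[0] == '.') return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)term[i];
        if (!isalnum(c) && c != '-' && c != '+' && c != '.') return -1;
    }
    return 0;
}

/* Build <dir>/<first char>/<name> into out only for a validated name.
 * Returns 0 on success, -1 if the name is rejected or out is too small. */
int safe_terminfo_path(const char *term, char *out, size_t outlen)
{
    if (validate_term(term) != 0) return -1;
    int w = snprintf(out, outlen, "%s/%c/%s", TERMINFO_DIR, term[0], term);
    if (w < 0 || (size_t)w >= outlen) return -1;  /* truncated: refuse */
    return 0;
}
```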
