[11454] in bugtraq


Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()

daemon@ATHENA.MIT.EDU (Martin Schulze)
Sat Aug 21 02:53:43 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19990819162331.C28824@finlandia.infodrom.north.de>
Date:         Thu, 19 Aug 1999 16:23:31 +0200
Reply-To: Martin Schulze <joey@infodrom.north.de>
From: Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
X-To:         Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <lcamtuf.4.05.9907040046040.500-100000@nimue.ids.pl>; from Michal
              Zalewski on Sun, Jul 04, 1999 at 12:55:09AM +0200

Michal Zalewski wrote:
> Well, as this vulnerability has become well-known, I have nothing to lose,
> enjoy: most of terminfo-based programs will accept TERM variable set to
> eg. '../../../tmp/x'. All we have to do is to provide 'our own termcap
> file', set TERM, then execute vulnerable program w/terminfo support. In
> fact, in.telnetd daemon shipped eg. with RH 6.0 /as well as with many
> other recent distributions based on terminfo entries/, is vulnerable... And
> TERM variable can be passed using telnet ENVIRON option during protocol
> negotiation before login procedure... Guess what?;) Almost remote root
> (well, all you have to do locally is putting /tmp/x).

Are you referring to terminfo or termcap?  They are designed differently,
refer to different files and use different code.

Regards,

	Joey

--
GNU does not eliminate all the world's problems, only some of them.
                                                -- The GNU Manifesto
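
Added example, not part of the original message or of any libtermcap/ncurses code: one way a daemon could check a client-supplied TERM value, such as the '../../../tmp/x' quoted above, before handing it to a terminal library. The function names, the 64-character limit and the "dumb" fallback are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed upper bound for a terminal name; not taken from any library. */
#define TERM_NAME_MAX 64

/* Hypothetical helper: return 1 if `term` is a bare terminal name,
 * 0 if it is missing, empty, too long, or could be read as a path. */
int term_name_is_safe(const char *term)
{
    size_t i;

    if (term == NULL)
        return 0;
    /* Must start with a letter or digit, never '.', '/' or '-'. */
    if (!isalnum((unsigned char)term[0]))
        return 0;
    for (i = 0; term[i] != '\0'; i++) {
        unsigned char c = (unsigned char)term[i];
        if (i >= TERM_NAME_MAX)
            return 0;
        /* Allowlist: letters, digits, '-', '_', '+', '.'; no '/'. */
        if (!(isalnum(c) || c == '-' || c == '_' || c == '+' || c == '.'))
            return 0;
    }
    /* Reject ".." even though '/' is already excluded. */
    return strstr(term, "..") == NULL;
}

/* Hypothetical helper: the supplied name if it validates, otherwise
 * a fixed fallback ("dumb" is an assumption of this sketch). */
const char *term_name_or_default(const char *supplied)
{
    return term_name_is_safe(supplied) ? supplied : "dumb";
}

int main(void)
{
    /* Constructed sample inputs, including the value quoted in the thread. */
    const char *samples[] = { "vt100", "xterm-256color", "../../../tmp/x", "/tmp/x", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i], term_name_or_default(samples[i]));
    return 0;
}
```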
