[11477] in bugtraq
Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent()
daemon@ATHENA.MIT.EDU (Tymm Twillman)
Sat Aug 21 21:12:38 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.SGI.4.05.9908191301400.309615-100000@tiger.coe.missouri.edu>
Date: Thu, 19 Aug 1999 13:08:30 -0500
Reply-To: Tymm Twillman <tymm@COE.MISSOURI.EDU>
From: Tymm Twillman <tymm@COE.MISSOURI.EDU>
X-To: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <lcamtuf.4.05.9907040046040.500-100000@nimue.ids.pl>
There was some discussion of this on the linux-security list. Redhat 6.0
has in.telnetd linked with libncurses, *NOT* libtermcap:
$ ldd /usr/sbin/in.telnetd
libncurses.so.4 => /usr/lib/libncurses.so.4 (0x40019000)
libutil.so.1 => /lib/libutil.so.1 (0x40056000)
libc.so.6 => /lib/libc.so.6 (0x40059000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
ncurses ignores the buffer parameter to tgetent() that is usable for
exploits.
Note that this doesn't mean everything is safe; there are still
exploitable programs linked with libtermcap. But in.telnetd as delivered
with RH6.0 is fine in this respect.
-Tymm
On Sun, 4 Jul 1999, Michal Zalewski wrote:
> On Tue, 17 Aug 1999, Bill Nottingham wrote:
>
> > A buffer overflow existed in libtermcap's tgetent() function,
> > which could cause the user to execute arbitrary code if they
> > were able to supply their own termcap file.
> >
> > Under Red Hat Linux 5.2 and 4.2, this could lead to local users
> > gaining root privileges, as xterm (as well as other possibly
> > setuid programs) are linked against libtermcap. Under Red Hat
> > Linux 6.0, xterm is not setuid root.
> >
> > Thanks go to Kevin Vajk and the Linux Security Audit team for
> > noting and providing a fix for this vulnerability.
>
> So, here I am.
>
> Well, as this vulnerability has become well-known, I have nothing to lose,
> enjoy: most of terminfo-based programs will accept TERM variable set to
> e.g. '../../../tmp/x'. All we have to do is to provide 'our own termcap
> file', set TERM, then execute vulnerable program w/terminfo support. In
> fact, in.telnetd daemon shipped e.g. with RH 6.0 /as well as with many
> other recent distributions based on terminfo entries/, is vulnerable... And
> TERM variable can be passed using telnet ENVIRON option during protocol
> negotiation before login procedure... Guess what?;) Almost remote root
> (well, all you have to do locally is putting /tmp/x).
>
> _______________________________________________________________________
> Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
> [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
> [voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
> To iterate is human, to recurse divine [P. Deutsch]
>
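The mitigation the thread points at, as an added example that is not code from either poster, Red Hat, libtermcap or ncurses: a daemon that accepts TERM from an untrusted source (the telnet ENVIRON option, a login environment) can refuse any value that is not a plain terminal name before it ever reaches tgetent()/setupterm(), so a path such as '../../../tmp/x' can never select the entry file. The character set, the length limit and the "dumb" fallback are assumptions chosen for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Conservative length limit for a terminal name (assumption for this example). */
#define TERM_NAME_MAX 32

/* Return 1 if `term` looks like an ordinary termcap/terminfo name such as
 * "vt100" or "xterm-color", 0 otherwise. Anything that could steer the
 * entry lookup toward a caller-chosen file ('/', leading '.', "..",
 * non-printable bytes) is refused. */
int term_name_is_safe(const char *term)
{
    size_t i, len;

    if (term == NULL)
        return 0;
    len = strlen(term);
    if (len == 0 || len > TERM_NAME_MAX)
        return 0;
    /* Must start with a letter or digit: no leading '.', '-' or '/'. */
    if (!isalnum((unsigned char)term[0]))
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)term[i];
        /* Letters, digits, '-', '+' and '.' cover real terminal names. */
        if (!(isalnum(c) || c == '-' || c == '+' || c == '.'))
            return 0;
    }
    /* '/' is already refused; refuse ".." too so no later path joining
     * ("<dir>/<first letter>/<name>") can climb a directory. */
    if (strstr(term, "..") != NULL)
        return 0;
    return 1;
}

/* Copy an environment-supplied TERM into the daemon's own buffer only when
 * it passes validation, otherwise fall back to "dumb". Returns 1 if the
 * supplied value was used, 0 if the fallback was, -1 if `out` is too small. */
int choose_term(const char *env_term, char *out, size_t outlen)
{
    int ok = term_name_is_safe(env_term);
    const char *src = ok ? env_term : "dumb";
    size_t n = strlen(src);

    if (n >= outlen) {          /* never overflow the caller's buffer */
        ok = 0;
        src = "dumb";
        n = strlen(src);
        if (n >= outlen)
            return -1;
    }
    memcpy(out, src, n + 1);    /* includes the terminating NUL */
    return ok;
}
```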