sunos rlogin
daemon@ATHENA.MIT.EDU (Roger Espel Llima)
Wed Dec 4 12:58:31 1996
Date: Wed, 4 Dec 1996 13:26:32 +0100
Reply-To: Roger Espel Llima <espel@clipper.ens.fr>
From: Roger Espel Llima <espel@clipper.ens.fr>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Can anyone make something out of this? (works on SunOS 4.1.3 and
Solaris 2.5, at least, and not on Linux or current NetBSD):
$ TERM=`perl -e 'print "x" x 1000'`
zsh: can't find termcap info for xxx[...]
$ rlogin localhost
zsh: segmentation fault rlogin localhost
A quick look at what rlogin does (with the help of a libc tracing tool)
shows that it first does a strcpy of getenv("TERM") into a fixed
position in the data segment, and then a strcat of a "/" and a string
(the speed of the terminal) on it. There are few symbols after the
position where TERM gets copied in memory (mostly just the various
diagnostic messages), and at that point in the execution there doesn't
seem to be anything much of use in the BSS (which is 8k further down in
memory)... so it doesn't look like the bug can be exploited... but
maybe someone will find a way :-).
-Roger
--
e-mail: roger.espel.llima@ens.fr
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
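As an added illustration (not code from the post or from any rlogin implementation): the unchecked strcpy/strcat pattern described above, shown beside a bounded builder that refuses an oversized TERM value. The buffer size, the function names and the "vt100"/"9600" sample values are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size; the post only says the destination is a fixed position
 * in the data segment, not how large the reserved area is. */
#define TERMBUF_SIZE 64

/* The unchecked pattern the post describes: copy TERM, then append "/"
 * and the line speed, with no length check on an environment value the
 * caller does not control. Kept for contrast only; never feed it
 * untrusted input. */
static char termbuf[TERMBUF_SIZE];
void build_term_unchecked(const char *term, const char *speed)
{
    strcpy(termbuf, term);      /* overflows once strlen(term) >= TERMBUF_SIZE */
    strcat(termbuf, "/");
    strcat(termbuf, speed);
}

/* Hardened form: compute the required length first and refuse to build
 * the string if it would not fit. Returns the length written, or -1. */
int build_term_checked(char *out, size_t outsz, const char *term, const char *speed)
{
    size_t need = strlen(term) + 1 + strlen(speed) + 1; /* term "/" speed NUL */
    if (need > outsz)
        return -1;
    return snprintf(out, outsz, "%s/%s", term, speed);
}

/* Normal case: a sane TERM fits and is joined with the speed. */
const char *build_term_example(void)
{
    static char out[TERMBUF_SIZE];
    return build_term_checked(out, sizeof out, "vt100", "9600") < 0 ? NULL : out;
}

/* The report's input (a 1000-character TERM, constructed here) run through
 * the checked builder: the oversized value is rejected, not copied. */
int reproduce_report(void)
{
    static char out[TERMBUF_SIZE];
    char longterm[1001];
    memset(longterm, 'x', 1000);
    longterm[1000] = '\0';
    return build_term_checked(out, sizeof out, longterm, "9600");
}

int main(void)
{
    printf("%s\n", build_term_example());              /* vt100/9600 */
    printf("oversized TERM: %d\n", reproduce_report()); /* -1 */
    return 0;
}
```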