[4769] in bugtraq


No subject found in mail header

daemon@ATHENA.MIT.EDU (Nicolas Dubee)
Mon Jun 23 11:53:14 1997

Date: 	Sat, 1 Jan 1994 05:00:35 +0100
Reply-To: dube0866@EUROBRETAGNE.FR
From: Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
To: BUGTRAQ@NETSPACE.ORG

ncurses-1.9.9e buffer overflow


Hi,


as always, sorry if it's known stuff.

There is a buffer overflow in ncurses 1.9.9e and older,
a "terminal independent screen-painting subroutines library".

This buffer overflow _may_ not be exploitable, since it is
in the main() function of the 'move cursor' library.
Anyway, here are the technical details.

Check lib_mvcur.c, main() function, line 1128:

[...] (void)strcpy(tname, getenv("TERM")); [...]

then, same thing on line 1204.

The TERM environment variable is copied to tname, which is
defined as char tname[BUFSIZE]. Setting TERM to a value
with length higher than BUFSIZ (1024) will result in a
buffer overflow. All programs using ncurses-1.9.9e or
previous are vulnerable, including suid ones.

The other calls to 'getenv' seem pretty secure.

I haven't tried to exploit it yet; it should be quite
difficult since the overflow occurs in the main() function.


Patch:
Copy this to the directory where lib_mvcur.c is, apply the patch
and rebuild ncurses and any potential target that uses
ncurses.



1128c1128
<     (void) strcpy(tname, getenv("TERM"));
---
>     (void) strncpy(tname, getenv("TERM"),sizeof(tname));
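Review bot: strncpy(tname, getenv("TERM"), sizeof(tname)) on the replacement line writes no terminating NUL when TERM is sizeof(tname) bytes or longer, so tname can be left unterminated and later string reads can run past the array. Copy at most sizeof(tname) - 1 bytes and set tname[sizeof(tname) - 1] = '\0' afterwards, or reject an over-long TERM outright.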
1204c1204
<           (void) strcpy(tname, getenv("TERM"));
---
>           (void) strncpy(tname, getenv("TERM"),sizeof(tname));
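Review bot: getenv("TERM") is passed straight to strncpy on the replacement line, and getenv returns NULL when TERM is unset, which strncpy will dereference unless an earlier check not shown here guarantees the variable exists. Fetch the value into a pointer and handle NULL before copying; the bound at this call site also needs room for the terminator, for example sizeof(tname) - 1 followed by explicit termination.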







p.s.: I'm sorry for the date/time of this message, lots of
people wrote me about this last time, but if you know a
patch that will prevent this shitty AWARD Modular (tm)
BIOS to crash my CMOS whenever I halt or reboot Linux, please
let me know.

p.s.2: if you had a job for me :) ...

------------------------
   plaguez / libpcap
dube0866@eurobretagne.fr
   http://www.innu.org
------------------------
ln -sf  flames /dev/null
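
The copy of TERM into a BUFSIZ-sized tname discussed in the message, as an added example that is not part of the original post or of the ncurses source. It shows what a strncpy bounded by the full buffer size leaves behind for an over-long value, next to a checked copy; copy_term_name, strncpy_terminates and make_term_value are hypothetical names, and the long value is constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char tname[BUFSIZ];   /* same declaration the message describes */

/* Hypothetical helper, not ncurses code: copy src only if it fits together
 * with its NUL. Returns 0 on success, -1 if src is NULL (variable unset)
 * or too long. dst always holds a valid string afterwards. */
int copy_term_name(char *dst, size_t dstsize, const char *src)
{
    size_t len;
    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)               /* getenv() returns NULL when unset */
        return -1;
    len = strlen(src);
    if (len >= dstsize)            /* reject instead of truncating */
        return -1;
    memcpy(dst, src, len + 1);     /* len + 1 copies the NUL as well */
    return 0;
}

/* strncpy bounded by the whole buffer: returns 1 if dst ends up
 * NUL-terminated within dstsize bytes, 0 if it does not. */
int strncpy_terminates(char *dst, size_t dstsize, const char *src)
{
    memset(dst, 'X', dstsize);     /* make stale bytes visible */
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

/* Constructed sample input: a string of n 'A' bytes (caller frees). */
char *make_term_value(size_t n)
{
    char *s = malloc(n + 1);
    if (s != NULL) { memset(s, 'A', n); s[n] = '\0'; }
    return s;
}

int main(void)
{
    char *longterm = make_term_value(sizeof(tname) + 100);
    if (longterm == NULL) return 1;
    printf("strncpy terminated: %d\n", strncpy_terminates(tname, sizeof(tname), longterm));
    printf("checked, over-long: %d\n", copy_term_name(tname, sizeof(tname), longterm));
    printf("checked, vt100:     %d\n", copy_term_name(tname, sizeof(tname), "vt100"));
    printf("checked, unset:     %d\n", copy_term_name(tname, sizeof(tname), NULL));
    free(longterm);
    return 0;
}
```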
