[5425] in bugtraq
Re: SNI-20: Telnetd tgetent vulnerability
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Wed Oct 22 02:16:25 1997
Date: Tue, 21 Oct 1997 19:58:42 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Tue, 21 Oct 1997 18:24:02 MDT."
<Pine.BSI.3.96.971021182323.367A-100000@silence.secnet.com>
> A vulnerability in the tgetent(3) library routine can result in a
> buffer overflow in the telnet daemon on some BSD derived systems.
This same problem appears to be exploitable as a localhost attack
against the program xterm. This is setuid root on a lot of systems,
and if tgetent(3) has the overflow problems, the same problem can be
exploited there.
On BSD systems, it is likely this could also have been exploited in
systat(8) to gain gid kmem permissions.
I've not confirmed these problems... I don't write shell code, I just
fix the bugs ;-)