[5714] in bugtraq
Re: in.telnetd bug (linux)
daemon@ATHENA.MIT.EDU (Aaron Campbell)
Mon Dec 1 17:12:03 1997
Date: Thu, 27 Nov 1997 17:22:51 -0400
Reply-To: Aaron Campbell <aaron@ug.cs.dal.ca>
From: Aaron Campbell <aaron@UG.CS.DAL.CA>
X-To: kgb <kgb@HOBBIT.OVERLOADED.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.971125155104.24808A-100000@hobbit.overloaded.net>
This post made me a little curious so I did some investigating.
I tried setting my TERM variable: export TERM="../../../home/fx/mytermfile"
(I needed to move three parent directories backward to the root directory
since on my Slackware box the database is located in /usr/lib/terminfo.)
[16:24:42] aaron@ug:~$ export TERM="../../../home/fx/mytermfile"
[16:24:53] aaron@ug:~$ telnet XXX.XXX.XXX.XXX
Trying XXX.XXX.XXX.XXX...
Connected to somehost.com.
Escape character is '^]'.
Connection closed by foreign host.
[16:25:21] aaron@ug:~$
Examination of the /core file dumped by in.telnetd (strings core) revealed
this line:
/usr/lib/terminfo/./../../../home/
It was cut off. Notice there is apparently enough room for ../../../tmp/x
though.
cp /usr/lib/terminfo/v/vt100 /tmp/x
Set our TERM variable again: export TERM="../../../tmp/x"
Trying XXX.XXX.XXX.XXX...
Connected to somehost.com.
Escape character is '^]'.
Linux 2.0.32.
login:
It worked. This also works:
cp /usr/lib/terminfo/v/vt100 /home/fx/vt100
ln -s /home/fx/vt100 /tmp/x
...and using the same TERM variable, in.telnetd will acknowledge the
copied /home/fx/vt100 terminfo file.
So the question is, how dangerous could a user-supplied terminfo file be?
. _ _ _ _ . . _ _ . . _ _ _ . .
: |-||-||<|_||\| |_|-||\/||-'|->|_-|_|_ Dalhousie University, Halifax, NS
`----------------------------------------------[fx!aaron@ug.cs.dal.ca]-----
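Added example (not from Aaron's post, and not the code of in.telnetd or any terminfo library): a small C model of the lookup that the core-dump string above suggests, namely building <database>/<first character of TERM>/<TERM> from the client-supplied TERM, lexically collapsing the "." and ".." components to show where that path really lands, and the input check a hardened server would apply before TERM gets anywhere near a path. The path layout, buffer sizes and every function name here (build_terminfo_path, lexical_normalize, term_name_is_safe, term_escapes_database) are assumptions for the illustration; the TERM values are the ones from the post.

```c
/* Added example, not code from the original post. Assumes the lookup
 * path is <dir>/<first char of TERM>/<TERM>, as the core-dump string
 * "/usr/lib/terminfo/./../../../home/" suggests. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define TERMINFO_DIR "/usr/lib/terminfo"

/* Build the lookup path the way an unchecked lookup would.  snprintf is
 * bounded: returns 0 on success, -1 if the result would not fit in buf
 * (an unbounded sprintf here would instead run past the buffer). */
int build_terminfo_path(const char *name, char *buf, size_t len)
{
    if (name == NULL || name[0] == '\0')
        return -1;
    int n = snprintf(buf, len, "%s/%c/%s", TERMINFO_DIR, name[0], name);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return 0;
}

/* Collapse "." and ".." components of an absolute path purely as a
 * string (nothing on disk is consulted) to see what open() would get. */
void lexical_normalize(const char *path, char *out, size_t len)
{
    char tmp[1024];
    char *comp[256];
    int depth = 0;
    size_t used = 0;

    strncpy(tmp, path, sizeof tmp - 1);
    tmp[sizeof tmp - 1] = '\0';
    for (char *p = strtok(tmp, "/"); p != NULL; p = strtok(NULL, "/")) {
        if (strcmp(p, ".") == 0)
            continue;
        if (strcmp(p, "..") == 0) {   /* ".." above "/" stays at "/" */
            if (depth > 0)
                depth--;
            continue;
        }
        if (depth < 256)
            comp[depth++] = p;
    }
    if (depth == 0) {
        snprintf(out, len, "/");
        return;
    }
    out[0] = '\0';
    for (int i = 0; i < depth; i++) {
        int n = snprintf(out + used, len - used, "/%s", comp[i]);
        if (n < 0 || (size_t)n >= len - used)
            break;
        used += (size_t)n;
    }
}

/* 1 if the normalized path is still under the terminfo database. */
int path_inside_database(const char *path)
{
    char norm[1024];
    size_t plen = strlen(TERMINFO_DIR);
    lexical_normalize(path, norm, sizeof norm);
    return strncmp(norm, TERMINFO_DIR, plen) == 0 && norm[plen] == '/';
}

/* 1 if a TERM value fails to build or resolves outside the database. */
int term_escapes_database(const char *name)
{
    char path[1024];
    if (build_terminfo_path(name, path, sizeof path) != 0)
        return 1;
    return !path_inside_database(path);
}

/* The check to run on a client-supplied TERM before using it as a file
 * name: short, starts with a letter or digit (so no "./" or "../"
 * subdirectory), no '/', no "..", only the characters terminal names use. */
int term_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) > 32)
        return 0;
    if (!isalnum((unsigned char)name[0]))
        return 0;
    if (strchr(name, '/') != NULL || strstr(name, "..") != NULL)
        return 0;
    for (const char *p = name; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '+' && *p != '.')
            return 0;
    return 1;
}

int main(void)
{
    const char *terms[] = { "vt100", "../../../tmp/x",
                            "../../../home/fx/mytermfile" };  /* from the post */
    char path[1024], norm[1024];
    for (size_t i = 0; i < sizeof terms / sizeof terms[0]; i++) {
        if (build_terminfo_path(terms[i], path, sizeof path) != 0)
            continue;
        lexical_normalize(path, norm, sizeof norm);
        printf("TERM=%-28s -> %s\n   opens %s (%s, %s)\n", terms[i], path, norm,
               path_inside_database(path) ? "inside db" : "OUTSIDE db",
               term_name_is_safe(terms[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The first character of TERM becoming a subdirectory is why the traversal needs one more ".." than the depth of the database alone, and why "./" shows up in the path Aaron found in the core file; the check rejects the name before any path is built rather than trying to sanitize the path afterwards.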