[9586] in bugtraq


Re: mc & Segmentation fault

daemon@ATHENA.MIT.EDU (Sw3)
Mon Feb 15 04:42:36 1999

Date: 	Sat, 13 Feb 1999 23:49:29 -0400
Reply-To: Sw3 <sw3wn@CSOFT.NET>
From: Sw3 <sw3wn@CSOFT.NET>
X-To:         shaman <shaman@SEAL.PL>
To: BUGTRAQ@NETSPACE.ORG

shaman wrote:
>
> Some days ago I discovered something. If you export TERM with a name such as
> "buqtraq" and then start Midnight Commander, you will see
> something like this:
>
> localhost:~$ export TERM="bugtraq"
> localhost:~$ mc
> Unknown terminal: buqtraq
> Check the TERM environment variable.
> Also make sure that the terminal is defined in the terminfo database.
> Alternatively, set the TERMCAP environment variable to the desired
> termcap entry.
>
> But if the TERM name contains over 227 characters, you will see
> something different:
> localhost:~$ export TERM="bugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraq
>      bugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraq
>      bugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraq
>      bugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraq
>      bugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraqbugtraq
>      "
> localhost:~$ mc
> Segmentation fault
> localhost:~$
>
> I don't know if it is interesting and I haven't tried exploiting it, but
> maybe someone....
> I have tested it only on Slackware 3.5.


This is clearly a buffer overflow, but not a security compromise, since it's
not remotely exploitable nor suid anything.

I checked it out, it seems to be a stack overflow, i.e. the program
counter is just next to it, quite common.  I contacted the authors about
it.

--
   Julien Nadeau      | sw3wn@csoft.net
  Proof of concept    | "A complex solution to a simple problem"
http://poc.csoft.net  | [http://www.csoft.net/~sw3wn]
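The pattern described in this thread, an environment variable copied into a fixed-size stack buffer without a length check, is shown below next to a hardened version. This is an added illustration written for this archive page, not code from Midnight Commander or from either poster; the buffer size of 227 is taken from the 227-character threshold reported above and the copy routine, function names and the `load_term_name` helper are assumptions about what such code typically looks like, not mc's actual source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for illustration: the report says TERM names over
 * 227 characters crash mc, which is consistent with a fixed-size buffer
 * of about that size. The real size and code path in mc are unknown here. */
#define TERM_BUF 227

/* Vulnerable pattern (kept for contrast, never call it on untrusted input):
 * an unbounded copy of a caller-controlled string into a fixed buffer.
 * When strlen(term) >= the buffer size, the copy runs past the end of the
 * stack buffer and corrupts whatever lies next to it, which is the kind of
 * crash the thread reports. */
void term_copy_unchecked(char *dst, const char *term)
{
    strcpy(dst, term);   /* no bounds check */
}

/* Hardened version: measure first, refuse anything that does not fit
 * (including the NUL terminator), and only then copy. Rejecting is
 * preferable to strncpy-style silent truncation, which can leave an
 * unterminated or misleading terminal name behind.
 * Returns 0 on success, -1 if term is NULL or too long. */
int term_copy_checked(char *dst, size_t dstsz, const char *term)
{
    if (term == NULL || dst == NULL || dstsz == 0)
        return -1;
    size_t n = strlen(term);
    if (n >= dstsz)      /* need n + 1 bytes for the terminator */
        return -1;
    memcpy(dst, term, n + 1);
    return 0;
}

/* Reads the terminal name (from `override` if given, otherwise from the
 * TERM environment variable) into a caller-supplied fixed buffer using the
 * checked copy. Returns 0 if the name was accepted, -1 otherwise. */
int load_term_name(const char *override, char *dst, size_t dstsz)
{
    const char *term = override ? override : getenv("TERM");
    return term_copy_checked(dst, dstsz, term);
}

/* Builds a constructed TERM name of `len` characters ('b' repeated) and
 * reports whether the checked copy into a TERM_BUF-sized buffer accepts it.
 * Used to show where the cut-off lies: 226 fits, 227 does not. */
int check_term_of_length(size_t len)
{
    char *name = malloc(len + 1);
    char buf[TERM_BUF];
    if (name == NULL)
        return -1;
    memset(name, 'b', len);
    name[len] = '\0';
    int rc = load_term_name(name, buf, sizeof buf);
    free(name);
    return rc;
}

/* Returns 1 if a short, ordinary name round-trips intact through the
 * checked copy, 0 otherwise. */
int short_name_round_trips(void)
{
    char buf[TERM_BUF];
    return load_term_name("xterm", buf, sizeof buf) == 0 &&
           strcmp(buf, "xterm") == 0;
}

int main(void)
{
    char buf[TERM_BUF];
    if (load_term_name(NULL, buf, sizeof buf) == 0)
        printf("TERM accepted: %s\n", buf);
    else
        fprintf(stderr, "TERM unset or longer than %d characters; refusing it\n",
                TERM_BUF - 1);
    return 0;
}
```

Running the program with an ordinary TERM prints the name; with TERM set to a value of 227 or more characters it refuses the value and exits cleanly instead of crashing, which is the behaviour a bounds check buys you regardless of whether the overflow is reachable by anyone other than the local user.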
