[17136] in bugtraq
Re: ncurses buffer overflows
daemon@ATHENA.MIT.EDU (Harrington, Perry)
Tue Oct 10 13:35:44 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <200010100022.RAA16024@eris>
Date: Mon, 9 Oct 2000 17:22:34 -0700
Reply-To: pedward@WEBCOM.COM
From: "Harrington, Perry" <pedward@WEBCOM.COM>
X-To: jouko@solutions.fi
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10010092242140.27629-100000@shell.solutions.fi>
from "Jouko Pynnönen" at Oct 09, 2000 10:42:49 PM
This brings up an interesting piece of history. When the whole LD_PRELOAD
haX0ring came about, people jumped on the wagon and fixed the ld library.
However, this same trick can be used by an SA to plug potential security
holes:
library: ncurses_fix.c

    char *tparm(....)                   /* interposed in front of the real ncurses tparm() */
    {
        char *buffer;

        buffer = __tparm(....);         /* call through to the real implementation */
        if (strlen(buffer) >= OPT_SIZE) {   /* >=: strcpy() also needs room for the NUL */
            /* ack choke: log to syslog, email the SA, and exit the proggie */
        }
        return buffer;
    }
This is just a generic piece of code, but it can apply to any unchecked
parameter problem.
I would consider using this method on proprietary OSes that don't respond
quickly to potential threats.
So anyhow, compile into an SO (gcc -shared) and edit your preload file
in /etc.
--Perry
> static inline int
> onscreen_mvcur(int yold,int xold,int ynew,int xnew, bool ovw)
> /* onscreen move from (yold, xold) to (ynew, xnew) */
> {
>     char use[OPT_SIZE], *sp;
>
> ... a few lines later:
>
>     sp = tparm(SP->_address_cursor, ynew, xnew);
>     if (sp)
>     {
>         tactic = 0;
>         (void) strcpy(use, sp);
>
> OPT_SIZE seems to be defined as 512. tparm() can be made to return a
--
Perry Harrington Director of zelur xuniL ()
perry@webcom.com System Architecture Think Blue. /\
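The interposer sketched in the post above, written out as a compilable LD_PRELOAD library; this is an added example, not code from the original message or from ncurses. It assumes the real function is reached with dlsym(RTLD_NEXT) and that tparm() takes a format plus up to nine long parameters (ncurses's convention; a hypothetical assumption for any other curses), and the names check_tparm_result and tparm_fn are the example's own.

```c
#define _GNU_SOURCE           /* for RTLD_NEXT on glibc */
#include <dlfcn.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)   /* glibc's value, in case a header came first */
#endif
#define OPT_SIZE 512   /* same as the caller's char use[OPT_SIZE] quoted above */

/* 1 if strcpy(use, buffer) would overflow use[OPT_SIZE]: the string plus
 * its NUL must fit, so a result of OPT_SIZE bytes or more is rejected. */
int check_tparm_result(const char *buffer)
{
    return buffer != NULL && strlen(buffer) >= OPT_SIZE;
}
typedef char *(*tparm_fn)(const char *, ...);

/* Interposed tparm(): with this .so in LD_PRELOAD or /etc/ld.so.preload it
 * runs in front of the real one. Assumes ncurses's nine-long-parameter
 * convention (ncurses's own tparm() reads all nine unconditionally). */
char *tparm(const char *fmt, ...)
{
    static tparm_fn real_tparm;
    long p[9];
    va_list ap;

    if (real_tparm == NULL) {
        real_tparm = (tparm_fn) dlsym(RTLD_NEXT, "tparm");
        if (real_tparm == NULL) {
            syslog(LOG_ERR, "ncurses_fix: real tparm not found: %s", dlerror());
            abort();
        }
    }
    va_start(ap, fmt);
    for (int i = 0; i < 9; i++)
        p[i] = va_arg(ap, long);
    va_end(ap);

    char *buffer = real_tparm(fmt, p[0], p[1], p[2], p[3], p[4],
                              p[5], p[6], p[7], p[8]);
    if (check_tparm_result(buffer)) {   /* log it, then refuse to return it */
        syslog(LOG_ALERT, "ncurses_fix: tparm result (%zu bytes) would "
               "overflow OPT_SIZE, exiting", strlen(buffer));
        exit(EXIT_FAILURE);
    }
    return buffer;
}
```

Build with gcc -shared -fPIC -o ncurses_fix.so ncurses_fix.c and list the path in /etc/ld.so.preload (or in LD_PRELOAD for one process); the library never links against ncurses itself, it only looks the symbol up at run time.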