On Tue, 17 Aug 1999, Bill Nottingham wrote:
> A buffer overflow existed in libtermcap's tgetent() function,
> which could cause the user to execute arbitrary code if they
> were able to supply their own termcap file.
>
> Under Red Hat Linux 5.2 and 4.2, this could lead to local users
> gaining root privileges, as xterm (as well as other possibly
> setuid programs) are linked against libtermcap. Under Red Hat
> Linux 6.0, xterm is not setuid root.
>
> Thanks go to Kevin Vajk and the Linux Security Audit team for
> noting and providing a fix for this vulnerability.
So, here I am.
Well, as this vunerability become well-known, I have nothing to loose,
enjoy: most of terminfo-based programs will accept TERM variable set to
eg. '../../../tmp/x'. All we have to do is to provide 'our own termcap
file', set TERM, then execute vunerable program w/terminfo support. In
fact, in.telnetd daemon shipped eg. with RH 6.0 /as well as with many
other recent distributions based on terminfo entries/, is vunerable... And
TERM variable can be passed using telnet ENVIRON option during protocol
negotiation before login procedure... Guess what?;) Almost remote root
(well, all you have to do locally is puting /tmp/x).
_______________________________________________________________________
Michal Zalewski [[EMAIL PROTECTED]] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
