On Sun, 4 Jul 1999, Michal Zalewski wrote:

> Well, as this vulnerability has become well-known, I have nothing to lose,
> enjoy: most terminfo-based programs will accept a TERM variable set to
> e.g. '../../../tmp/x'. All we have to do is to provide 'our own termcap
> file', set TERM, then execute a vulnerable program w/terminfo support. In
> fact, the in.telnetd daemon shipped e.g. with RH 6.0 /as well as with many
> other recent distributions based on terminfo entries/, is vulnerable... And

That's nothing new, I pointed that out on Bugtraq nearly 2 years ago in
November 1997. In fact, that's the same example I used (../../../tmp/x).
On my test system at the time (Slackware), longer pathnames would be
chopped off at the end.

In general, I consider it dangerous for a program running with elevated
privileges to trust a user-supplied terminfo/termcap file. Last year I
found a buffer overflow in ncurses and OpenBSD was changed to not trust
user-supplied term files when the invoked program is setuid/setgid. A
reasonable precaution; too much could go wrong otherwise.

I also discovered a divide-by-zero bug (again, tickled only by a malformed
terminfo file), which isn't as serious, but could be used to crash some
programs, etc. This was also reported and fixed...

  .
 :  Aaron Campbell <[EMAIL PROTECTED]> - [ http://www.biodome.org/~fx ]
  `-------------------------------------------------------------------
