Date: Tue, 7 Nov 2000 04:03:53 -0500 (EST) From: Trevor Johnson <trevor@jpj.net> To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> Cc: freebsd-security@FreeBSD.ORG Subject: Re: ncurses buffer overflows (fwd) Message-ID: <Pine.BSI.4.21.0011070358150.17172-100000@blues.jpj.net> In-Reply-To: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>
Here's a draft of an advisory.
=============================================================================
FreeBSD-SA-00:67 Security Advisory
FreeBSD, Inc.
Topic: ncurses library is subject to buffer overflows
Category: core
Modules: contrib_ncurses libncurses ncurses
Announced: 2000-10-09
Credits: Jouko Pynnönen <jouko@solutions.fi>
Affects: FreeBSD 4.x and 5.0 systems from after 2000-07-03 but prior to
the correction date; probably earlier 4.x and 5.0 systems or
systems with the ncurses port installed; possibly 2.x and 3.x
systems
Corrected: 2000-10-11 (FreeBSD 5.0-CURRENT)
2000-10-12 (FreeBSD 4.1.1-STABLE)
Vendor status: Patch released
FreeBSD only: NO
I. Background
The ncurses library is a set of routines for working with character-mode
terminals in a portable, device-independent way. In FreeBSD, it is distributed
as part of the base system and also in the ports collection (devel/ncurses).
Version 5.1-20000701 of ncurses is known to have buffer overflows. It was
added to the RELENG_4 and -CURRENT sources on 2000-07-03. Older versions of
ncurses have been reported as having the same vulnerabilities. In particular,
ncurses 4.2 has been reported to be vulnerable. It is present in the ncurses
port. Also, ncurses 5.0 has been reported to be vulnerable. It was introduced to
FreeBSD 4.0-CURRENT on 1999-08-24. The older libcurses present in FreeBSD 2.x
and 3.x has not been sufficiently tested for the vulnerabilities discussed in
this advisory. However, according to a report by Valentin Nechayev, FreeBSD
3.5-STABLE does not exhibit them.
II. Problem Description
Due to use of the strcpy() function, data from a malformed terminfo file placed
in a user's ~/.terminfo/ directory can overflow a buffer used by the ncurses
library.
III. Impact
If an SGID/SUID command is linked to the library, the bug can be exploited to
give the user elevated privilege. Reportedly, the telnet daemon in OpenBSD
could be made to disclose the contents of read-protected files, or to cause a
denial of service, by setting the TERMCAP environment variable. Although
FreeBSD's telnet daemon also is linked to libncurses, it has not been found to
have this problem.
An exploit is available for the systat command, which is part of the FreeBSD
base system. Other commands, both in the base system and in the ports
collection, may be vulnerable. Examples are /usr/bin/top and /usr/sbin/lpc in
the base system, /usr/local/bin/mutt_dotlock from the mail/mutt port, and
/usr/X11R6/bin/xterm from various XFree86 ports.
IV. Workaround
Remove SUID or SGID bits from, or deinstall, ncurses-based commands which have
such privileges.
V. Solution
Upgrade your vulnerable FreeBSD 4.x or 5.0 system to a version of FreeBSD from
after the correction date (see http://www.freebsd.org/handbook/makeworld.html
for more information about upgrading FreeBSD from source). If you have
installed the ncurses port and linked any privileged commands to it, deinstall
the port and recompile the commands against the fixed ncurses in the base
system.
===============================================================================
On Tue, 10 Oct 2000, Cy Schubert - ITSD Open Systems Group wrote:
> For those of you who don't subscribe to BUGTRAQ, here's a heads up.
>
>
> Regards, Phone: (250)387-8437
> Cy Schubert Fax: (250)387-5766
> Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>
>
> ------- Forwarded Message
>
> [headers deleted]
> Message-ID: <Pine.LNX.4.10.10010092242140.27629-100000@shell.solutions.fi>
> Date: Mon, 9 Oct 2000 22:42:49 +0300
> Reply-To: Jouko Pynnönen <jouko@SOLUTIONS.FI>
> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
> From: Jouko Pynnönen <jouko@SOLUTIONS.FI>
> Subject: ncurses buffer overflows
> To: BUGTRAQ@SECURITYFOCUS.COM
> X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by
> passer.osg.gov.bc.ca id e99LWVm00922
> Resent-To: cy@passer.osg.gov.bc.ca
> Resent-Date: Mon, 09 Oct 2000 14:32:31 -0700
> Resent-From: Cy Schubert <cschuber@osg.gov.bc.ca>
> X-MIME-Autoconverted: from 8bit to quoted-printable by
> passer.osg.gov.bc.ca id e99LXWh00934
> Content-Transfer-Encoding: 8bit
> X-MIME-Autoconverted: from quoted-printable to 8bit by cwsys.cwsent.com
> id e99LXpR01317
>
> OVERVIEW
>
> The CRT screen handling library ncurses contains buffer overflows,
> making programs using it vulnerable. If the programs are setuid or
> setgid, a local user may elevate their privilege. The problem exists in
> ncurses versions 4.2 and 5.0, probably earlier, and libocurses. The
> overflows can be exploited if the library implementation supports
> loading of user defined terminfo files from ~/.terminfo.
>
> The problem has been tested and found on
>
> * SuSE Linux 6.4, Red Hat Linux 6.1. A setuid program using ncurses
> ("cda" in the xmcd package) was successfully exploited to spawn a
> root shell.
>
> * FreeBSD, the program /usr/bin/systat is setgid and uses libncurses.
> An exploit was made which gives a shell with egid=kmem. The kmem
> group has read access to /dev/kmem and memory of all processes via
> /proc/<pid>/mem, and could be used to read e.g. crypted or
> cleartext passwords, authorization keys, or any other info that
> might be in programs' memory space.
>
> * OpenBSD, having /usr/bin/systat setgid kmem too. No test exploit
> was made, but the program segfaults when given an "evil" terminfo
> file. Making a similar exploit is probably possible. This applies to
> other BSD systems as well, but these haven't been tested or confirmed.
>
> All programs using ncurses aren't necessarily vulnerable, e.g. "screen"
> is setuid root on some systems and uses ncurses, but it doesn't seem to
> use the vulnerable functions at least directly (investigated on Red Hat
> Linux, other systems may vary).
>
> When using telnet to connect to a remote system, telnetd on some
> platforms doesn't ignore TERMINFO_DIRS or TERMCAP environment variables
> (e.g. OpenBSD). This means the problem could be remotely exploitable
> under some conditions on some platforms. This hasn't been confirmed with
> an exploit, however by setting TERMCAP the OpenBSD telnetd can be made to
> read any file as root. If the file is something like /dev/zero, the
> telnetd process reads it infinitely until the system runs out of memory.
>
>
>
> BUG DETAILS
>
> The file ncurses/tty/lib_mvcur.c contains functions for moving around
> the cursor. Some of the functions contain calls to strcpy() without
> bound checking. The target of the strcpy's is a local fixed size buffer
> in onscreen_mvcur():
>
> static inline int
> onscreen_mvcur(int yold,int xold,int ynew,int xnew, bool ovw)
> /* onscreen move from (yold, xold) to (ynew, xnew) */
> {
>     char use[OPT_SIZE], *sp;
>
>
> ... a few lines later:
>
>     sp = tparm(SP->_address_cursor, ynew, xnew);
>     if (sp)
>     {
>         tactic = 0;
>         (void) strcpy(use, sp);
>
>
> The function tparm() returns a control string for screen manipulation,
> originating from the terminfo file read according to the environment
> variables TERM and TERMINFO_DIRS. Even though ncurses implementations
> on some platforms reportedly ignore TERMINFO_DIRS while running
> setuid/setgid, they check ~/.terminfo/ for the capability files in any
> case.
>
> OPT_SIZE seems to be defined as 512. tparm() can be made to return a
> string of arbitrary length containing arbitrary data, so exploitation is
> usually quite trivial. There are a few similar strcpy() calls in
> other functions in the file. Many other ncurses functions may also call
> the cursor moving functions (e.g. endwin()) so in order to be
> vulnerable, a program needn't call mvcur().
>
>
>
> SOLUTION
>
> The authors of ncurses and OS vendors were informed over a week ago and
> have released, or will shortly release, fix packages.
>
>
>
> TEMPORARY WORKAROUND
>
> A temporary solution is to remove the setuid/setgid bits of programs
> using ncurses. To check if a program uses ncurses, type (on most
> systems):
>
> ldd /path/to/program
>
> If libncurses or libocurses is mentioned in the library listing and the
> program is setuid/setgid, then there's a possibility for it to be
> exploited. If 'ldd' doesn't exist on the system (or the program is
> statically linked) you can try something like
>
> grep -li TERMINFO /path/to/program
>
> If it outputs the file path, the program probably uses ncurses or
> derivative.
>
> To remove the setuid/setgid bits, issue the command:
>
> chmod ug-s /path/to/file
>
>
>
> CREDITS AND ACKNOWLEDGEMENTS
>
> Vulnerability discovered by: Jouko Pynnönen <jouko@solutions.fi>
>
> Thanks and greets to: Emil Valsson (for providing a FreeBSD test box),
> Esa Etelävuori, ncurses people, cc-opers@IRCNet
>
>
>
> - --
> Jouko Pynnönen Online Solutions Ltd Secure your Linux -
> jouko@solutions.fi http://www.secmod.com
>
> ------- End of Forwarded Message
>
>
>
>
>
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt
