From: Trevor Johnson
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 7 Nov 2000 04:03:53 -0500 (EST)
Subject: Re: ncurses buffer overflows (fwd)
In-Reply-To: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>

Here's a draft of an advisory.

=============================================================================
FreeBSD-SA-00:67                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ncurses library is subject to buffer overflows

Category:       core
Modules:        contrib_ncurses libncurses ncurses
Announced:      2000-10-09
Credits:        Jouko Pynnönen
Affects:        FreeBSD 4.x and 5.0 systems from after 2000-07-03 but prior
                to the correction date; probably earlier 4.x and 5.0 systems
                or systems with the ncurses port installed; possibly 2.x and
                3.x systems
Corrected:      2000-10-11 (FreeBSD 5.0-CURRENT)
                2000-10-12 (FreeBSD 4.1.1-STABLE)
Vendor status:  Patch released
FreeBSD only:   NO

I.   Background

The ncurses library is a set of routines for working with character-mode
terminals in a portable, device-independent way. In FreeBSD, it is
distributed as part of the base system and also in the ports collection
(devel/ncurses).

Version 5.1-20000701 of ncurses is known to have buffer overflows. It was
added to the RELENG_4 and -CURRENT sources on 2000-07-03.

Older versions of ncurses have been reported as having the same
vulnerabilities. In particular, ncurses 4.2 has been reported to be
vulnerable.
It is present in the ncurses port. Also, ncurses 5.0 has been reported to be
vulnerable. It was introduced to FreeBSD 4.0-CURRENT on 1999-08-24.

The older libcurses present in FreeBSD 2.x and 3.x has not been sufficiently
tested for the vulnerabilities discussed in this advisory. However,
according to a report by Valentin Nechayev, FreeBSD 3.5-STABLE does not
exhibit them.

II.  Problem Description

Due to use of the strcpy() function, data from a malformed terminfo file
placed in a user's ~/.terminfo/ directory can overflow a buffer used by the
ncurses library.

III. Impact

If an SGID/SUID command is linked to the library, the bug can be exploited
to give the user elevated privilege.

Reportedly, the telnet daemon in OpenBSD could be made to disclose the
contents of read-protected files, or to cause a denial of service, by
setting the TERMCAP environment variable. Although FreeBSD's telnet daemon
is also linked to libncurses, it has not been found to have this problem.

An exploit is available for the systat command, which is part of the
FreeBSD base system. Other commands, both in the base system and in the
ports collection, may be vulnerable. Examples are /usr/bin/top and
/usr/sbin/lpc in the base system, /usr/local/bin/mutt_dotlock from the
mail/mutt port, and /usr/X11R6/bin/xterm from various XFree86 ports.

IV.  Workaround

Remove SUID or SGID bits from, or deinstall, ncurses-based commands which
have such privileges.

V.   Solution

Upgrade your vulnerable FreeBSD 4.x or 5.0 system to a version of FreeBSD
from after the correction date (see
http://www.freebsd.org/handbook/makeworld.html for more information about
upgrading FreeBSD from source). If you have installed the ncurses port and
linked any privileged commands to it, deinstall the port and recompile the
commands against the fixed ncurses in the base system.
===============================================================================

On Tue, 10 Oct 2000, Cy Schubert - ITSD Open Systems Group wrote:

> For those of you who don't subscribe to BUGTRAQ, here's a heads up.
>
>
> Regards,                       Phone:     (250)387-8437
> Cy Schubert                    Fax:       (250)387-5766
> Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>
>
> ------- Forwarded Message
>
> [headers deleted]
> Date:     Mon, 9 Oct 2000 22:42:49 +0300
> From:     Jouko Pynnönen
> Subject:  ncurses buffer overflows
> To:       BUGTRAQ@SECURITYFOCUS.COM
>
> OVERVIEW
>
> The CRT screen handling library ncurses contains buffer overflows,
> making programs using it vulnerable. If the programs are setuid or
> setgid, a local user may elevate their privilege. The problem exists in
> ncurses versions 4.2 and 5.0, probably earlier, and libocurses. The
> overflows can be exploited if the library implementation supports
> loading of user defined terminfo files from ~/.terminfo.
>
> The problem has been tested and found on
>
> * SuSE Linux 6.4, Red Hat Linux 6.1. A setuid program using ncurses
>   ("cda" in the xmcd package) was successfully exploited to spawn a
>   root shell.
>
> * FreeBSD, the program /usr/bin/systat is setgid and uses libncurses.
>   An exploit was made which gives a shell with egid=kmem. The kmem
>   group has read access to /dev/kmem and memory of all processes via
>   /proc//mem, and could be used to read e.g.
>   crypted or cleartext passwords, authorization keys, or any other info
>   that might be in programs' memory space.
>
> * OpenBSD, having /usr/bin/systat setgid kmem too. No test exploit
>   was made, but the program segfaults when given an "evil" terminfo
>   file. Making a similar exploit is probably possible. This applies to
>   other BSD systems as well, but this hasn't been tested or confirmed.
>
> All programs using ncurses aren't necessarily vulnerable, e.g. "screen"
> is setuid root on some systems and uses ncurses, but it doesn't seem to
> use the vulnerable functions, at least directly (investigated on Red Hat
> Linux, other systems may vary).
>
> When using telnet to connect to a remote system, telnetd on some
> platforms doesn't ignore TERMINFO_DIRS or TERMCAP environment variables
> (e.g. OpenBSD). This means the problem could be remotely exploitable
> under some conditions on some platforms. This hasn't been confirmed with
> an exploit; however, by setting TERMCAP the OpenBSD telnetd can be made
> to read any file as root. If the file is something like /dev/zero, the
> telnetd process reads it infinitely until the system runs out of memory.
>
>
>
> BUG DETAILS
>
> The file ncurses/tty/lib_mvcur.c contains functions for moving around
> the cursor. Some of the functions contain calls to strcpy() without
> bound checking. The target of the strcpy's is a local fixed size buffer
> in onscreen_mvcur():
>
>     static inline int
>     onscreen_mvcur(int yold, int xold, int ynew, int xnew, bool ovw)
>     /* onscreen move from (yold, xold) to (ynew, xnew) */
>     {
>         char use[OPT_SIZE], *sp;
>
>
> ... a few lines later:
>
>         sp = tparm(SP->_address_cursor, ynew, xnew);
>         if (sp)
>         {
>             tactic = 0;
>             (void) strcpy(use, sp);
>
>
> The function tparm() returns a control string for screen manipulation,
> originating from the terminfo file read according to the environment
> variables TERM and TERMINFO_DIRS.
> Even though ncurses implementations on some platforms reportedly ignore
> TERMINFO_DIRS while running setuid/setgid, they check ~/.terminfo/ for
> the capability files in any case.
>
> OPT_SIZE seems to be defined as 512. tparm() can be made to return a
> string of arbitrary length containing arbitrary data, so exploitation is
> usually quite trivial. There are a few similar strcpy() calls in
> other functions in the file. Many other ncurses functions may also call
> the cursor moving functions (e.g. endwin()), so in order to be
> vulnerable, a program needn't call mvcur().
>
>
>
> SOLUTION
>
> The authors of ncurses and OS vendors were informed over a week ago,
> and they have released, or will shortly release, fix packages.
>
>
>
> TEMPORARY WORKAROUND
>
> A temporary solution is to remove the setuid/setgid bits of programs
> using ncurses. To check if a program uses ncurses, type (on most
> systems):
>
>     ldd /path/to/program
>
> If libncurses or libocurses is mentioned in the library listing and the
> program is setuid/setgid, then there's a possibility for it to be
> exploited. If 'ldd' doesn't exist on the system (or the program is
> statically linked) you can try something like
>
>     grep -li TERMINFO /path/to/program
>
> If it outputs the file path, the program probably uses ncurses or a
> derivative.
>
> To remove the setuid/setgid bits, issue the command:
>
>     chmod ug-s /path/to/file
>
>
>
> CREDITS AND ACKNOWLEDGEMENTS
>
> Vulnerability discovered by: Jouko Pynnönen
>
> Thanks and greets to: Emil Valsson (for providing a FreeBSD test box),
> Esa Etelävuori, ncurses people, cc-opers@IRCNet
>
>
>
> - --
> Jouko Pynnönen          Online Solutions Ltd         Secure your Linux -
> jouko@solutions.fi                                   http://www.secmod.com
>
> ------- End of Forwarded Message
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt
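An added example, not code from the advisory or from ncurses: the strcpy() pattern quoted from onscreen_mvcur() beside a bounded copy, with OPT_SIZE set to 512 as the report states and the oversized capability string constructed inline in place of tparm()'s return value (copy_capability and copy_result_for_length are names chosen here, not ncurses functions).

```c
/* Added example, not ncurses code: the strcpy() in onscreen_mvcur() replaced
 * by a bounded copy.  OPT_SIZE is 512 as the report states; the capability
 * string is constructed here instead of coming from tparm(), so no libncurses. */
#include <stdio.h>
#include <string.h>

#define OPT_SIZE 512

/* Vulnerable shape from lib_mvcur.c per the advisory:
 *     char use[OPT_SIZE], *sp;
 *     sp = tparm(SP->_address_cursor, ynew, xnew);  // content from terminfo
 *     (void) strcpy(use, sp);  // overflows 'use' once strlen(sp) >= OPT_SIZE
 */

/* Bounded replacement: returns 0 and fills 'use' when sp plus its NUL fits in
 * use_size bytes, else -1 with 'use' emptied.  memchr() stops at use_size, so
 * an oversized or unterminated string is never read past the limit either. */
int copy_capability(char *use, size_t use_size, const char *sp)
{
    const char *end;
    if (sp == NULL || use_size == 0)
        return -1;
    end = memchr(sp, '\0', use_size);
    if (end == NULL) {                 /* no terminator within capacity */
        use[0] = '\0';
        return -1;
    }
    memcpy(use, sp, (size_t)(end - sp) + 1);
    return 0;
}

/* Constructed input: a cursor-address string of exactly cap_len bytes, an
 * ordinary ESC[row;colH prefix plus filler, as a padded "cup" entry in
 * ~/.terminfo could make tparm() return.  Returns copy_capability()'s result
 * for a use[OPT_SIZE] buffer like the one in onscreen_mvcur(). */
int copy_result_for_length(size_t cap_len)
{
    char cap[4096], use[OPT_SIZE];
    size_t prefix;
    if (cap_len == 0 || cap_len >= sizeof cap)
        return -1;
    prefix = (size_t)snprintf(cap, sizeof cap, "\033[%d;%dH", 12, 40);
    if (prefix > cap_len)
        prefix = cap_len;              /* keep only part of the prefix */
    memset(cap + prefix, 'A', cap_len - prefix);
    cap[cap_len] = '\0';
    return copy_capability(use, sizeof use, cap);
}
```

A 511-byte string still fits (its NUL is byte 512); a 512-byte one is the first length the original strcpy() would have written past the buffer, and here it is rejected instead.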