Michal Zalewski wrote:

> Well, as this vulnerability became well-known, I have nothing to lose,
> enjoy: most of terminfo-based programs will accept TERM variable set to
> eg. '../../../tmp/x'. All we have to do is to provide 'our own termcap
> file', set TERM, then execute vulnerable program w/terminfo support. In
> fact, in.telnetd daemon shipped eg. with RH 6.0 /as well as with many
> other recent distributions based on terminfo entries/, is vulnerable... And
> TERM variable can be passed using telnet ENVIRON option during protocol
> negotiation before login procedure... Guess what?;) Almost remote root
> (well, all you have to do locally is putting /tmp/x).

Are you referring to terminfo or termcap? They are designed differently, refer to different files and use different code.

Regards,

Joey

--
GNU does not eliminate all the world's problems, only some of them. -- The GNU Manifesto
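
A defensive check for the issue described in the quoted message, as an added example that is not part of the original thread: a daemon that receives TERM from a remote client can refuse any value that is not a plain entry name before a terminal library sees it. The function names, the length cap and the `dumb` fallback are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TERM_MAX_LEN 64   /* assumed cap; real terminal names are short */

/* Return 1 if `term` is a plain terminal entry name: non-empty, bounded,
 * no leading '.', and only [A-Za-z0-9._+-]. Rejecting '/' and a leading
 * '.' is what stops values such as "../../../tmp/x" from being used as a
 * path relative to the terminal database directory. */
int term_name_is_safe(const char *term)
{
    size_t len, i;

    if (term == NULL)
        return 0;
    len = strlen(term);
    if (len == 0 || len > TERM_MAX_LEN || term[0] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        char c = term[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') ||
                 c == '-' || c == '_' || c == '+' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Choose the TERM value handed to the session: the client's value if it
 * passes the check, otherwise the caller's fallback (hypothetical helper). */
const char *sanitize_client_term(const char *client_term, const char *fallback)
{
    return term_name_is_safe(client_term) ? client_term : fallback;
}

int main(void)
{
    /* Constructed sample values, including the one quoted in the thread. */
    const char *samples[] = { "xterm", "vt100", "../../../tmp/x", "/tmp/x", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               sanitize_client_term(samples[i], "dumb"));
    return 0;
}
```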