Michal Zalewski wrote:
> Well, as this vunerability become well-known, I have nothing to loose,
> enjoy: most of terminfo-based programs will accept TERM variable set to
> eg. '../../../tmp/x'. All we have to do is to provide 'our own termcap
> file', set TERM, then execute vunerable program w/terminfo support. In
> fact, in.telnetd daemon shipped eg. with RH 6.0 /as well as with many
> other recent distributions based on terminfo entries/, is vunerable... And
> TERM variable can be passed using telnet ENVIRON option during protocol
> negotiation before login procedure... Guess what?;) Almost remote root
> (well, all you have to do locally is puting /tmp/x).
Are you referring to terminfo or termcap? They are designed differently,
refer to different files and use different code.
Regards,
Joey
--
GNU does not eliminate all the world's problems, only some of them.
-- The GNU Manifesto
- [RHSA-1999:028-01] Buffer overflow in libtermcap tge... Bill Nottingham
- Re: [RHSA-1999:028-01] Buffer overflow in libte... Michal Zalewski
- Re: [RHSA-1999:028-01] Buffer overflow in l... Michal Zalewski
- Re: [RHSA-1999:028-01] Buffer overflow ... Tymm Twillman
- Re: [RHSA-1999:028-01] Buffer overf... Michal Zalewski
- Re: [RHSA-1999:028-01] Buffer overflow ... Olaf Kirch
- Re: [RHSA-1999:028-01] Buffer overflow in l... Martin Schulze
- Re: [RHSA-1999:028-01] Buffer overflow in l... Aaron Campbell
- Re: [RHSA-1999:028-01] Buffer overflow ... Alan Cox
- Re: [RHSA-1999:028-01] Buffer overf... Kurt Wall
- Re: [RHSA-1999:028-01] Buffer ... Carlo M. Arenas Belon
- libtermcap exploit fix ... smashcap... Hudin Lucian
- Re: [RHSA-1999:028-01] Buffer overf... Pavel Kankovsky
- Re: [RHSA-1999:028-01] Buffer overflow in l... Tymm Twillman
- Re: [RHSA-1999:028-01] Buffer overflow in libte... Olaf Kirch
- Re: [RHSA-1999:028-01] Buffer overflow in l... Martin Schulze
