Ncurses multiple buffer overflows (Patch available)
------------------------------------------------------------------------
SUMMARY
The CRT screen handling library ncurses contains several buffer overflow
problems, making programs that use it vulnerable to exploits. If such a
program is setuid or setgid, a local user may elevate their privilege. The
problem exists in ncurses versions 4.2 and 5.0 (and probably in earlier
versions), and in libocurses. The overflows can be exploited if the library
implementation supports loading of user-defined terminfo files from
~/.terminfo.
DETAILS
Vulnerable systems:
SuSE Linux 6.4 (using the program cda)
Red Hat Linux 6.1 (using the program cda)
FreeBSD (using the program /usr/bin/systat)
OpenBSD (using the program /usr/bin/systat)
Caldera Linux
Immune systems:
NetBSD
The file ncurses/tty/lib_mvcur.c contains functions for moving the cursor
around. Some of the functions contain calls to strcpy() without bounds
checking. The target of the strcpy() calls is a local fixed-size buffer in
onscreen_mvcur():
    static inline int onscreen_mvcur(int yold, int xold, int ynew, int xnew,
                                     bool ovw)
    /* onscreen move from (yold, xold) to (ynew, xnew) */
    {
        char use[OPT_SIZE], *sp;
        ... a few lines later:
        sp = tparm(SP->_address_cursor, ynew, xnew);
        if (sp)
        {
            tactic = 0;
            (void) strcpy(use, sp);
The function tparm() returns a control string for screen manipulation,
originating from the terminfo file read according to the environment
variables TERM and TERMINFO_DIRS. Even though ncurses implementations on
some platforms reportedly ignore TERMINFO_DIRS while running
setuid/setgid, they check ~/.terminfo/ for the capability files in any
case.
OPT_SIZE seems to be defined as 512. tparm() can be made to return a string
of arbitrary length containing arbitrary data, so exploitation is usually
quite trivial. There are a few similar strcpy() calls in other functions in
the file. Many other ncurses functions may also call the cursor-moving
functions (e.g. endwin()), so a program need not call mvcur() itself in
order to be vulnerable.
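As an added example (not code from the advisory or from ncurses itself), a bounded replacement for the strcpy() into use[OPT_SIZE]: fake_tparm(), copy_bounded() and choose_tactic() are hypothetical names, and the length check shown is one way to make the copy refuse an over-long capability string instead of overflowing the buffer.

```c
#include <stdio.h>
#include <string.h>

#define OPT_SIZE 512      /* buffer size the advisory reports for use[] */
#define OK       0
#define ERR      (-1)

/* Constructed stand-in for tparm(): returns an addressing string of the
 * requested length, modelling a ~/.terminfo entry whose cursor-address
 * capability has been made arbitrarily long. Not ncurses code. */
const char *fake_tparm(size_t len)
{
    static char cap[4096];
    if (len >= sizeof cap)
        len = sizeof cap - 1;
    memset(cap, 'A', len);
    cap[len] = '\0';
    return cap;
}

/* Hardened form of the advisory's strcpy(use, sp): copy only if the string
 * and its terminating NUL fit, otherwise report ERR so the caller can fall
 * back to another movement tactic instead of trusting the terminfo data. */
int copy_bounded(char *use, size_t use_size, const char *sp)
{
    size_t len = strlen(sp);
    if (len >= use_size)
        return ERR;
    memcpy(use, sp, len + 1);
    return OK;
}

/* Models the decision in onscreen_mvcur(): tactic 0 (absolute cursor
 * addressing) is chosen only when the expanded string fits in use[]. */
int choose_tactic(size_t cap_len)
{
    char use[OPT_SIZE];
    const char *sp = fake_tparm(cap_len);
    if (sp && copy_bounded(use, sizeof use, sp) == OK)
        return 0;
    return ERR;
}

int main(void)
{
    printf("511-byte capability accepted: %s\n", choose_tactic(511) == 0 ? "yes" : "no");
    printf("512-byte capability accepted: %s\n", choose_tactic(512) == 0 ? "yes" : "no");
    return 0;
}
```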
General Note:
Not all programs using ncurses are necessarily vulnerable. For example,
"screen" is setuid root on some systems and uses ncurses, but it does not
seem to use the vulnerable functions directly (investigated on Red Hat
Linux; may vary on other systems).
When using telnet to connect to a remote system, telnetd on some platforms
does not ignore the TERMINFO_DIRS or TERMCAP environment variables (e.g.
OpenBSD). This means the problem could be remotely exploitable under some
conditions on some platforms. This has not been confirmed with an exploit;
however, by setting TERMCAP the OpenBSD telnetd can be made to read any file
as root. If the file is something like /dev/zero, the telnetd process reads
it indefinitely until the system runs out of memory.
Temporary workaround:
A temporary solution is to remove the setuid/setgid bits of programs using
ncurses. To check if a program uses ncurses, type (on most systems):
$ ldd /path/to/program
If libncurses or libocurses is mentioned in the library listing and the
program is setuid/setgid, then there is a possibility for it to be
exploited. If 'ldd' does not exist on the system (or the program is
statically linked) you can try something like:
$ grep -li TERMINFO /path/to/program
If it outputs the file path, the program probably uses ncurses or a
derivative.
To remove the setuid/setgid bits, issue the command:
$ chmod ug-s /path/to/file
Patch:
Caldera Linux:
OpenLinux Desktop 2.3
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
RPMS/ncurses-4.2-6.i386.rpm
RPMS/ncurses-devel-4.2-6.i386.rpm
RPMS/ncurses-devel-static-4.2-6.i386.rpm
RPMS/ncurses-termcap-devel-4.2-6.i386.rpm
RPMS/ncurses-termcap-devel-static-4.2-6.i386.rpm
SRPMS/ncurses-4.2-6.src.rpm
OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0:
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
RPMS/ncurses-4.2-6.i386.rpm
RPMS/ncurses-devel-4.2-6.i386.rpm
RPMS/ncurses-devel-static-4.2-6.i386.rpm
RPMS/ncurses-termcap-devel-4.2-6.i386.rpm
RPMS/ncurses-termcap-devel-static-4.2-6.i386.rpm
SRPMS/ncurses-4.2-6.src.rpm
OpenLinux eDesktop 2.4:
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
RPMS/ncurses-4.2-6.i386.rpm
RPMS/ncurses-devel-4.2-6.i386.rpm
RPMS/ncurses-devel-static-4.2-6.i386.rpm
RPMS/ncurses-termcap-devel-4.2-6.i386.rpm
RPMS/ncurses-termcap-devel-static-4.2-6.i386.rpm
SRPMS/ncurses-4.2-6.src.rpm
--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
This message contains no viruses. Guaranteed by AVP.
------------------------------------------------------------------------
Forum Komunikasi Penulis-Pembaca MIKRODATA (FKPPM)
Information: http:[EMAIL PROTECTED]
Archive: http://www.mail-archive.com/forum%40mikrodata.co.id/
WAP: http://mikrodata.co.id/wap/index.wml
This mailing list contributes to several columns run by the MIKRODATA team,
including columns that appear in other media.
Using, distributing, and copying pirated software is a criminal act.
Please check against the latest AVP update before you ask about a virus:
ftp://mikrodata.co.id/avirus_&_security/AntiViral_Toolkit_Pro/avp30.zip