Date: Mon, 17 Mar 1997 11:26:57 -0700
From: "Aaron D. Gifford" <agifford@infowest.com>
To: security@freebsd.org
Subject: Fwd: Security bug (buffer overflow) in lib/libterm/tgoto.c
Message-ID: <3.0.1.32.19970317112657.0110be20@infowest.com>
Does this affect FreeBSD 2.1.7?

Thanks,
Aaron

>Approved-By: aleph1@UNDERGROUND.ORG
>Date: Sun, 16 Mar 1997 14:56:23 -0600
>Reply-To: Aleph One <aleph1@DFW.NET>
>Sender: Bugtraq List <BUGTRAQ@netspace.org>
>From: Aleph One <aleph1@DFW.NET>
>Subject: bin/2983: Security bug (buffer overflow) in lib/libterm/tgoto.c
>To: BUGTRAQ@netspace.org
>
>Path: news.reference.com!arclight.uoregon.edu!su-news-hub1.bbnplanet.com!cam-news-hub1.bbnplanet.com!news.bbnplanet.com!news.maxwell.syr.edu!newsfeed.nacamar.de!news.space.net!news.camelot.de!gateway
>From: kivinen@ssh.fi
>Newsgroups: muc.lists.freebsd.bugs
>Subject: bin/2983: Security bug (buffer overflow) in lib/libterm/tgoto.c
>Date: 14 Mar 1997 04:08:32 +0100
>Organization: Mail2News Gateway at Camelot Online Services
>Lines: 86
>Sender: news@camelot.de
>Approved: news@camelot.de
>Message-ID: <199703140243.EAA27893@taulu.ssh.fi>
>Reply-To: kivinen@ssh.fi
>NNTP-Posting-Host: lancelot.camelot.de
>Mime-Version: 1.0
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: 8bit
>Xref: news.reference.com muc.lists.freebsd.bugs:967
>
>
>>Number:         2983
>>Category:       bin
>>Synopsis:       Security bug (buffer overflow) in lib/libterm/tgoto.c
>>Confidential:   no
>>Severity:       serious
>>Priority:       high
>>Responsible:    freebsd-bugs
>>State:          open
>>Class:          sw-bug
>>Submitter-Id:   current-users
>>Arrival-Date:   Thu Mar 13 18:50:01 PST 1997
>>Last-Modified:
>>Originator:     Tero Kivinen
>>Organization:
>SSH Communications Security
>>Release:        NetBSD 1.2, FreeBSD 2.1-STABLE
>>Environment:
>
>System: NetBSD taulu.ssh.fi 1.2 NetBSD 1.2 (TAULU) #50: Mon Feb 24 21:40:52 EET 1997 kivinen@taulu.ssh.fi:/usr/src/sys/arch/i386/compile/TAULU i386
>System: FreeBSD pilari.ssh.fi 2.1.5-RELEASE FreeBSD 2.1.5-RELEASE #1: Thu Oct 31 23:58:19 EET 1996 root@lamppu.ssh.fi:/usr/src/sys/compile/SSHGEN i386
>
>>Description:
>
>The termcap library's tgoto function has a buffer overflow bug that can
>be used to overwrite data in the BSS segment.
>
>The tgoto function has a static char result[MAXRETURNSIZE] (64
>characters) buffer that is used to return the cursor addressing string
>from the tgoto function. If the cm capability has more than 64 characters
>in it, the tgoto function will overwrite something in the bss segment
>after the result variable. There are no checks on the length of the cm
>string nor checks whether the resulting string is longer than MAXRETURNSIZE
>characters.
>
>For example, the suid root system utility "systat" is vulnerable to this
>bug. No known exploits of this exist yet, but someone might find
>such. Also lots of systems have other suid root/kmem etc. programs
>installed that are vulnerable to this bug. For example top and monitor
>are such programs.
>
>The easiest way to demonstrate this is to change the TERMCAP environment
>variable and add about 80 characters to the cm capability and then
>start anything that uses curses or termcap directly (initscr in the curses
>library will call setterm, which will call tgoto to test if we can move
>the cursor around...).
>
>The fix in netbsd-current that changes the strcpy at the end of the
>tgoto function to strncpy isn't sufficient, because the dp pointer
>might already be way over the length of the result buffer, thus
>"sizeof(result) - (dp - result) - 1" results in a negative value.
>
>Notice that the fix in netbsd-current also may return a non-null-terminated
>string, thus causing unexpected behavior later.
>
>>How-To-Repeat:
>
>~> TERMCAP='xterm|vs100|xterm terminal emulator (X11R6 Window System):
>        :am:km:mi:ms:xn:xo:
>        :co#80:it#8:li#25:
>        :AL=\E[%dL:DC=\E[%dP:DL=\E[%dM:DO=\E[%dB:IC=\E[%d@:
>        :LE=\E[%dD:RI=\E[%dC:UP=\E[%dA:ae=^O:al=\E[L:as=^N:
>        :bl=^G:cd=\E[J:ce=\E[K:cl=\E[H\E[2J:cm=\E[%i%d;%dHsakdjaskjdaslkjdlaksjdlkjdslkjdakljdakljdlalkjasdlkjasdlkjasdlkaslkdaslkjdlksjadkljasdjklasdjklasdlkjaskld:
>        :cr=^M:cs=\E[%i%d;%dr:ct=\E[3k:dc=\E[P:dl=\E[M:do=^J:
>        :ei=\E[4l:ho=\E[H:ic=\E[@:im=\E[4h:
>        :is=\E[r\E[m\E[2J\E[H\E[?7h\E[?1;3;4;6l\E[4l:
>        :k1=\E[11~:k2=\E[12~:k3=\E[13~:k4=\E[14~:k5=\E[15~:
>        :k6=\E[17~:k7=\E[18~:k8=\E[19~:k9=\E[20~:kI=\E[2~:
>        :kN=\E[6~:kP=\E[5~:kb=^H:kd=\EOB:ke=\E[?1l\E>:
>        :kh=\E[@:kl=\EOD:kr=\EOC:ks=\E[?1h\E=:ku=\EOA:le=^H:
>        :md=\E[1m:me=\E[m:mr=\E[7m:nd=\E[C:rc=\E8:sc=\E7:
>        :se=\E[m:sf=^J:so=\E[7m:sr=\EM:ta=^I:
>        :ue=\E[m:up=\E[A:
>        :us=\E[4m:'
>~> export TERMCAP
>~> systat
>zsh: 27863 bus error  systat
>~>
>
>>Fix:
>
>Add a check that the result buffer isn't overflown.
>--
>kivinen@iki.fi                               Work : +358-9-4354 3205
>Magnus Enckellin kuja 9 K 19, 02610, Espoo   Home : +358-9-502 1573
>>Audit-Trail:
>>Unformatted:
>
>
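Added example, not part of the forwarded report or of libterm's own code: a minimal tgoto-style expander that shows the two points the report makes, namely that every write into the fixed-size result buffer has to be bounds-checked before it happens, and that the "sizeof(result) - (dp - result) - 1" remaining-space calculation is useless once the write position is already past the end, because the unsigned subtraction wraps to a huge value rather than going negative. The names expand_cm, put_char, put_num and naive_remaining are assumptions made for this example; the %d/%i subset of cm directives is deliberately small.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXRETURNSIZE 64   /* same size as the static result buffer in the report */

/* Mirrors the arithmetic of the netbsd-current strncpy change the report
 * criticises. Once `used` exceeds bufsize the unsigned subtraction wraps
 * to a huge size_t, so strncpy is bounded by nothing at all. */
size_t naive_remaining(size_t bufsize, size_t used)
{
    return bufsize - used - 1;
}

/* Append one byte, keeping room for the terminating NUL. -1 if no room. */
static int put_char(char *out, size_t outsz, size_t *pos, char c)
{
    if (*pos + 1 >= outsz)
        return -1;
    out[(*pos)++] = c;
    return 0;
}

/* Append the decimal rendering of n, one bounds-checked byte at a time. */
static int put_num(char *out, size_t outsz, size_t *pos, int n)
{
    char tmp[16];
    int len = snprintf(tmp, sizeof tmp, "%d", n);
    for (int i = 0; i < len; i++)
        if (put_char(out, outsz, pos, tmp[i]) < 0)
            return -1;
    return 0;
}

/* Hypothetical tgoto-like expander. Supports %d (next argument in decimal,
 * row first then column, as termcap's cm expects), %i (increment both
 * arguments) and %%. Unlike the tgoto described in the report, every write
 * is checked against outsz and the output is always NUL-terminated.
 * Returns 0 on success, -1 if the expansion does not fit or cm is malformed;
 * on failure `out` holds the truncated prefix. */
int expand_cm(const char *cm, int destcol, int destline, char *out, size_t outsz)
{
    int args[2] = { destline, destcol };
    int next = 0;
    size_t pos = 0;

    if (outsz == 0)
        return -1;
    for (const char *p = cm; *p; p++) {
        if (*p != '%') {
            if (put_char(out, outsz, &pos, *p) < 0) goto fail;
            continue;
        }
        switch (*++p) {          /* a trailing '%' lands in default via NUL */
        case 'd':
            if (next >= 2 || put_num(out, outsz, &pos, args[next++]) < 0) goto fail;
            break;
        case 'i':
            args[0]++; args[1]++;
            break;
        case '%':
            if (put_char(out, outsz, &pos, '%') < 0) goto fail;
            break;
        default:
            goto fail;           /* unsupported directive: refuse rather than guess */
        }
    }
    out[pos] = '\0';             /* pos < outsz is guaranteed by put_char */
    return 0;
fail:
    out[pos] = '\0';
    return -1;
}

int main(void)
{
    char buf[MAXRETURNSIZE];
    char longcm[128];

    /* A normal xterm-style cm: row 10 / column 5 become 11;6 because of %i. */
    if (expand_cm("\033[%i%d;%dH", 5, 10, buf, sizeof buf) == 0)
        printf("ok: %zu bytes\n", strlen(buf));

    /* Constructed oversized capability, like the padded cm in the report:
     * the bounded expander reports failure instead of writing past buf. */
    memset(longcm, 'x', 90);
    longcm[90] = '\0';
    printf("oversized cm -> %d\n", expand_cm(longcm, 0, 0, buf, sizeof buf));
    printf("naive remaining at used=70: %zu\n", naive_remaining(64, 70));
    return 0;
}
```

The check lives in put_char, so a later directive cannot be added without inheriting it; the report's fix, by contrast, was applied only at the final strcpy, after dp may already have walked past result, which is why the remaining-space subtraction cannot be trusted at that point.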