Re: SNI-20: Telnetd tgetent vulnerability

Theo de Raadt (deraadt@CVS.OPENBSD.ORG)
Tue, 21 Oct 1997 19:58:42 -0600

> A vulnerability in the tgetent(3) library routine can result in a
> buffer overflow in the telnet daemon on some BSD derived systems.

This same problem appears to be exploitable as a localhost attack
against the program xterm. This is setuid root on a lot of systems,
and if tgetent(3) has the overflow problems, the same problem can be
exploited there.

On BSD systems, it is likely this could also have been exploited in
systat(8) to gain gid kmem permissions.

I've not confirmed these problems... I don't write shell code, I just
fix the bugs ;-)