I tried setting my TERM variable: export TERM="../../../home/fx/mytermfile"
(I needed to move three parent directories backward to the root directory
since on my Slackware box the database is located in /usr/lib/terminfo.)
[16:24:42] aaron@ug:~$ export TERM="../../../home/fx/mytermfile"
[16:24:53] aaron@ug:~$ telnet XXX.XXX.XXX.XXX
Trying XXX.XXX.XXX.XXX...
Connected to somehost.com.
Escape character is '^]'.
Connection closed by foreign host.
[16:25:21] aaron@ug:~$
Examination of the /core file dumped by in.telnetd (strings core) revealed
this line:
/usr/lib/terminfo/./../../../home/
It was cut off. Notice there is apparently enough room for ../../../tmp/x
though.
cp /usr/lib/terminfo/v/vt100 /tmp/x
Set our TERM variable again: export TERM="../../../tmp/x"
Trying XXX.XXX.XXX.XXX...
Connected to somehost.com.
Escape character is '^]'.
Linux 2.0.32.
login:
It worked. This also works:
cp /usr/lib/terminfo/v/vt100 /home/fx/vt100
ln -s /home/fx/vt100 /tmp/x
...and using the same TERM variable, in.telnetd will acknowledge the
copied /home/fx/vt100 terminfo file.
So the question is, how dangerous could a user-supplied terminfo file be?
. _ _ _ _ . . _ _ . . _ _ _ . .
: |-||-||<|_||\| |_|-||\/||-'|->|_-|_|_ Dalhousie University, Halifax, NS
`----------------------------------------------[fx!aaron@ug.cs.dal.ca]-----
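
Added example, not part of the original post and not code from in.telnetd or any terminfo library: a check a daemon could apply to a client-supplied TERM before building the "<dir>/<first char>/<name>" lookup path that appears in the core file above. The helper names, the 32-character limit and the allowed character set are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TERMINFO_DIR  "/usr/lib/terminfo" /* database location named in the post */
#define MAX_TERM_NAME 32                  /* assumed limit, chosen for this example */

/* Hypothetical helper: 1 if name is a plain terminfo entry name, 0 otherwise. */
int term_name_ok(const char *name)
{
    size_t i, len;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_TERM_NAME)
        return 0;
    if (!isalnum((unsigned char)name[0]))   /* rejects a leading '.' or '/' */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* '/' is never allowed, so the name cannot leave the database */
        if (!isalnum(c) && c != '-' && c != '_' && c != '+' && c != '.')
            return 0;
    }
    return 1;
}

/* Hypothetical helper: write "<dir>/<first char>/<name>" to out.
 * Returns 0 on success, -1 if the name is rejected or would be truncated. */
int terminfo_path(const char *name, char *out, size_t outlen)
{
    int n;
    if (!term_name_ok(name))
        return -1;
    n = snprintf(out, outlen, "%s/%c/%s", TERMINFO_DIR, name[0], name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: a normal name and the TERM value from the post. */
    const char *samples[] = { "vt100", "../../../tmp/x" };
    char path[128];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               terminfo_path(samples[i], path, sizeof path) == 0 ? path : "rejected");
    return 0;
}
```

Without the check, the same format string turns ../../../tmp/x into /usr/lib/terminfo/./../../../tmp/x, which resolves to /tmp/x. Treating truncation as an error rather than opening whatever prefix fits also avoids the cut-off path seen in the core file.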