Re: in.telnetd bug (linux)

aaronug.cs.dal.ca

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: John Brahy: "Re: in.telnetd bug (linux)"
• Previous message: Ian R. Justman: "Re: in.telnetd bug (linux)"
• In reply to: kgb: "in.telnetd bug (linux)"
• Next in thread: Szekely-Benczedi Endre: "Re: in.telnetd bug (linux)"

This post made me a little curious so I did some investigating.

I tried setting my TERM variable: export TERM="../../../home/fx/mytermfile"

(I needed to move three parent directories backward to the root directory
since on my Slackware box the database is located in /usr/lib/terminfo.)

[16:24:42] aaronug:~$ export TERM="../../../home/fx/mytermfile"
[16:24:53] aaronug:~$ telnet XXX.XXX.XXX.XXX
Trying XXX.XXX.XXX.XXX...
Connected to somehost.com.
Escape character is '^]'.
Connection closed by foreign host.
[16:25:21] aaronug:~$

Examination of the /core file dumped by in.telnetd (strings core) revealed
this line:

/usr/lib/terminfo/./../../../home/

It was cut off. Notice there is apparantly enough room for ../../../tmp/x
though.

cp /usr/lib/terminfo/v/vt100 /tmp/x

Set our TERM variable again: export TERM="../../../tmp/x"

Trying XXX.XXX.XXX.XXX...
Connected to somehost.com.
Escape character is '^]'.

Linux 2.0.32.

login:

It worked. This also works:

cp /usr/lib/terminfo/v/vt100 /home/fx/vt100
ln -s /home/fx/vt100 /tmp/x

...and using the same TERM variable, in.telnetd will acknowledge the
copied /home/fx/vt100 terminfo file.

So the question is, how dangerous could a user-supplied terminfo file be?

  .  _  _  _ _ . .   _ _ .  . _  _  _ . .
 :  |-||-||<|_||\|  |_|-||\/||-'|->|_-|_|_  Dalhousie University, Halifax, NS
  `----------------------------------------------[fx!aaronug.cs.dal.ca]-----

• Next message: John Brahy: "Re: in.telnetd bug (linux)"
• Previous message: Ian R. Justman: "Re: in.telnetd bug (linux)"
• In reply to: kgb: "in.telnetd bug (linux)"
• Next in thread: Szekely-Benczedi Endre: "Re: in.telnetd bug (linux)"