
ncurses-overflow.txt

Posted Oct 11, 2000
Authored by Jouko Pynnonen | Site klikki.fi

The ncurses library v4.2 and 5.0 contains exploitable buffer overflows which can be used to gain additional privilege if there are SUID programs which use ncurses and the library implementation supports ~/.terminfo. Vulnerable programs found so far include Red Hat and SuSE cda, FreeBSD /usr/bin/systat, and OpenBSD /usr/bin/systat.

tags | exploit, overflow
systems | linux, redhat, freebsd, suse, openbsd
SHA-256 | cd14250aa0648fdf5f3d589e34c08c13e7c735b8731d2b965eb799837ca4e257

OVERVIEW

The CRT screen handling library ncurses contains buffer overflows,
making programs using it vulnerable. If the programs are setuid or
setgid, a local user may elevate their privilege. The problem exists in
ncurses versions 4.2 and 5.0, probably earlier, and libocurses. The
overflows can be exploited if the library implementation supports
loading of user defined terminfo files from ~/.terminfo.

The problem has been tested and found on

* SuSE Linux 6.4, Red Hat Linux 6.1. A setuid program using ncurses
("cda" in the xmcd package) was successfully exploited to spawn a
root shell.

* FreeBSD, the program /usr/bin/systat is setgid and uses libncurses.
An exploit was made which gives a shell with egid=kmem. The kmem
group has read access to /dev/kmem and memory of all processes via
/proc/<pid>/mem, and could be used to read e.g. crypted or
cleartext passwords, authorization keys, or any other info that
might be in programs' memory space.

* OpenBSD, having /usr/bin/systat setgid kmem too. No test exploit
was made, but the program segfaults when given an "evil" terminfo
file. Making a similar exploit is probably possible. This applies to
other BSD systems as well, but this hasn't been tested or confirmed.

Not all programs using ncurses are necessarily vulnerable, e.g. "screen"
is setuid root on some systems and uses ncurses, but it doesn't seem to
use the vulnerable functions, at least not directly (investigated on Red Hat
Linux, other systems may vary).

When using telnet to connect to a remote system, telnetd on some
platforms doesn't ignore the TERMINFO_DIRS or TERMCAP environment variables
(e.g. OpenBSD). This means the problem could be remotely exploitable
under some conditions on some platforms. This hasn't been confirmed with
an exploit; however, by setting TERMCAP the OpenBSD telnetd can be made
to read any file as root. If the file is something like /dev/zero, the
telnetd process reads it indefinitely until the system runs out of memory.



BUG DETAILS

The file ncurses/tty/lib_mvcur.c contains functions for moving around
the cursor. Some of the functions contain calls to strcpy() without
bound checking. The target of the strcpy's is a local fixed size buffer
in onscreen_mvcur():

static inline int
onscreen_mvcur(int yold,int xold,int ynew,int xnew, bool ovw)
/* onscreen move from (yold, xold) to (ynew, xnew) */
{
    char use[OPT_SIZE], *sp;


... a few lines later:

    sp = tparm(SP->_address_cursor, ynew, xnew);
    if (sp)
    {
        tactic = 0;
        (void) strcpy(use, sp);


The function tparm() returns a control string for screen manipulation,
originating from the terminfo file read according to the environment
variables TERM and TERMINFO_DIRS. Even though ncurses implementations
on some platforms reportedly ignore TERMINFO_DIRS while running
setuid/setgid, they check ~/.terminfo/ for the capability files in any
case.

OPT_SIZE seems to be defined as 512. tparm() can be made to return a
string of arbitrary length containing arbitrary data, so exploitation is
usually quite trivial. There are a few similar strcpy() calls in
other functions in the file. Many other ncurses functions may also call
the cursor moving functions (e.g. endwin()), so in order to be
vulnerable, a program needn't call mvcur() itself.
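As an added illustration (not code from the advisory or from ncurses), the following C places the unbounded copy pattern the advisory describes beside a bounded replacement that refuses any control string which does not fit, NUL included, in the OPT_SIZE buffer. The function names, the MV_OK/MV_ERR codes and the sample capability strings are assumptions constructed for this example; the 512-byte OPT_SIZE is the value the advisory reports.

```c
#include <stdio.h>
#include <string.h>

/* Same buffer size the advisory reports for onscreen_mvcur() in lib_mvcur.c. */
#define OPT_SIZE 512

/* Return codes in the style of curses' OK/ERR (names assumed for this example). */
#define MV_OK   0
#define MV_ERR (-1)

/*
 * Shape of the bug described in the advisory: the control string produced
 * by tparm() (here just `sp`) is copied into a fixed-size stack buffer with
 * strcpy(), so a terminfo capability longer than OPT_SIZE-1 bytes runs off
 * the end of `use`. Kept only to show the pattern; never call it with data
 * that was not already length-checked.
 */
void unbounded_copy(char use[OPT_SIZE], const char *sp)
{
    (void) strcpy(use, sp);      /* no bound on sp: the vulnerable pattern */
}

/*
 * Hardened replacement: reject any control string that does not fit,
 * including its terminating NUL, and copy with an explicit bound.
 * Returns MV_OK when the string was copied and MV_ERR when it was refused.
 */
int bounded_copy(char *use, size_t use_size, const char *sp)
{
    size_t len;

    if (sp == NULL || use_size == 0)
        return MV_ERR;
    len = strlen(sp);
    if (len >= use_size)         /* need room for the NUL terminator */
        return MV_ERR;
    memcpy(use, sp, len + 1);
    return MV_OK;
}

/*
 * Stand-in for what onscreen_mvcur() does with the tparm() result, using
 * the bounded copy into a local OPT_SIZE buffer. Returns MV_OK if the
 * capability was accepted, MV_ERR if it was refused.
 */
int try_cursor_move(const char *sp)
{
    char use[OPT_SIZE];

    if (bounded_copy(use, sizeof use, sp) != MV_OK)
        return MV_ERR;
    /* the real function would write `use` to the terminal here */
    return MV_OK;
}

/*
 * Constructed test input: a capability string of `len` bytes of 'A',
 * standing in for whatever a user-supplied ~/.terminfo entry would make
 * tparm() return. Returns the result of feeding it to try_cursor_move().
 */
int demo_capability_of_length(size_t len)
{
    char cap[2048];              /* constructed buffer, larger than OPT_SIZE */

    if (len >= sizeof cap)
        return MV_ERR;
    memset(cap, 'A', len);
    cap[len] = '\0';
    return try_cursor_move(cap);
}

int main(void)
{
    /* A normal cursor-address result such as ESC [ 5 ; 10 H (constructed). */
    printf("7-byte capability:   %s\n",
           try_cursor_move("\033[5;10H") == MV_OK ? "accepted" : "refused");
    printf("511-byte capability: %s\n",
           demo_capability_of_length(511) == MV_OK ? "accepted" : "refused");
    printf("512-byte capability: %s\n",
           demo_capability_of_length(512) == MV_OK ? "accepted" : "refused");
    printf("600-byte capability: %s\n",
           demo_capability_of_length(600) == MV_OK ? "accepted" : "refused");
    return 0;
}
```

The boundary matters: a 511-byte string plus its NUL exactly fills the 512-byte buffer and is accepted, while 512 bytes is the first length the check refuses, which is precisely where strcpy() would have written one byte past the end.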



SOLUTION

The authors of ncurses and OS vendors were informed over a week ago
and have released, or will shortly release, fix packages.



TEMPORARY WORKAROUND

A temporary solution is to remove the setuid/setgid bits of programs
using ncurses. To check if a program uses ncurses, type (on most
systems):

ldd /path/to/program

If libncurses or libocurses is mentioned in the library listing and the
program is setuid/setgid, then there's a possibility for it to be
exploited. If 'ldd' doesn't exist on the system (or the program is
statically linked), you can try something like

grep -li TERMINFO /path/to/program

If it outputs the file path, the program probably uses ncurses or a
derivative.

To remove the setuid/setgid bits, issue the command:

chmod ug-s /path/to/file



CREDITS AND ACKNOWLEDGEMENTS

Vulnerability discovered by: Jouko Pynnönen <jouko@solutions.fi>

Thanks and greets to: Emil Valsson (for providing a FreeBSD test box),
Esa Etelävuori, ncurses people, cc-opers@IRCNet



--
Jouko Pynnönen Online Solutions Ltd Secure your Linux -
jouko@solutions.fi http://www.secmod.com
