ncurses TERMCAP Buffer Overflow Vulnerability
BID:1142
Info
ncurses TERMCAP Buffer Overflow Vulnerability
| Bugtraq ID: | 1142 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2000-0963 |
| Remote: | No |
| Local: | Yes |
| Published: | Apr 23 2000 12:00AM |
| Updated: | Jul 11 2009 01:56AM |
| Credit: | Posted to Bugtraq by Przemyslaw Frasunek <[email protected]> on April 23, 2000. |
| Vulnerable: |
Wirex Immunix OS 7.0 -Beta Wirex Immunix OS 6.2 Redhat ncurses-devel-5.0-11.i386.rpm Redhat ncurses-5.1-2.i386.rpm Redhat ncurses-5.0-11.i386.rpm Redhat Linux 7.0 Redhat Linux 6.2 sparc Redhat Linux 6.2 i386 Redhat Linux 6.2 alpha FreeBSD FreeBSD 4.1.1 -STABLE FreeBSD FreeBSD 4.1.1 FreeBSD FreeBSD 4.1 FreeBSD FreeBSD 4.0 FreeBSD FreeBSD 3.5.1 FreeBSD FreeBSD 3.4 |
| Not Vulnerable: |
NetBSD NetBSD 1.4.2 FreeBSD FreeBSD 5.0 |
Discussion
ncurses TERMCAP Buffer Overflow Vulnerability
The port of ncurses (a high-level terminal manipulation library) for FreeBSD (and quite likely other operating systems) included in earlier releases is vulnerable to a buffer overflow attack. If the TERMCAP environment variable contains more data than the maximum amount predefined in the library source, unchecked operations on it can result in the stack being overrun. The result is that any setuid programs linked to ncurses can be exploited via this vulnerability. Version 1.8.6 of ncurses (which shipped with FreeBSD 3.4-RELEASE is known to be vulnerable.
It has been confirmed that NetBSD is not vulnerable.
The port of ncurses (a high-level terminal manipulation library) for FreeBSD (and quite likely other operating systems) included in earlier releases is vulnerable to a buffer overflow attack. If the TERMCAP environment variable contains more data than the maximum amount predefined in the library source, unchecked operations on it can result in the stack being overrun. The result is that any setuid programs linked to ncurses can be exploited via this vulnerability. Version 1.8.6 of ncurses (which shipped with FreeBSD 3.4-RELEASE is known to be vulnerable.
It has been confirmed that NetBSD is not vulnerable.
Exploit / POC
ncurses TERMCAP Buffer Overflow Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
ncurses TERMCAP Buffer Overflow Vulnerability
Solution:
RedHat has released patches to fix this vulnerability.
FreeBSD has provided an ncurses upgrade but advises that users do the following to make sure they are vulnerable before upgrading:
1) Download the 'scan_ncurses.sh' and 'test_ncurses.sh' scripts from
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh
e.g. with the fetch(1) command:
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
Receiving scan_ncurses.sh (381 bytes): 100%
381 bytes transferred in 0.1 seconds (7.03 kBps)
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh
Receiving test_ncurses.sh (604 bytes): 100%
604 bytes transferred in 0.1 seconds (6.55 kBps)
2) Verify the md5 checksums and compare to the value below:
# md5 scan_ncurses.sh
MD5 (scan_ncurses.sh) = 597f63af701253f053581aa1821cbac1
# md5 test_ncurses.sh
MD5 (test_ncurses.sh) = 12491ceb15415df7682e3797de53223e
3) Run the scan_ncurses.sh script against your system:
# chmod a+x ./test_ncurses.sh
# sh scan_ncurses.sh ./test_ncurses.sh /
Caldera:
The proper solution is to upgrade to the fixed packages.
OpenLinux Desktop 2.3
Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
Redhat ncurses-5.0-11.i386.rpm
Redhat ncurses-devel-5.0-11.i386.rpm
Redhat ncurses-5.1-2.i386.rpm
FreeBSD FreeBSD 3.5.1
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1
Wirex Immunix OS 6.2
Redhat Linux 6.2 sparc
Redhat Linux 6.2 alpha
Redhat Linux 6.2 i386
Redhat Linux 7.0
Wirex Immunix OS 7.0 -Beta
Solution:
RedHat has released patches to fix this vulnerability.
FreeBSD has provided an ncurses upgrade but advises that users do the following to make sure they are vulnerable before upgrading:
1) Download the 'scan_ncurses.sh' and 'test_ncurses.sh' scripts from
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh
e.g. with the fetch(1) command:
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
Receiving scan_ncurses.sh (381 bytes): 100%
381 bytes transferred in 0.1 seconds (7.03 kBps)
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh
Receiving test_ncurses.sh (604 bytes): 100%
604 bytes transferred in 0.1 seconds (6.55 kBps)
2) Verify the md5 checksums and compare to the value below:
# md5 scan_ncurses.sh
MD5 (scan_ncurses.sh) = 597f63af701253f053581aa1821cbac1
# md5 test_ncurses.sh
MD5 (test_ncurses.sh) = 12491ceb15415df7682e3797de53223e
3) Run the scan_ncurses.sh script against your system:
# chmod a+x ./test_ncurses.sh
# sh scan_ncurses.sh ./test_ncurses.sh /
Caldera:
The proper solution is to upgrade to the fixed packages.
OpenLinux Desktop 2.3
Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
Redhat ncurses-5.0-11.i386.rpm
-
Red Hat Inc. 6.2 i386 ncurses-5.0-12.i386.rpm
ftp://updates.redhat.com/6.2/i386/ncurses-5.0-12.i386.rpm
Redhat ncurses-devel-5.0-11.i386.rpm
-
Red Hat Inc. 6.2 i386 ncurses-devel-5.0-12.i386.rpm
ftp://updates.redhat.com/6.2/i386/ncurses-devel-5.0-12.i386.rpm
Redhat ncurses-5.1-2.i386.rpm
-
Red Hat Inc. 7.0 i386 ncurses-5.2-2.i386.rpm
ftp://updates.redhat.com/7.0/i386/ncurses-5.2-2.i386.rpm
FreeBSD FreeBSD 3.5.1
-
FreeBSD ncurses.tar.gz
Execute the following commands:cd /usr/srctar xvfz /path/to/ncurses.tar.gzcd /usr/src/lib/libncursesmake allmake install
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz
FreeBSD FreeBSD 4.0
-
FreeBSD ncurses.tar.gz
Execute the following commands:cd /usr/srctar xvfz /path/to/ncurses.tar.gzcd /usr/src/lib/libncursesmake allmake install
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz
FreeBSD FreeBSD 4.1
-
FreeBSD ncurses.tar.gz
Execute the following commands:cd /usr/srctar xvfz /path/to/ncurses.tar.gzcd /usr/src/lib/libncursesmake allmake install
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz
FreeBSD FreeBSD 4.1.1 -STABLE
-
FreeBSD ncurses.tar.gz
Execute the following commands:cd /usr/srctar xvfz /path/to/ncurses.tar.gzcd /usr/src/lib/libncursesmake allmake install
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz
FreeBSD FreeBSD 4.1.1
-
FreeBSD ncurses.tar.gz
Execute the following commands:cd /usr/srctar xvfz /path/to/ncurses.tar.gzcd /usr/src/lib/libncursesmake allmake install
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz
Wirex Immunix OS 6.2
-
Wirex Immunix 6.2 ncurses-5.0-12
http://www.immunix.org/ImmunixOS/6.2/updates/RPMS/ncurses-5.0-12_Stack Guard.i386.rpm -
Wirex Immunix 6.2 ncurses-devel-5.0-12
http://www.immunix.org/ImmunixOS/6.2/updates/RPMS/ncurses-devel-5.0-12 _StackGuard.i386.rpm
Redhat Linux 6.2 sparc
-
Red Hat Inc. 6.2 sparc ncurses-5.0-12.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/ncurses-5.0-12.sparc.rpm -
Red Hat Inc. 6.2 sparc ncurses-devel-5.0-12.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/ncurses-devel-5.0-12.sparc.rpm
Redhat Linux 6.2 alpha
-
Red Hat Inc. 6.2 alpha ncurses-5.0-12.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/ncurses-5.0-12.alpha.rpm -
Red Hat Inc. 6.2 alpha ncurses-devel-5.0-12.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/ncurses-devel-5.0-12.alpha.rpm
Redhat Linux 6.2 i386
-
Red Hat Inc. 6.2 i386 ncurses-5.0-12.i386.rpm
ftp://updates.redhat.com/6.2/i386/ncurses-5.0-12.i386.rpm -
Red Hat Inc. 6.2 i386 ncurses-devel-5.0-12.i386.rpm
ftp://updates.redhat.com/6.2/i386/ncurses-devel-5.0-12.i386.rpm
Redhat Linux 7.0
-
Red Hat Inc. 7.0 alpha ncurses-5.2-2.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/ncurses-5.2-2.alpha.rpm -
Red Hat Inc. 7.0 alpha ncurses-devel-5.2-2.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/ncurses-devel-5.2-2.alpha.rpm -
Red Hat Inc. 7.0 i386 ncurses-5.2-2.i386.rpm
ftp://updates.redhat.com/7.0/i386/ncurses-5.2-2.i386.rpm -
Red Hat Inc. 7.0 i386 ncurses-devel-5.2-2.i386.rpm
ftp://updates.redhat.com/7.0/i386/ncurses-devel-5.2-2.i386.rpm
Wirex Immunix OS 7.0 -Beta
-
Wirex Immunix 7.0-Beta ncurses-5.2-2
http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/ncurses-5.2-2_S tackGuard.i386.rpm -
Wirex Immunix 7.0-Beta ncurses-devel-5.2-2
http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/ncurses-devel-5 .2-2_StackGuard.i386.rpm