-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
ESB-97.131 -- SNI Security Advisory
in.telnetd tgetent buffer overflow
23 October 1997
Secure Networks Inc. has released the following advisory concerning a
vulnerability in the tgetent(3) library routine, which can result in a
buffer overflow in the telnet daemon on some BSD derived systems. This
vulnerability may allow local and remote users to obtain root access.
The following security bulletin is provided as a service to AUSCERT's
members. As AUSCERT did not write this document, AUSCERT has had no
control over its content. As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.
Contact information for SNI is included in the Security Bulletin below.
If you have any questions or need further information, please contact them.
Previous advisories and external security bulletins can be retrieved from:
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours,
which are GMT+10:00 (AEST).
On call after hours for emergencies.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Secure Networks Inc.
October 21, 1997
in.telnetd tgetent buffer overflow
This advisory addresses a vulnerability in the tgetent(3) library
routine which allows an attacker to obtain root privileges by connecting
to a vulnerable system's telnet daemon.
A vulnerability in the tgetent(3) library routine can result in a
buffer overflow in the telnet daemon on some BSD derived systems. By
uploading an alternate terminal capability database, an attacker
can exploit this vulnerability to gain unauthorized super-user access
to a vulnerable system, or to gain super-user access on a system
to which they already have access.
This problem can be exploited by mailing a file into the system, or
uploading a file via FTP. Once this file has been transferred to the
remote system, the attacker need only be able to connect to the telnet
daemon to obtain super-user access.
The tgetent(3) library call requires the caller to pass in a buffer in
which the terminal entry is stored. The routine is declared as follows:

    /*
     * Get an entry for terminal name in buffer bp from the termcap file.
     */
    int
    tgetent(bp, name)
            char *bp, *name;     /* bp: caller's buffer, no size is passed */
The tgetent(3) library call does no checking on the size of data which
is placed into the *bp buffer. Many programs pass in a buffer of size
1024 bytes. By creating a termcap terminal specification larger than
1024 bytes, we can overflow a buffer in the calling function. If this
buffer is stored on the stack in the calling function, we can cause
arbitrary machine code to be executed.
The BSD telnet daemon calls the tgetent(3) function as follows:

    if (terminaltype == NULL)
    if (tgetent(buf, s) == 0)       /* buf is a fixed 1024-byte stack buffer */
By specifying a terminal capability entry which is larger than 1024
bytes, an overflow occurs in the telnet daemon, allowing arbitrary
machine instructions to be executed.
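The following is an added example, not code from the advisory or from BSD: it assembles termcap entries the way a termcap reader does (joining backslash-newline continuation lines, skipping '#' comment lines) so an administrator can measure the longest entry in a database and compare it against the 1024-byte buffers that callers such as telnetd hand to tgetent(3), and it shows a bounded copy that refuses an oversized entry instead of overflowing. The function names, the 64-character continuation split and the sample database are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
#define TC_BUFSZ 1024   /* the buffer size most tgetent(3) callers pass in */

/* Length of the longest entry in termcap text `db`, joined the way a termcap
 * reader joins it: backslash-newline continuations are merged (backslash and
 * newline dropped), '#' comment lines skipped.  An unchecked tgetent(3) copies
 * this many bytes plus a NUL into bp, so a value >= TC_BUFSZ overflows bp. */
size_t longest_termcap_entry(const char *db)
{
    size_t longest = 0, cur = 0;
    int continuing = 0;                      /* previous line ended in '\' */
    while (*db) {
        const char *nl = strchr(db, '\n');
        size_t len = nl ? (size_t)(nl - db) : strlen(db);
        if (continuing || db[0] != '#') {    /* '#' is a comment only between entries */
            int cont = len > 0 && db[len - 1] == '\\';
            cur += cont ? len - 1 : len;
            continuing = cont;
            if (!cont) { if (cur > longest) longest = cur; cur = 0; }
        }
        if (!nl) break;
        db = nl + 1;
    }
    return longest;
}
/* Bounded stand-in for the unchecked copy: refuse (return -1) rather than
 * overflow or silently truncate an entry that does not fit in bp. */
int tgetent_bounded(char *bp, size_t bufsz, const char *entry)
{
    size_t n = strlen(entry);
    if (n + 1 > bufsz) return -1;
    memcpy(bp, entry, n + 1);
    return 1;
}

/* Constructed sample (not a real termcap file): one sane entry, then one whose
 * joined length is exactly `longlen` bytes, split over continuation lines. */
char *build_sample_db(size_t longlen)
{
    const char *sane = "# constructed sample database\nxt|xterm:co#80:li#24:\\\n\t:am:bs:\n";
    char *db = malloc(strlen(sane) + 2 * longlen + 16), *p;
    if (!db) return NULL;
    strcpy(db, sane); p = db + strlen(sane);
    memcpy(p, "ev|long:", 8); p += 8;
    for (size_t i = 8; i < longlen; i++) {
        *p++ = 'x';
        if (i % 64 == 63 && i + 1 < longlen) { *p++ = '\\'; *p++ = '\n'; }
    }
    *p++ = '\n'; *p = '\0';
    return db;
}
```

Run longest_termcap_entry() over the contents of /etc/termcap and any user-supplied TERMCAP file; any result of 1024 or more is an entry that an unchecked tgetent(3) would write past a 1024-byte buffer.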
Remote individuals can obtain super-user access to any vulnerable system.
This vulnerability can allow remote users to obtain super-user access on
vulnerable systems, and can allow local users to obtain super-user access.
Version 2.1 of BSD/OS is vulnerable
Version 3.0 of BSD/OS is NOT vulnerable
BSDI has issued a security fix which is currently in the testing
phases and will be available at the following location:
Solaris 2.x is NOT vulnerable to this problem
AIX is NOT vulnerable to this problem
HP-UX is NOT vulnerable to this problem
The current versions of Linux which were tested include Slackware
and Redhat, which appear to be NOT vulnerable.
IRIX appears to be NOT vulnerable.
Current versions of NetBSD are not vulnerable.
Versions of FreeBSD newer than 2.1.5 are NOT vulnerable to this
problem. FreeBSD-current, FreeBSD 2.1.7 and FreeBSD 2.2.2 are NOT
Versions of OpenBSD newer than 2.0 are NOT vulnerable to this problem.
This problem was discovered by Theo de Raadt <email@example.com>.
You can contact Secure Networks Inc. at <firstname.lastname@example.org> using
the following PGP key:
Type Bits/KeyID     Date       User ID
pub  1024/9E55000D  1997/01/13 Secure Networks Inc. <email@example.com>
                               Secure Networks <firstname.lastname@example.org>
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.
You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories
You can browse our web site at http://www.secnet.com
You can subscribe to our security advisory mailing list by sending mail to
email@example.com with the line "subscribe sni-advisories"
- --------------------------END INCLUDED TEXT--------------------