More telnet Daemon Fun


X-RDate: Wed, 09 Jan 1980 11:41:45 +0500 (SSK)
Date: Mon, 1 Dec 1997 22:29:21 -0400
From: Aaron Campbell <aaron@ug.cs.dal.ca>
To: BUGTRAQ@NETSPACE.ORG
Subject: More telnet Daemon Fun

Regarding user-supplied terminfo files...

|autopsy!user52810@AZRAEL.DWEEBS.NET| suggested this feature, as found
in the terminfo man page, might be maliciously used in a custom
terminfo file:

          -np          Number of pages of memory            c100-4p

Possible to crash a machine using this? Anyone?

Thanks to Jason Parsons <root@saffroncs.com> for pointing this one out:

[fx@somehost fx]$ export DISPLAY=""
[fx@somehost fx]$ telnet .
Trying 0.0.0.0...
Connected to ..
Escape character is '^]'.

Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.30 on an i586
login:
telnet> send esc

telnet> quit
Connection closed.
[fx@somehost fx]$ export DISPLAY="1234567890123456789012345678901234567890123
45678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345645678901234
56789012345678901234567890123456789012345678901234567890123456"
[fx@somehost fx]$ telnet .
Trying 0.0.0.0...
Connected to ..
Escape character is '^]'.
Segmentation fault (core dumped)
[fx@somehost fx]$ ls -l core
-rw-------   1 fx       nnh        315392 Dec  1 21:51 core
[fx@somehost fx]$

That's 256 characters up there, BTW. Also, note we're setting the DISPLAY
variable this time, not TERM.

Lastly, while doing some testing, I discovered that setting my TERM
variable to a 256-character string under Solaris 2.5.1 caused my bash
shell session to crash, dump core and log me out. This may or may not have
been mentioned on Bugtraq before, and may or may not be due to missing
patches.

Pardon my vagueness, but I've been swamped lately and really don't have
much time to explore these problems in more detail.

  .  _  _  _ _ . .   _ _ .  . _  _  _ . .
 :  |-||-||<|_||\|  |_|-||\/||-'|->|_-|_|_  Dalhousie University, Halifax, NS
  `--------------------------------------------- [fx!aaron@ug.cs.dal.ca] ----
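
An added example, not part of the original post and not taken from any telnet or shell source: a bounded copy of an environment value into a fixed buffer that rejects the 256-character case shown in the transcript. It assumes the crashes come from an unchecked copy into a fixed-size buffer, which the post does not confirm; ENV_BUF, copy_bounded and env_copy are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size; the post only says a 256-character value crashed. */
#define ENV_BUF 256

/* Copy val into dst (capacity cap bytes, including the terminating NUL).
 * Returns 0 on success, -1 if val is NULL (variable unset),
 * -2 if the value does not fit. On failure dst is left as "". */
int copy_bounded(const char *val, char *dst, size_t cap)
{
    size_t len;

    if (dst == NULL || cap == 0)
        return -2;
    dst[0] = '\0';
    if (val == NULL)
        return -1;
    len = strlen(val);
    if (len >= cap)            /* 256 characters need 257 bytes with the NUL */
        return -2;
    memcpy(dst, val, len + 1); /* length already checked, copy includes NUL */
    return 0;
}

/* Read an environment variable through the bounded copy. */
int env_copy(const char *name, char *dst, size_t cap)
{
    return copy_bounded(getenv(name), dst, cap);
}

int main(void)
{
    char display[ENV_BUF];
    char big[257];

    memset(big, '1', 256);     /* constructed 256-character value */
    big[256] = '\0';

    if (copy_bounded(big, display, sizeof display) == -2)
        fprintf(stderr, "value too long for %d-byte buffer, ignored\n", ENV_BUF);
    if (copy_bounded(":0", display, sizeof display) == 0)
        printf("DISPLAY=%s\n", display);
    if (env_copy("TERM", display, sizeof display) == 0)
        printf("TERM=%s\n", display);
    return 0;
}
```

The same check applies to any variable a program copies from its environment, TERM included.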
