5574530 2000-10-10 18:17 /60 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13191>
Comment on text 5570341 by Brevbäraren (som är implementerad i) Python
Subject: Re: ncurses buffer overflows
------------------------------------------------------------
From: "Harrington, Perry" <pedward@WEBCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200010100022.RAA16024@eris>

This brings up an interesting piece of history.  When the whole LD_PRELOAD
haX0ring came about, people jumped on the wagon and fixed the ld library.
However, this same trick can be used by a SA to plug potential security holes:

library: ncurses_fix.c

tparm(....)
{
        char *buffer;

        buffer = __tparm(....);

        if (strlen(buffer) > OPT_SIZE) {
                ack choke, exit proggie and log to syslog, email SA
        }
        return buffer;
}

This is just a generic piece of code, but it can apply to any unchecked
parameter problem.  I would consider using this method on proprietary OSes
that don't respond quickly to potential threats.

So anyhow, compile into an SO (gcc -shared) and edit your preload file in /etc.

--Perry

> static inline int
> onscreen_mvcur(int yold,int xold,int ynew,int xnew, bool ovw)
> /* onscreen move from (yold, xold) to (ynew, xnew) */
> {
>     char        use[OPT_SIZE], *sp;
>
>
> ... a few lines later:
>
>     sp = tparm(SP->_address_cursor, ynew, xnew);
>     if (sp)
>     {
>         tactic = 0;
>         (void) strcpy(use, sp);
>
>
> OPT_SIZE seems to be defined as 512. tparm() can be made return a

--
Perry Harrington       Director of           zelur xuniL  ()
perry@webcom.com       System Architecture   Think Blue.  /\
(5574530) ------------------------------------------(Reflowed)
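
A compilable form of the preload check sketched in the message above, as an added example that is not part of the original post or of ncurses. Assumptions: an ELF system with glibc's dlsym(RTLD_NEXT, ...), an x86-64 style calling convention for forwarding the nine parameters, and the hypothetical names result_fits and BUILD_SHIM; it logs to syslog and aborts, and leaves out the e-mail step.

```c
/* ncurses_fix.c: added example, not code from the original post.
 * Build the preload library (ELF/glibc assumed):
 *   gcc -shared -fPIC -DBUILD_SHIM -o ncurses_fix.so ncurses_fix.c -ldl */
#define _GNU_SOURCE            /* for RTLD_NEXT */
#include <dlfcn.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

#define OPT_SIZE 512           /* destination buffer size quoted in the post */

/* Returns 1 when s and its terminating NUL fit in a buffer of cap bytes.
 * memchr() looks at no more than cap bytes, however long s really is. */
int result_fits(const char *s, size_t cap)
{
    return s == NULL || memchr(s, '\0', cap) != NULL;
}

#ifdef BUILD_SHIM              /* set only when building the .so (hypothetical name) */
typedef char *(*tparm_fn)(const char *, ...);

/* Interposed tparm(), declared with the historical fixed prototype
 * (format plus nine longs). Forwarding all nine assumes an ABI where
 * unused trailing arguments are harmless, e.g. x86-64 System V. */
char *tparm(const char *fmt, long p1, long p2, long p3, long p4, long p5,
            long p6, long p7, long p8, long p9)
{
    static tparm_fn real;
    char *out;

    if (real == NULL)          /* next definition of tparm in load order */
        real = (tparm_fn)dlsym(RTLD_NEXT, "tparm");
    if (real == NULL)
        return NULL;           /* no curses library in this process */

    out = real(fmt, p1, p2, p3, p4, p5, p6, p7, p8, p9);
    if (!result_fits(out, OPT_SIZE)) {
        openlog("ncurses_fix", LOG_PID, LOG_AUTH);
        syslog(LOG_ALERT, "tparm() result needs more than %d bytes", OPT_SIZE);
        abort();               /* stop before the caller's strcpy() runs */
    }
    return out;
}
#endif
```

Load it for a single program with LD_PRELOAD=./ncurses_fix.so and confirm normal terminal handling still works before listing it in the system-wide preload file.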