COMMAND

    in.telnetd

SYSTEMS AFFECTED

    Slackware prior to 3.3 (others?)

PROBLEM

    MultiSynk found the following.  This looks harmless, however it does
    not look like it should be 'acceptable'.  Here's the info on the bug.
    If you set your 'TERM' variable to anything that the telnet server you
    are telnetting to does _not_ have in its terminfo database, in.telnetd
    coredumps (leaving a core in /).  This core file is dropped with  safe
    permissions so only root could read it, and there is nothing  visibly
    'dangerous' left in it for anyone to read.

    The BSD/OS exploit offered in the BSD section (look for in.telnet)
    looks like a buffer overrun in tgetent (unrelated to the
    missing/unknown-terminal-type bug that causes the core dumps).  It
    shouldn't affect any version of telnetd that is linked against
    libcurses or libncurses.  Any telnetd linked against libtermcap
    is still vulnerable.

    Aaron Campbell added the following.  He tried setting his TERM
    variable:

        export TERM="../../../home/fx/mytermfile"

    (needed  to  move  three  parent  directories backward to the root
    directory since on this Slackware  box the database is located  in
    /usr/lib/terminfo.)

        [16:24:42] aaron@ug:~$ export TERM="../../../home/fx/mytermfile"
        [16:24:53] aaron@ug:~$ telnet XXX.XXX.XXX.XXX
        Trying XXX.XXX.XXX.XXX...
        Connected to somehost.com.
        Escape character is '^]'.
        Connection closed by foreign host.
        [16:25:21] aaron@ug:~$

    Examination of the /core file dumped by in.telnetd (strings  core)
    revealed this line:

        /usr/lib/terminfo/./../../../home/

    It was cut off.  Notice there is apparently enough room for
    ../../../tmp/x though.

        cp /usr/lib/terminfo/v/vt100 /tmp/x

    Set our TERM variable again: export TERM="../../../tmp/x"

        Trying XXX.XXX.XXX.XXX...
        Connected to somehost.com.
        Escape character is '^]'.

        Linux 2.0.32.

        login:

    It worked. This also works:

        cp /usr/lib/terminfo/v/vt100 /home/fx/vt100
        ln -s /home/fx/vt100 /tmp/x

    ...and using the same  TERM variable, in.telnetd will  acknowledge
    the copied /home/fx/vt100 terminfo file.  So the question is,  how
    dangerous could a user-supplied terminfo file be?
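    As an added defensive example (not code from the advisory, netkit or
    ncurses), a check a telnetd could apply to a client-supplied TERM value
    before handing it to the terminfo loader, using the
    /usr/lib/terminfo/<first char>/<name> layout the core dump above
    reveals; the 32-character cap and the helper names are assumptions:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TERMINFO_DIR "/usr/lib/terminfo"  /* database root on the Slackware box */
#define TERM_NAME_MAX 32                  /* assumed cap; real names are short */

/* Return 1 if a client-supplied TERM is a plain terminal name: non-empty,
 * bounded, only [A-Za-z0-9+-._] and not starting with '.', which rejects
 * the advisory's "../../../tmp/x" and "../../../home/fx/mytermfile". */
int term_name_is_safe(const char *name)
{
    size_t len, i;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > TERM_NAME_MAX || name[0] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-' && c != '+' && c != '.' && c != '_')
            return 0;               /* '/' is rejected here */
    }
    return 1;
}

/* Build the path the loader opens, DIR/<first char>/<name> (the layout the
 * core dump shows as "/usr/lib/terminfo/./../../../home/").  Returns 0 on
 * success, -1 for an unsafe name or a path that would not fit the buffer. */
int terminfo_path(const char *name, char *out, size_t outlen)
{
    int n;
    if (!term_name_is_safe(name))
        return -1;
    n = snprintf(out, outlen, "%s/%c/%s", TERMINFO_DIR, name[0], name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    const char *samples[] = { "vt100", "../../../tmp/x", "xterm" };
    char path[128];
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if (terminfo_path(samples[i], path, sizeof path) == 0)
            printf("accept %s -> %s\n", samples[i], path);
        else
            printf("reject %s\n", samples[i]);
    return 0;
}
```

    The length check also covers the truncated path seen in the core file:
    a name that would not fit is refused instead of being written past the
    end of a fixed buffer.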

SOLUTION

    This does not appear to affect in.telnetd from some distributions
    (Slackware 3.3, 3.4, RedHat 4.2).  Installing the terminfo.tgz
    package fixes the bug.  NetKit's documentation clearly indicates
    this problem in the netkit-telnet-0.10/BUGS file: "crashes in
    ncurses if the terminal type is undefined, with some versions of
    ncurses."