Date: Sat, 29 Aug 1998 15:45:08 +0200
From: Eduardo Navarro <[email protected]>
To: [email protected]
Subject: Buffer overflows in Minicom 1.80.1
I have found some buffer overflows in Minicom 1.80.1, which comes setuid
root with Slackware 3.5. I know that some overflows were discussed in
other versions of minicom (not setuid root), but I think this is "new" and
more dangerous.
At least, you can overflow the stack using $HOME and $TERM, and using
large strings with one of the following flags: -o, -m, -l, -z and -t,
because there are many strcpy and sprintf calls:
~/minicom/minicom-1.80/src$ grep strcpy * | wc -l
67
~/minicom/minicom-1.80/src$ grep sprintf * | wc -l
40
If you look at the sources, you can see:
    strcpy(termtype, getenv("TERM") ? getenv("TERM") : "dumb");
or
    case 't': /* Terminal type */
        strcpy(termtype, optarg);
or
    sprintf(pseudo, "/dev/%s", optarg);
or
    sprintf(parfile, "%s/minirc.%s", LIBDIR, use_port);
or
    /* Remember home directory and username. */
    if ((s = getenv("HOME")) == CNULL)
        strcpy(homedir, pwd->pw_dir);
    else
        strcpy(homedir, s);
    strcpy(username, pwd->pw_name);
    /* Get personal parameter file */
    sprintf(pparfile, "%s/.minirc.%s", homedir, use_port);
... and many more.
EXPLOIT: Sorry, but I can't waste time writing the exploit because I
have to study for my exams at university :((((((
IMPACT: root (local)
PATCH: Update to version 1.81.1 or 1.82.beta*
Greetings from Spain
[email protected]
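As an added example (not from the post above and not minicom's own code), here is how the quoted strcpy/sprintf fragments could be bounded so that an oversized $TERM, $HOME or option argument is rejected instead of being written past the end of a fixed buffer; the function names and buffer sizes are assumptions for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded replacement for strcpy(dst, src): copies at most dstsize-1 bytes,
 * always NUL-terminates, and returns -1 instead of overflowing when src
 * does not fit. */
int safe_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {          /* would need n+1 bytes: reject, leave "" */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded replacement for sprintf(pparfile, "%s/.minirc.%s", homedir, use_port).
 * snprintf never writes past dstsize; its return value is the length the
 * full string would have had, so anything >= dstsize means truncation. */
int build_parfile(char *dst, size_t dstsize, const char *homedir, const char *use_port)
{
    int n = snprintf(dst, dstsize, "%s/.minirc.%s", homedir, use_port);
    if (n < 0 || (size_t)n >= dstsize) {
        if (dstsize)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Read environment variable `name` into a fixed buffer, mirroring the quoted
 * TERM/HOME handling but without the unchecked strcpy. Returns 0 if the
 * variable was used, 1 if it was unset or too long and `def` was used instead,
 * and -1 if even `def` does not fit. */
int env_to_buf(char *dst, size_t dstsize, const char *name, const char *def)
{
    const char *s = getenv(name);
    if (s != NULL && safe_copy(dst, dstsize, s) == 0)
        return 0;
    return safe_copy(dst, dstsize, def) == 0 ? 1 : -1;
}
```

The same pattern (explicit destination size plus a truncation check) applies to the -o, -m, -l, -z and -t option handling, where optarg is attacker-controlled in a setuid program.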