Overflows in Minicom

Summary
Description:The terminal emulation modem program minicom has a number of blatant overflows.
Author:Tiago F P Rodrigues <11108496@LIS.ULUSIADA.PT>
Compromise:group uucp on some Linux distros (such as RedHat), but if installed from source with default makefile then it allows root access (local)
Vulnerable Systems:Most Linux boxes ship with minicom. Version 1.81 and presumably earlier are vulnerable.
Date:9 May 1998
Details


Date: Sat, 9 May 1998 21:48:55 +0200
From: Tiago F P Rodrigues <11108496@LIS.ULUSIADA.PT>
To: BUGTRAQ@NETSPACE.ORG
Subject: Overflows in minicom

 I apologise if this is old, though i haven´t found any message on this
issue on bugtraq in the last few months.

 It seems minicom(distributed with slak3.4) have some overflow
vulnerabilities, namely in the '-p' switch and when you pick a config
file on the arguments. (a strcpy and a sprintf)

 you may test it with:
  $ minicom -p/dev/ttyp`perl -e ´print "A" x 2500´`
    (Some garbage)
    Segmentation fault

 An examination under gdb shows saved EIP=0x414141
 If this is new, I may post an exploit if prompted to.

-----------------------------------------------------------------------------
"There are awfull penalties for crimes against the gods"
                                        - Irish Murdoch
Tiago F. P. Rodrigues   (BlindPoet)
Universidade Lusiada ´98 - PORTUGAL
-----------------------------------------------------------------------------
Date: Mon, 11 May 1998 00:40:15 +0100
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Overflows in minicom

>  It seems minicom(distributed with slak3.4) have some overflow
> vulnerabilities, namely in the '-p' switch and when you pick a config
> file on the arguments. (a strcpy and a sprintf)
>
>  you may test it with:
>   $ minicom -p/dev/ttyp`perl -e =B4print "A" x 2500=B4`
>     (Some garbage)
>     Segmentation fault

That appears to be an understatment at least with minicom 1.81. I've just
been through doing the usual snprintfing etc. It has stuff like

        strcpy(buffer, getenv("TERM"))

in it.

Its also got a few I8N buffer overruns. This is something that seems to be
creeping into code as people update it. When you go from

        char buf[31];
        sprintf(buf,"Hello %.30s",x)

to

        char buf[31];
        sprintf(buf, _("Hello %.10s"), x)

you blow your protection since a user can set the NLSPATH and catalogs and
translate catalogs so that "Hello %.10s" becomes "%s"  opening up an
attack point.

Alan
Date: Mon, 11 May 1998 12:32:02 +0200
From: Tiago F P Rodrigues <11108496@LIS.ULUSIADA.PT>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Overflows in minicom

On Sun, 10 May 1998, William Burrow wrote:

> On Sat, May 09, 1998 at 09:48:55PM +0200, Tiago F P Rodrigues wrote:
> >  It seems minicom(distributed with slak3.4) have some overflow
> > vulnerabilities, namely in the '-p' switch and when you pick a config
> > file on the arguments. (a strcpy and a sprintf)
> ...
> >  If this is new, I may post an exploit if prompted to.
>
> What kind of exploit will you be able to get?  Minicom is setgid uucp on
> my system, the worst you can do is upset UUCP operations, which don't happen
> here anyway, or possibly change the permissions on the dev file.  System
> is Slack 3.2.
>

 True enough, minicom is only sgid uucp in latest RedHat & Slakware
releases, though keep in mind if you rebuild minicom from source it will
install it setuid root by default.

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault