Overflows in Minicom
Description: The terminal emulation modem program minicom has a number of blatant overflows.
Author: Tiago F P Rodrigues <11108496@LIS.ULUSIADA.PT>
Compromise: group uucp on some Linux distros (such as RedHat), but if installed from source with default makefile then it allows root access (local)
Vulnerable Systems: Most Linux boxes ship with minicom. Version 1.81 and presumably earlier are vulnerable.
Date: 9 May 1998
Date: Sat, 9 May 1998 21:48:55 +0200
From: Tiago F P Rodrigues <11108496@LIS.ULUSIADA.PT>
To: BUGTRAQ@NETSPACE.ORG
Subject: Overflows in minicom
I apologise if this is old, though I haven't found any message on this
issue on bugtraq in the last few months.
It seems minicom (distributed with slak3.4) has some overflow
vulnerabilities, namely in the '-p' switch and when you pick a config
file on the arguments. (a strcpy and a sprintf)
you may test it with:
$ minicom -p/dev/ttyp`perl -e 'print "A" x 2500'`
(Some garbage)
Segmentation fault
An examination under gdb shows saved EIP=0x414141
If this is new, I may post an exploit if prompted to.
-----------------------------------------------------------------------------
"There are awful penalties for crimes against the gods"
- Iris Murdoch
Tiago F. P. Rodrigues (BlindPoet)
Universidade Lusiada ´98 - PORTUGAL
-----------------------------------------------------------------------------
Date: Mon, 11 May 1998 00:40:15 +0100
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Overflows in minicom
> It seems minicom(distributed with slak3.4) have some overflow
> vulnerabilities, namely in the '-p' switch and when you pick a config
> file on the arguments. (a strcpy and a sprintf)
>
> you may test it with:
> $ minicom -p/dev/ttyp`perl -e 'print "A" x 2500'`
> (Some garbage)
> Segmentation fault
That appears to be an understatement at least with minicom 1.81. I've just
been through doing the usual snprintfing etc. It has stuff like
strcpy(buffer, getenv("TERM"))
in it.
It's also got a few I18N buffer overruns. This is something that seems to be
creeping into code as people update it. When you go from
char buf[31];
sprintf(buf, "Hello %.30s", x);
to
char buf[31];
sprintf(buf, _("Hello %.10s"), x);
you blow your protection since a user can set the NLSPATH and catalogs and
translate catalogs so that "Hello %.10s" becomes "%s" opening up an
attack point.
Alan
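The two defects Alan describes, an unbounded strcpy() of an environment variable and a sprintf() whose only size limit is a precision inside a translatable format string, are both fixed the same way: the bound has to come from the destination buffer, not from the data. The following C program is an added illustration written for this page, not code from the thread or from minicom. BUF_SIZE, sample_long_name(), lookup_catalog() (a stand-in for _()/catgets() that returns a constructed "translation" with the precision stripped) and the other function names are hypothetical. It measures how many bytes each format would have produced, then shows snprintf() holding the size regardless of which catalog is in use and reporting truncation instead of hiding it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical destination size; Alan's example used char buf[31]. */
#define BUF_SIZE 40

/* Constructed stand-in for the 2500-byte argument in the original report. */
const char *sample_long_name(void)
{
    static char name[2501];
    if (name[0] == '\0') {
        memset(name, 'A', 2500);
        name[2500] = '\0';
    }
    return name;
}

/* Simulates _() / catgets(): in a real program the translation comes from a
 * catalog file, which NLSPATH lets the user choose.  A hostile catalog can
 * hand back a format without the precision the code counted on. */
const char *lookup_catalog(const char *msgid, int untrusted_catalog)
{
    if (untrusted_catalog && strcmp(msgid, "Hello %.30s") == 0)
        return "Hello %s";   /* constructed translation: precision removed */
    return msgid;
}

/* Bytes (excluding NUL) that formatting would produce, computed without
 * writing anywhere (C99 snprintf with a zero-length destination).  A value
 * of BUF_SIZE or more means plain sprintf() into buf would overrun it. */
int required_length(const char *fmt, const char *arg)
{
    return snprintf(NULL, 0, fmt, arg);
}

/* Hardened replacement for sprintf(buf, _("Hello %.30s"), x): the bound is
 * sizeof buf, enforced by snprintf regardless of what the catalog returns.
 * Returns 1 if the whole message fit, 0 if snprintf had to truncate. */
int format_bounded(char *dst, size_t dstsize, const char *fmt, const char *arg)
{
    int n = snprintf(dst, dstsize, fmt, arg);
    return n >= 0 && (size_t)n < dstsize;
}

/* Hardened replacement for strcpy(buffer, getenv("TERM")): handles an unset
 * variable, never writes past dstsize, always NUL-terminates, and reports
 * truncation so the caller can reject the value instead of using a cut one. */
int copy_env_bounded(char *dst, size_t dstsize, const char *value)
{
    if (value == NULL) {
        dst[0] = '\0';
        return 0;
    }
    return format_bounded(dst, dstsize, "%s", value);
}

static char scratch[BUF_SIZE];

/* Runs the greeting through the trusted (0) or hostile (1) catalog into a
 * BUF_SIZE buffer; returns whether it fit. */
int greet_through_catalog(int untrusted_catalog)
{
    const char *fmt = lookup_catalog("Hello %.30s", untrusted_catalog);
    return format_bounded(scratch, sizeof scratch, fmt, sample_long_name());
}

int main(void)
{
    const char *name = sample_long_name();
    printf("buffer holds %d bytes; trusted format needs %d, hostile needs %d\n",
           BUF_SIZE,
           required_length(lookup_catalog("Hello %.30s", 0), name),
           required_length(lookup_catalog("Hello %.30s", 1), name));
    printf("hostile catalog fit: %d (stored %zu chars)\n",
           greet_through_catalog(1), strlen(scratch));
    printf("TERM=vt100 fit: %d\n",
           copy_env_bounded(scratch, sizeof scratch, "vt100"));
    return 0;
}
```

The return value of format_bounded() is the part worth copying: code that silently truncates a hostile value is safe from the overrun but may still behave oddly, so a caller that needs the full string should treat 0 as an error and refuse the input.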
Date: Mon, 11 May 1998 12:32:02 +0200
From: Tiago F P Rodrigues <11108496@LIS.ULUSIADA.PT>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Overflows in minicom
On Sun, 10 May 1998, William Burrow wrote:
> On Sat, May 09, 1998 at 09:48:55PM +0200, Tiago F P Rodrigues wrote:
> > It seems minicom(distributed with slak3.4) have some overflow
> > vulnerabilities, namely in the '-p' switch and when you pick a config
> > file on the arguments. (a strcpy and a sprintf)
> ...
> > If this is new, I may post an exploit if prompted to.
>
> What kind of exploit will you be able to get? Minicom is setgid uucp on
> my system, the worst you can do is upset UUCP operations, which don't happen
> here anyway, or possibly change the permissions on the dev file. System
> is Slack 3.2.
>
True enough, minicom is only sgid uucp in latest RedHat & Slackware
releases, though keep in mind if you rebuild minicom from source it will
install it setuid root by default.
This page is part of Fyodor's exploit world.