[16387] in bugtraq
Re: RH 6.1 / 6.2 minicom vulnerability
daemon@ATHENA.MIT.EDU (Dpk)
Fri Aug 25 14:38:09 2000
Message-Id: <20000823182318.N2439@egr.msu.edu>
Date: Wed, 23 Aug 2000 18:23:18 -0400
Reply-To: Dpk <dpk@EGR.MSU.EDU>
From: Dpk <dpk@EGR.MSU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0008191142460.7020-100000@dione.ids.pl>

On Sat, Aug 19, 2000 at 11:43:59AM +0200, Michal Zalewski wrote:
> On RedHat 6.1 and RedHat 6.2 boxes (I haven't found other
> distributions vulnerable):
>
> @(#)Minicom V1.83.0 (compiled Mar 7 2000)(c) Miquel van Smoorenburg
>
> [lcamtuf@nimue lcamtuf]$ minicom -C foo
> minicom: there is no global configuration file /etc/minirc.dfl
> Ask your sysadm to create one (with minicom -s).
> [lcamtuf@nimue lcamtuf]$ ls -l foo
> -rw-rw-r-- 1 lcamtuf uucp 0 Aug 18 12:21 foo
>     ^^               ^^^^
>
> Any file can be created anywhere with uucp privileges - it will
> follow symlinks. Not nice on systems running uucp services.

[snip]

To round out the distribution status...
Debian/GNU Linux does not install minicom set[ug]id, and is not
vulnerable... verified on 2.1 (slink), 2.2 (potato), and "woody".
Dpk
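
The check described in the reply above (is minicom installed set[ug]id?) can be scripted as follows. This is an added example, not part of the original post; the function names sugid_status, audit_binary and is_exposed are hypothetical, and the default directory list is an assumption about where the binary may live.

```shell
#!/bin/sh
# Added example: audit whether a binary (default: minicom) is set[ug]id.

# sugid_status FILE -> prints: missing | none | setuid | setgid | setuid+setgid
sugid_status() {
    f=$1
    if [ ! -e "$f" ]; then echo missing; return 0; fi
    s=none
    if [ -u "$f" ]; then s=setuid; fi
    if [ -g "$f" ]; then
        if [ "$s" = setuid ]; then s=setuid+setgid; else s=setgid; fi
    fi
    echo "$s"
}

# audit_binary NAME [DIR...] -> one line per copy found:
#   "<status> <owner>:<group> <path>"
# The default directories are an assumption; pass your own to override.
audit_binary() {
    name=$1; shift
    if [ $# -eq 0 ]; then
        set -- /bin /usr/bin /usr/local/bin /sbin /usr/sbin
    fi
    for d in "$@"; do
        p=$d/$name
        if [ -f "$p" ]; then
            # Fields 3 and 4 of "ls -ld" are the owner and the group; a
            # setgid bit only matters together with the group it grants.
            og=$(ls -ld "$p" | awk '{print $3 ":" $4}')
            echo "$(sugid_status "$p") $og $p"
        fi
    done
}

# is_exposed NAME [DIR...] -> exit status 0 if any copy is setuid or setgid
is_exposed() {
    audit_binary "$@" | grep -qv '^none '
}

# Stand-alone run: list every minicom found and its status.
audit_binary minicom
```

A line beginning with "setgid" and showing group uucp matches the RedHat installation described in the quoted report; "none" matches what the reply reports for Debian.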