Re: Exploit for Linux wu.ftpd hole

daemon@ATHENA.MIT.EDU (Mike Edulla)
Sat Jul 8 19:29:15 1995

Date:         Sat, 8 Jul 1995 14:19:31 -0400
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Mike Edulla <medulla@infosoc.com>
X-To:         Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  <199507060222.UAA07273@crimelab.com>

On Wed, 5 Jul 1995, Larry Kruper wrote:

> Date: Wed, 5 Jul 1995 19:40:51 -0700
> From: Larry Kruper <lak@home.crimelab.com>
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
> Subject: Re: Exploit for Linux wu.ftpd hole
>
> > On Wed, 5 Jul 1995, Henri Karrenbeld wrote:
> >
> > > Date: Wed, 5 Jul 1995 18:44:17 +0100
> > > From: Henri Karrenbeld <H.Karrenbeld@ct.utwente.nl>
> > > To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
> > > Subject: Exploit for Linux wu.ftpd hole
> > >
> > minicom has a known, but not very well-known hole in it that is nearly
> > identical to the wu-ftp hole. If you are a legitimate user of a pre-1.71
> > version of minicom, you can get root, it's the same sort of thing,
> > seteuid(0), and then make a suid root shell somewhere - you do it by
> > changing the name of 'runscript' to your shell...
> >
> > It wouldn't really be much of a problem, except that Linux to this day (I
> > believe) continues to have the users gonzo, satan, and snake in
> > minicom.users (or the Slackware release does, at the very least).
> > ---
>
> So, how is this bug exploited if gonzo, satan or snake are not in /etc/passwd?
> With the minicom F - username (i.e. satan) I do not get an error for not
> being in the minicom.users file, but J does not jump to a shell. How is this
> done?
>
> I am doing this on my own system, not someone else's.
>

Indeed, this offers some protection - it's nonetheless a serious bug.
Anyone who has, or can get access to minicom via minicom.users can get root.

Also, under the default config on 1.70, {metakey}J doesn't jump to a
shell, it suspends the program.

That's why the intruder must edit the path to runscript instead (runscript
is the script interpreter, and its path can be edited in the
configuration area).
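An added defensive check, not part of the original thread or of minicom itself: a POSIX shell audit that lists the accounts named in minicom.users which have no entry in the password file (the gonzo/satan/snake situation discussed above) and tests whether a given binary is setuid root. File paths, the minicom.users line format ("username [port ...]", '#' comments, the keyword ALL) and the sample data are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: audit minicom.users against the password file and
# check the setuid bit on a binary. Not code from the original thread.

# Print every username listed in minicom.users that has no passwd entry.
# Assumed format: "username [port ...]", '#' starts a comment, "ALL"
# grants access to every account (reported separately).
minicom_stale_users() {
    users_file=$1
    passwd_file=$2
    sed -e 's/#.*//' "$users_file" | awk 'NF { print $1 }' | sort -u |
    while read -r user; do
        if [ "$user" = "ALL" ]; then
            echo "ALL (every account may run minicom)"
            continue
        fi
        # Exact-match the login name in field 1 of passwd.
        if ! cut -d: -f1 "$passwd_file" | grep -qx -- "$user"; then
            echo "$user"
        fi
    done
}

# Succeed (exit 0) only if the file is setuid and owned by uid 0.
is_setuid_root() {
    [ -u "$1" ] && [ "$(ls -ldn "$1" | awk '{ print $3 }')" = "0" ]
}

# Stand-alone demo on constructed data (no real system files touched).
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0::/root:/bin/sh\nlak:x:1000:100::/home/lak:/bin/sh\n' \
        > "$tmp/passwd"
    printf '# constructed minicom.users\nlak ttyS1\ngonzo\nsatan\nsnake\n' \
        > "$tmp/minicom.users"
    echo "Entries in minicom.users with no passwd account:"
    minicom_stale_users "$tmp/minicom.users" "$tmp/passwd"
    if is_setuid_root "$tmp/passwd"; then
        echo "unexpected: sample file is setuid root"
    fi
    rm -rf "$tmp"
}
```

Run `demo` to see the three stale entries; on a live system, point `minicom_stale_users` at the real minicom.users and /etc/passwd and `is_setuid_root` at the minicom binary.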