Re: Exploit for Linux wu.ftpd hole

[medulla () infosoc com (Mike Edulla)]

On Wed, 5 Jul 1995, Larry Kruper wrote:

> Date: Wed, 5 Jul 1995 19:40:51 -0700
> From: Larry Kruper <lak () home crimelab com>
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ () CRIMELAB COM>
> Subject: Re: Exploit for Linux wu.ftpd hole
>
> > On Wed, 5 Jul 1995, Henri Karrenbeld wrote:
> >
> > > Date: Wed, 5 Jul 1995 18:44:17 +0100
> > > From: Henri Karrenbeld <H.Karrenbeld () ct utwente nl>
> > > To: Multiple recipients of list BUGTRAQ <BUGTRAQ () CRIMELAB COM>
> > > Subject: Exploit for Linux wu.ftpd hole
> > minicom has a known, but not very well-known hole in it that is nearly
> > identical to the wu-ftp hole. If you are a legitimate user of a pre 1.71
> > version of minicom, you can get root, its the same sort of thing,
> > seteuid(0), and then make a suid root shell somewhere - you do it by
> > changing the name of 'runscript' to your shell...
> >
> > It wouldnt really be much of a problem, except that linux to this day (i
> > believe) continues to have the users gonzo, satan, and snake in
> > minicom.users (or the slackware release does, at the very least).
> > ---
>
> So, how is this bug exploited if gonzo, satan or snake are not in /etc/passwd ?
> With the minicom F - username (i.e. satan) I do not get an error for not
> being in the minicom.users file, but J does not jump to a shell. How is this
> done ?
>
> I am doing this on my own system, not someone elses.

Indeed, this offers some protection - it's nonetheless a serious bug.
Anyone who has, or can get access to minicom via minicom.users can get root.

Also, under the default config on 1.70, {metakey}J doesnt jump to a
shell, it suspends the program.

Thats why the intruder must edit the apth to runscript instead (runscript
is the script interpreter, and its path can be edited in the
configuration area).