Bugtraq mailing list archives
Buffer overflows in Minicom 1.80.1
From: edunavarro () USA NET (Eduardo Navarro)
Date: Sat, 29 Aug 1998 15:45:08 +0200
I have found some buffer overflows in Minicom 1.80.1, which comes setuid root with Slackware 3.5. I know that some overflows were discussed in other versions of minicom (not setuid root), but I think this is "new" and more dangerous. At least, you can overflow the stack using $HOME and $TERM, and using large strings with one of the following flags: -o, -m, -l, -z and -t, because there are many strcpy and sprintf:

    ~/minicom/minicom-1.80/src$ grep strcpy * | wc -l
    67
    ~/minicom/minicom-1.80/src$ grep sprintf * | wc -l
    40

If you look at the sources, you can see:

    strcpy(termtype, getenv("TERM") ? getenv("TERM") : "dumb");

or

    case 't': /* Terminal type */
        strcpy(termtype, optarg);

or

    sprintf(pseudo, "/dev/%s", optarg);

or

    sprintf(parfile, "%s/minirc.%s", LIBDIR, use_port);

or

    /* Remember home directory and username. */
    if ((s = getenv("HOME")) == CNULL)
        strcpy(homedir, pwd->pw_dir);
    else
        strcpy(homedir, s);
    strcpy(username, pwd->pw_name);

    /* Get personal parameter file */
    sprintf(pparfile, "%s/.minirc.%s", homedir, use_port);

    ............................

and many more.
EXPLOIT: Sorry, but I can't waste time writing the exploit because I have to study for my exams at university :((((((

IMPACT: root (local)

PATCH: Update to version 1.81.1 or 1.82.beta*

Greetings from Spain
Edunavarro () usa net

Type Bits/KeyID Date User ID
pub 2048/F17C419D 1998/08/28 edunavarro () usa net
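A bounds-checked replacement for two of the copy patterns quoted in the post (the $TERM strcpy and the LIBDIR sprintf), as an added example that is not from the post or from minicom itself; the buffer sizes and the LIBDIR value are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes are assumptions for this example; the post does not give
 * minicom's real sizes. LIBDIR is a placeholder, not minicom's value. */
#define TERMTYPE_LEN 32
#define PATH_LEN 128
#define LIBDIR "/usr/local/lib/minicom"

/* Hardened form of  strcpy(termtype, getenv("TERM") ? getenv("TERM") : "dumb");
 * Returns 0 and fills termtype on success, -1 if the value cannot fit.
 * An oversize value is rejected outright rather than silently truncated. */
int safe_termtype(char *termtype, size_t n, const char *term)
{
    if (term == NULL || *term == '\0')
        term = "dumb";
    size_t len = strlen(term);
    if (len >= n)
        return -1;                  /* would overflow: refuse */
    memcpy(termtype, term, len + 1);
    return 0;
}

/* Hardened form of  sprintf(parfile, "%s/minirc.%s", LIBDIR, use_port);
 * snprintf never writes beyond n bytes; its return value reveals truncation,
 * which is treated as an error instead of being used as a partial path. */
int safe_parfile(char *parfile, size_t n, const char *use_port)
{
    int written = snprintf(parfile, n, "%s/minirc.%s", LIBDIR, use_port);
    if (written < 0 || (size_t)written >= n)
        return -1;
    return 0;
}

int main(void)
{
    char termtype[TERMTYPE_LEN], parfile[PATH_LEN];
    char big[200];                  /* constructed oversize TERM value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("TERM=vt100 -> %d\n", safe_termtype(termtype, sizeof termtype, "vt100"));
    printf("TERM=199xA -> %d\n", safe_termtype(termtype, sizeof termtype, big));
    printf("port=ttyS1 -> %d %s\n",
           safe_parfile(parfile, sizeof parfile, "ttyS1"), parfile);
    return 0;
}
```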