Vulnerability Development mailing list archives

analysis of mingetty error (version 0.9.4)


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Mon, 3 Dec 2001 15:25:10 -0500 (EST)

i obtained the mingetty source for mingetty, version 0.9.4, from the
debian site:

        http://packages.debian.org/stable/admin/mingetty.html

i did not apply any patches. i had a quick look at the code, gdb output
and strace output. i think i have isolated the problem, using a static
analysis tool i am developing, coupled to common sense and various
applications of vi. <smirk> note that both rats and flawfinder go wild on
this code. pretty impressive it's gone 5 years since an even modest audit
by some ... looks like debian did something with the patch they have right
there ...

anyhow, here's the deal with the code:

main() reads the argument, typically a device name:

     65 /* on which tty line are we sitting? (e.g. tty1) */
     66 static char *tty;
                [ snip ]
    419         tty = argv[optind];
    420         if (! tty)
    421                 usage ();


it then calls open_tty():

    168 /* open_tty - set up tty as standard { input, output, error } */
    169 static void open_tty (void)
    170 {
    171         struct sigaction sa;
    172         char buf[20];
    173         int fd;
    174
    175         /* Set up new standard input. */
    176         strcpy (buf, "/dev/");
    177         strcat (buf, tty);
    178         if (chown (buf, 0, 0) || chmod (buf, 0600))
    179                 error ("%s: %s", buf, sys_errlist[errno]);


right there is the problem, in line 177. strcat .. good old strcat(). how
i love thee. you overflow buf (only 20 is allocated in line 172). you die
in sys_errlist:

#0  0x4005e537 in _sys_errlist ()
#1  0xbffffb24 in _sys_errlist ()
#2  0x6f4d6e75 in _sys_errlist ()

however, while this is a quality control issue, is this really a security
issue? is mingetty ever suid anything? i only see it non-suid on the
systems i have checked, and the makefile included in the dist doesn't
install it suid ... it's installed in inittab tied to specific terminals,
as best i can tell ...

so .. is this really an issue? patch it and move on ... and while you're at
it audit some damn code!

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
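
Added example, not part of the original post and not the mingetty or Debian fix: one way to build the "/dev/<tty>" path from lines 176-177 with a length check, so an oversized argument is rejected instead of overflowing the 20-byte buffer. The helper name build_tty_path and the sample arguments are assumptions made for illustration; with a 20-byte buffer and the 5-byte "/dev/" prefix, names of up to 14 characters fit.

```c
#include <stdio.h>
#include <string.h>

#define TTY_BUF_LEN 20  /* same size as buf[20] at line 172 of the post */

/*
 * build_tty_path (hypothetical helper, not mingetty code):
 * write "/dev/<tty>" into buf, refusing names that do not fit.
 * Returns 0 on success, -1 on a NULL/empty name or on truncation.
 */
static int build_tty_path(char *buf, size_t buflen, const char *tty)
{
    int n;

    if (buf == NULL || buflen == 0)
        return -1;
    buf[0] = '\0';
    if (tty == NULL || tty[0] == '\0')
        return -1;

    /* snprintf never writes more than buflen bytes, NUL included. */
    n = snprintf(buf, buflen, "/dev/%s", tty);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';          /* do not hand back a truncated path */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample arguments: two normal names, one oversized. */
    const char *samples[] = { "tty1", "ttyS0",
                              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    char buf[TTY_BUF_LEN];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_tty_path(buf, sizeof buf, samples[i]) == 0)
            printf("ok:       %s\n", buf);
        else
            printf("rejected: %.16s... (%lu bytes)\n", samples[i],
                   (unsigned long)strlen(samples[i]));
    }
    return 0;
}
```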

