Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [linux-security] Minicom 1.75 Vulnerability
From: miquels () CISTRON NL (Miquel van Smoorenburg)
Date: Mon, 10 Feb 1997 19:27:50 +0100

According to John Henders:
On Feb 10, jason () redline ru (Dmitry E. Kim) wrote:

  well, here is another standard buffer overrun vulnerability, which may
sometimes lead to root compromise (not always. not in new distributions,
fortunately). Current Slackware and current RedHat don't install minicom
suid root, only sgid/uucp, which is not *that* dangerous. But when you
build minicom from source, it asks you to do "chmod +s" on it.

    Vulnerability in minicom allows (certain) local users to obtain group
  "uucp" privileges and, in certain cases, root privileges.

Unless it's changed recently, minicom also requires you to be in a
minicom.users file to use it at all, which alleviates the risk somewhat.
The idea of allowing public users of a system unrestricted access to a
dialout port is pretty scarey on it's own, so I would hope anyone using
minicom would be pretty careful about who was in that file.

Yes, but you can overrun some buffers using command line options that get
processed before the minicom.users file. Auch! Furthermore the minicom.users
file isn't checked if minicom is installed setgid instead of setuid.

I know this would happen sometime.. minicom is, like sendmail, too big
to be secure. And it has been written over the years, much of the code
disgusts me know even though I wrote it myself.

I'm working on a fix where minicom will not be setuid at all anymore but
where it will call a helper program to lock the device and chown() it
to the user (if (s)he is in the access file ofcourse).

Note that the minicom from Debian distribution is NOT vulnerable because
it's not setuid or setgid at all. It just requires the user to be in
the "dialout" group, which is the best silution IMO since it also works
for all other communication programs and has no security risks at all.

I'm not designing any program bigger then one or twohundred lines to
run setuid ever again. Little setuid helper programs are much better.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]