Vulnerability Development: analysis of mingetty error (version 0.9.4)

From: Jose Nazario <jose_at_biocserver.BIOC.cwru.edu>
Date: Mon, 3 Dec 2001 15:25:10 -0500 (EST)

I obtained the mingetty source, version 0.9.4, from the Debian site:

        http://packages.debian.org/stable/admin/mingetty.html

I did not apply any patches. I had a quick look at the code, gdb output
and strace output. I think I have isolated the problem, using a static
analysis tool I am developing, coupled to common sense and various
applications of vi. <smirk> Note that both RATS and Flawfinder go wild on
this code. Pretty impressive it's gone 5 years since an even modest audit
by some ... looks like Debian did something with the patch they have right
there ...

Anyhow, here's the deal with the code:

main() reads the argument, typically a device name:

     65 /* on which tty line are we sitting? (e.g. tty1) */
     66 static char *tty;
                [ snip ]
    419 tty = argv[optind];
    420 if (! tty)
    421 usage ();

It then calls open_tty():

    168 /* open_tty - set up tty as standard { input, output, error } */
    169 static void open_tty (void)
    170 {
    171 struct sigaction sa;
    172 char buf[20];
    173 int fd;
    174
    175 /* Set up new standard input. */
    176 strcpy (buf, "/dev/");
    177 strcat (buf, tty);
    178 if (chown (buf, 0, 0) || chmod (buf, 0600))
    179 error ("%s: %s", buf, sys_errlist[errno]);

Right there is the problem, in line 177. strcat .. good old strcat(). How
I love thee. You overflow buf (only 20 is allocated in line 172). You die
in sys_errlist:

#0 0x4005e537 in _sys_errlist ()
#1 0xbffffb24 in _sys_errlist ()
#2 0x6f4d6e75 in _sys_errlist ()

However, while this is a quality control issue, is this really a security
issue? Is mingetty ever suid anything? I only see it non-suid on the
systems I have checked, and the makefile included in the dist doesn't
install it suid ... it's installed in inittab tied to specific terminals,
as best I can tell ...

So .. is this really an issue? Patch it and move on ... and while you're at
it audit some damn code!

____________________________
jose nazario jose_at_cwru.edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
Received on Dec 03 2001
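The post's point is that open_tty() copies the argv-supplied tty name into a fixed char buf[20] with strcpy()/strcat() and no length check. The following is an added example, not mingetty's code or a Debian patch: a hypothetical bounded replacement, build_tty_path(), that keeps the same 20-byte budget but refuses any name that would not fit, so "/dev/<tty>" is built with snprintf() instead of an unchecked strcat(). Rejecting a path separator in the name is an extra hardening assumption, since the argument is meant to be a bare device name such as tty1.

```c
#include <stdio.h>
#include <string.h>

/* Same size as buf[20] in mingetty 0.9.4's open_tty(): "/dev/" (5 bytes)
 * plus the name plus the NUL must fit, so a name may be at most 14 bytes.
 * The original strcpy()/strcat() pair never checks this. */
#define TTY_PATH_LEN 20

/* Hypothetical hardened helper (not mingetty's own code).
 * Builds "/dev/<tty>" into out, which holds outlen bytes.
 * Returns 0 on success, -1 if the name is malformed or would overflow. */
int build_tty_path(const char *tty, char *out, size_t outlen)
{
    /* Assumption: the argument is a bare device name like "tty1",
     * so an empty name or one containing '/' is never legitimate. */
    if (tty == NULL || *tty == '\0' || strchr(tty, '/') != NULL)
        return -1;

    /* snprintf() writes at most outlen bytes (NUL included) and returns
     * the length the full string would need, which exposes truncation. */
    int n = snprintf(out, outlen, "/dev/%s", tty);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';   /* would not fit: refuse rather than act on a bogus path */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names: two valid, one too long, one with a separator. */
    const char *inputs[] = { "tty1", "ttyS0",
                             "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "tty/1" };
    char buf[TTY_PATH_LEN];

    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        if (build_tty_path(inputs[i], buf, sizeof buf) == 0)
            printf("ok       %s\n", buf);
        else
            printf("rejected %s\n", inputs[i]);
    }
    return 0;
}
```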
