Buffer overflows in Minicom 1.80.1

From: Eduardo Navarro (edunavarroat_private)
Date: Sat Aug 29 1998 - 06:45:08 PDT


    I have found some buffer overflows in Minicom 1.80.1, which comes setuid
    root with Slackware 3.5.  I know that some overflows in other versions of
    minicom (not setuid root) have been discussed, but I think this one is
    "new" and more dangerous.
    
    At least, you can overflow the stack using $HOME and $TERM, and by using
    large strings with one of the following flags: -o, -m, -l, -z and -t,
    because there are many strcpy and sprintf calls:
    
    ~/minicom/minicom-1.80/src$ grep strcpy * | wc -l
    67
    ~/minicom/minicom-1.80/src$ grep sprintf * | wc -l
    40
    
    If you look at sources, you can see:
    
      strcpy(termtype, getenv("TERM") ? getenv("TERM") : "dumb");
    
    or
      case 't': /* Terminal type */
              strcpy(termtype, optarg);
    
    or
    
      sprintf(pseudo, "/dev/%s", optarg);
    
    or
    
      sprintf(parfile, "%s/minirc.%s", LIBDIR, use_port);
    
    or
    
      /* Remember home directory and username. */
      if ((s = getenv("HOME")) == CNULL)
            strcpy(homedir, pwd->pw_dir);
      else
            strcpy(homedir, s);
      strcpy(username, pwd->pw_name);
    
      /* Get personal parameter file */
      sprintf(pparfile, "%s/.minirc.%s", homedir, use_port);
    
     ... and many more.
    
    
    EXPLOIT: Sorry, but I can't waste time writing the exploit because I
    have to study for my exams at university :((((((
    
    IMPACT: root (local)
    
    PATCH: Update to version 1.81.1 or 1.82.beta*
    
    
    Greetings from Spain
    Edunavarroat_private
    
    
    



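Bounded replacements for the strcpy/sprintf patterns quoted in the post, as an added C example that is not minicom's own code: the buffer sizes (TERMLEN, PATHLEN) and the function names are assumed, and the $HOME handling also ignores the caller's environment when the program runs with elevated privileges.

```c
/* Added example, not minicom's code: bounded replacements for the
 * strcpy/sprintf patterns quoted above. Buffer sizes below are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERMLEN 64   /* assumed size of termtype[] */
#define PATHLEN 256  /* assumed size of homedir[] and pparfile[] */

/* Copy src into dst[dstsz]. Refuse (return -1) rather than truncate, so an
 * over-long $TERM or -t argument can never run past the end of the buffer. */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* strcpy(termtype, getenv("TERM") ? getenv("TERM") : "dumb"), bounded. */
int set_termtype(char *termtype, size_t sz, const char *term_env)
{
    return copy_bounded(termtype, sz, term_env ? term_env : "dumb");
}

/* The $HOME branch: a setuid program should not trust the caller's $HOME at
 * all, so when real and effective uid differ, use the passwd entry instead. */
int choose_homedir(char *homedir, size_t sz, const char *home_env,
                   const char *pw_dir, int privileged)
{
    const char *src = (home_env && !privileged) ? home_env : pw_dir;
    return copy_bounded(homedir, sz, src);
}

/* sprintf(pparfile, "%s/.minirc.%s", homedir, use_port), bounded: snprintf
 * cannot overrun, but its return value must be checked or the path is
 * silently truncated to a different file name. */
int build_pparfile(char *out, size_t outsz, const char *homedir, const char *port)
{
    int n = snprintf(out, outsz, "%s/.minirc.%s", homedir, port);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}
```

Refusing over-long input outright is deliberate: silently truncating $HOME or a port name would still let the caller steer a setuid program toward an unexpected configuration file, which is why the snprintf return value is checked as well.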
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:03 PDT