I have found some buffer overflows in Minicom 1.80.1, which comes setuid root with Slackware 3.5. I know that some overflows in other versions of minicom (not setuid root) were discussed, but I think this one is "new" and more dangerous. At least, you can overflow the stack using $HOME and $TERM, and using large strings with one of the following flags: -o, -m, -l, -z and -t, because there are many strcpy and sprintf calls:

    ~/minicom/minicom-1.80/src$ grep strcpy * | wc -l
    67
    ~/minicom/minicom-1.80/src$ grep sprintf * | wc -l
    40

If you look at the sources, you can see:

    strcpy(termtype, getenv("TERM") ? getenv("TERM") : "dumb");

or

    case 't':   /* Terminal type */
        strcpy(termtype, optarg);

or

    sprintf(pseudo, "/dev/%s", optarg);

or

    sprintf(parfile, "%s/minirc.%s", LIBDIR, use_port);

or

    /* Remember home directory and username. */
    if ((s = getenv("HOME")) == CNULL)
        strcpy(homedir, pwd->pw_dir);
    else
        strcpy(homedir, s);
    strcpy(username, pwd->pw_name);

    /* Get personal parameter file */
    sprintf(pparfile, "%s/.minirc.%s", homedir, use_port);

    ............................

and many more.
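The two patterns quoted above (an unbounded strcpy from $TERM and an sprintf building a path from $HOME and the port name) are the ones a fix needs to address. The following is an added example, not minicom's own code or part of the original post: it shows a bounded replacement for each pattern that rejects input the destination cannot hold, which is what a setuid program should do with environment and argv values it does not control. Buffer sizes (TERMTYPE_LEN, PATH_LEN) and the helper names are assumptions for the demonstration; the real minicom array sizes are not given in the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer sizes for the demonstration (not minicom's real sizes). */
#define TERMTYPE_LEN 64
#define PATH_LEN     128

/* The pattern quoted from minicom, kept as a comment only: an unbounded
 * copy of caller-controlled input into a fixed-size stack buffer.
 *
 *   char termtype[TERMTYPE_LEN];
 *   strcpy(termtype, getenv("TERM") ? getenv("TERM") : "dumb");
 *
 * Hardened replacement: the copy is bounded by the destination size and an
 * oversized value is rejected outright rather than silently truncated.
 * Returns 1 when the value was copied, 0 when it was rejected. */
int safe_copy_env(char *dst, size_t dstlen, const char *value, const char *fallback)
{
    const char *src = (value != NULL && *value != '\0') ? value : fallback;
    size_t n = strlen(src);

    if (dstlen == 0 || n >= dstlen)   /* no room for the string plus NUL */
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* Replacement for sprintf(pparfile, "%s/.minirc.%s", homedir, use_port):
 * snprintf() bounds the write, and its return value is checked so that a
 * path that would have been truncated is treated as an error, not used. */
int build_parfile(char *dst, size_t dstlen, const char *homedir, const char *port)
{
    int n = snprintf(dst, dstlen, "%s/.minirc.%s", homedir, port);
    return n >= 0 && (size_t)n < dstlen;
}

/* Hooks with constructed inputs: each returns whether the input would
 * have been accepted into the fixed-size buffer. */
int term_accepted(const char *term)
{
    char termtype[TERMTYPE_LEN];
    return safe_copy_env(termtype, sizeof termtype, term, "dumb");
}

int parfile_accepted(const char *homedir, const char *port)
{
    char pparfile[PATH_LEN];
    return build_parfile(pparfile, sizeof pparfile, homedir, port);
}

/* Build a constructed run of 'A' bytes of the given length (caller frees). */
static char *make_run(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int long_term_accepted(size_t len)
{
    char *term = make_run(len);
    int ok = (term != NULL) ? term_accepted(term) : 0;
    free(term);
    return ok;
}

int long_home_accepted(size_t len)
{
    char *home = make_run(len);
    int ok = (home != NULL) ? parfile_accepted(home, "ttyS1") : 0;
    free(home);
    return ok;
}

int main(void)
{
    printf("TERM=vt100            -> %d\n", term_accepted("vt100"));
    printf("TERM unset (fallback) -> %d\n", term_accepted(NULL));
    printf("TERM of 500 bytes     -> %d\n", long_term_accepted(500));
    printf("HOME=/home/edu ttyS1  -> %d\n", parfile_accepted("/home/edu", "ttyS1"));
    printf("HOME of 500 bytes     -> %d\n", long_home_accepted(500));
    return 0;
}
```

Rejecting rather than truncating matters for the path case in particular: a silently truncated "%s/.minirc.%s" would still name some file, and the program would then open it with root privileges.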
EXPLOIT: Sorry, but I can't waste time writing the exploit because I have to study for my exams at university :((((((

IMPACT: root (local)

PATCH: Update to version 1.81.1 or 1.82.beta*

Greetings from Spain

Edunavarroat_private

Type Bits/KeyID    Date       User ID
pub  2048/F17C419D 1998/08/28 edunavarroat_private

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzXm1P4AAAEIAL3Dsr90YStDc+N/meNC3HDnBRVgikDeuogb8Jb/SwYngMPU
nRdj7jLP80vwYyMPnUo326XLyh+UFxskGevUfnncOCSTtE48UxeyI/aeefhAEN9D
Qgiv9DYCU4EDTR8SrqpAO0tNBr/C9i9jCPtKhHs55dt+lsd23G5MZJrWf/yi2edl
HZnQ+LVE/rGO87O0LscqrAyRBYX/cf8P/n5hiINIX6jHSbpAfvlyu2P/viX/cTGk
yuizaLHhNMYHzBphMgKuHY+1pCUuUfzOEDCItkhNySflwvjSA3bgJkjIKba54gOP
Hlb//XhyfGLEN3l6DAWN6Fu1yAW5fSE3CfF8QZ0ABRG0EmVkdW5hdmFycm9AdXNh
Lm5ldIkBFQMFEDXm1P59ITcJ8XxBnQEBcmcIAI+gp/OjJ42lEyz+VAyWuaOXHneJ
kqH11zGwNdHxOWXJtu8bpIzbh6+M6i0aXZVFWOOdPQydNAYQ1OiMy8vbPSguw7F7
g7HRML3CkHsMInvVJcjsviA33YbGY3tIsRW+cwK0ME35xJC/jI1gfpj4r6Um6isO
4iOCTKme+/Jrjeb7TY0DbmwvPjRHdTTKe6RUupMayaR9qPjU9/sE4emyO9GNoYW9
0dZureHzwxxmyZKA8dWlKBTBqHU60STFjrAKEfwW3A/Y0uU9zAUFWHiJanMEKz+J
8o+VmqpPk9jU2RAdLHP5FesVQ3z/CnlrCBl8Xx02AfuFqVxAmoNvQfG+dRU=
=uA/A
-----END PGP PUBLIC KEY BLOCK-----
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:03 PDT