i obtained the mingetty source for mingetty, version 0.9.4, from the debian site:

    http://packages.debian.org/stable/admin/mingetty.html

i did not apply any patches. i had a quick look at the code, gdb output and strace output. i think i have isolated the problem, using a static analysis tool i am developing, coupled to common sense and various applications of vi. <smirk> note that both rats and flawfinder go wild on this code. pretty impressive it's gone 5 years since an even modest audit by some ... looks like debian did something with the patch they have right there ... anyhow, here's the deal with the code:

main() reads the argument, typically a device name:

     65 /* on which tty line are we sitting? (e.g. tty1) */
     66 static char *tty;

    [ snip ]

    419     tty = argv[optind];
    420     if (! tty)
    421         usage ();

it then calls open_tty():

    168 /* open_tty - set up tty as standard { input, output, error } */
    169 static void open_tty (void)
    170 {
    171     struct sigaction sa;
    172     char buf[20];
    173     int fd;
    174
    175     /* Set up new standard input. */
    176     strcpy (buf, "/dev/");
    177     strcat (buf, tty);
    178     if (chown (buf, 0, 0) || chmod (buf, 0600))
    179         error ("%s: %s", buf, sys_errlist[errno]);

right there is the problem, in line 177. strcat .. good old strcat(). how i love thee. you overflow buf (only 20 is allocated in line 172). you die in sys_errlist:

    #0 0x4005e537 in _sys_errlist ()
    #1 0xbffffb24 in _sys_errlist ()
    #2 0x6f4d6e75 in _sys_errlist ()

however, while this is a quality control issue, is this really a security issue? is mingetty ever suid anything? i only see it non-suid on the systems i have checked, and the makefile included in the dist doesn't install it suid ... it's installed in inittab tied to specific terminals, as best i can tell ... so .. is this really an issue? patch it and move on ... and while you're at it audit some damn code!

____________________________
jose nazario joseat_private
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
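A bounded replacement for the strcpy/strcat pair in open_tty(), added here as an example and not taken from mingetty or from the post above. The 20-byte buffer and the "/dev/" prefix come from the quoted source; the function name build_tty_path is an assumption of this example. It uses snprintf's return value to detect the truncation that strcat silently turned into a stack overflow, and refuses the name instead of writing past buf.

```c
/* Added example, not mingetty's own code: a bounds-checked way to build
 * "/dev/<tty>" into the same 20-byte buffer the original open_tty() used. */
#include <stdio.h>
#include <string.h>

#define TTY_PATH_LEN 20   /* matches "char buf[20]" in the quoted source */

/* Build "/dev/<tty>" into out (capacity outlen).
 * Returns 0 on success, -1 if the result would not fit (or tty is NULL),
 * in which case out is left as an empty string and nothing is overrun. */
static int build_tty_path(const char *tty, char *out, size_t outlen)
{
    int n;

    if (tty == NULL || outlen == 0)
        return -1;

    /* snprintf never writes more than outlen bytes; its return value is the
     * length the full string would have had, so n >= outlen means the
     * terminating NUL did not fit and the name must be rejected. */
    n = snprintf(out, outlen, "/dev/%s", tty);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char buf[TTY_PATH_LEN];
    const char *tty = argc > 1 ? argv[1] : "tty1";   /* tty1 is a sample name */

    if (build_tty_path(tty, buf, sizeof buf) != 0) {
        fprintf(stderr, "%s: tty name too long (max %zu chars)\n",
                tty, sizeof buf - strlen("/dev/") - 1);
        return 1;
    }
    printf("%s\n", buf);   /* e.g. /dev/tty1 */
    return 0;
}
```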
This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 14:09:14 PST