analysis of mingetty error (version 0.9.4)

From: Jose Nazario (joseat_private)
Date: Mon Dec 03 2001 - 12:25:10 PST


    i obtained the mingetty source for mingetty, version 0.9.4, from the
    debian site:
    
    	http://packages.debian.org/stable/admin/mingetty.html
    
    i did not apply any patches. i had a quick look at the code, gdb output
    and strace output. i think i have isolated the problem, using a static
    analysis tool i am developing, coupled to common sense and various
    applications of vi. <smirk> note that both rats and flawfinder go wild on
    this code. pretty impressive it's gone 5 years since an even modest audit
    by some ... looks like debian did something with the patch they have right
    there ...
    
    anyhow, here's the deal with the code:
    
    main() reads the argument, typically a device name:
    
         65 /* on which tty line are we sitting? (e.g. tty1) */
         66 static char *tty;
    		[ snip ]
        419         tty = argv[optind];
        420         if (! tty)
        421                 usage ();
    
    
    it then calls open_tty():
    
        168 /* open_tty - set up tty as standard { input, output, error } */
        169 static void open_tty (void)
        170 {
        171         struct sigaction sa;
        172         char buf[20];
        173         int fd;
        174
        175         /* Set up new standard input. */
        176         strcpy (buf, "/dev/");
        177         strcat (buf, tty);
        178         if (chown (buf, 0, 0) || chmod (buf, 0600))
        179                 error ("%s: %s", buf, sys_errlist[errno]);
    
    
    right there is the problem, in line 177. strcat .. good old strcat(). how
    i love thee. you overflow buf (only 20 is allocated in line 172). you die
    in sys_errlist:
    
    #0  0x4005e537 in _sys_errlist ()
    #1  0xbffffb24 in _sys_errlist ()
    #2  0x6f4d6e75 in _sys_errlist ()
    
    however, while this is a quality control issue, is this really a security
    issue? is mingetty ever suid anything? i only see it non-suid on the
    systems i have checked, and the makefile included in the dist doesn't
    install it suid ... it's installed in inittab tied to specific terminals,
    as best i can tell ...
    
    so .. is this really an issue? patch it and move on ... and while you're at
    it audit some damn code!
    
    ____________________________
    jose nazario						     joseat_private
    	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
    				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
    
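The strcpy/strcat pattern quoted from open_tty() above, placed beside a bounds-checked replacement, as an added example that is not part of the original message or of mingetty's own code. The 20-byte buffer size matches buf[20] in the quoted source; the function names, the DEV_BUF_SIZE macro and the sample tty names are assumptions made here for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Size of buf[] in the quoted open_tty(): "/dev/" plus the tty name must
   fit in 20 bytes including the terminating NUL. */
#define DEV_BUF_SIZE 20

/* Number of bytes that the original
       strcpy(buf, "/dev/"); strcat(buf, tty);
   actually writes: prefix, name and the NUL.  Neither call knows the size
   of buf, so anything above DEV_BUF_SIZE runs off the end of the stack
   buffer, which is the crash the gdb backtrace shows. */
size_t bytes_written_by_strcat(const char *tty)
{
    return strlen("/dev/") + strlen(tty) + 1;
}

/* Hardened replacement (illustrative, not mingetty's code): build the path
   with snprintf and refuse names that would not fit.  Returns 0 on success;
   -1 with errno = EINVAL for a NULL or empty name, or errno = ENAMETOOLONG
   when "/dev/<tty>" plus its NUL does not fit in bufsz bytes. */
int build_dev_path(char *buf, size_t bufsz, const char *tty)
{
    if (tty == NULL || *tty == '\0') {
        errno = EINVAL;
        return -1;
    }
    int n = snprintf(buf, bufsz, "/dev/%s", tty);
    if (n < 0)
        return -1;                /* encoding error; errno set by snprintf */
    if ((size_t)n >= bufsz) {     /* output was truncated: would have overflowed */
        buf[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample arguments: the usual inittab case, the longest
       name that still fits in 20 bytes (14 chars), and one char too many. */
    char longest[DEV_BUF_SIZE], toolong[DEV_BUF_SIZE];
    memset(longest, 'A', 14); longest[14] = '\0';
    memset(toolong, 'A', 15); toolong[15] = '\0';
    const char *names[] = { "tty1", longest, toolong };
    char buf[DEV_BUF_SIZE];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        size_t need = bytes_written_by_strcat(names[i]);
        if (build_dev_path(buf, sizeof buf, names[i]) == 0)
            printf("%-16s strcat would write %2zu bytes: ok      -> %s\n",
                   names[i], need, buf);
        else
            printf("%-16s strcat would write %2zu bytes: refused (%s)\n",
                   names[i], need, strerror(errno));
    }
    return 0;
}
```

The check is on the snprintf return value, not on the truncated output: snprintf reports the length it wanted to write, so a return of bufsz or more means the original strcat would already have overrun the buffer. Whether this is exploitable still depends on who controls argv, which for a non-suid getty started from inittab is root.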
    This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 14:09:14 PST