Debian Security Advisory
minicom -- standard buffer overrun(s) in minicom
- Date Reported:
- 10 Feb 1997
- Affected Packages:
- Security database references:
- No other external database security references currently available.
- More information:
Original submitter of the report: Dmitry E. Kim <email@example.com>.
Vulnerability in minicom allows (certain) local users to obtain group "uucp" privileges and, in certain cases, root privileges.
Minicom binary is usually owned by user "root" and group "uucp", and it is "-rwxr-sr-x" or, in some old distributions, "-rwsr-sr-x". Actually, minicom has a lot of arbitrary size buffers and it is really easy to overrun some of them. At least one of these overrunable buffers is automatic — an argument to "-d" option of minicom is copied into 128 bytes long automatic array. Thus, it is possible to overwrite the function return address and to execute arbitrary code (as usual).
If minicom is installed setuid root, any user which is permitted to use minicom can obtain root shell. If minicom is installed setgid uucp, any minicom user can obtain uucp group privileges (please don't think it's nothing — at least on Slackware machines /usr/lib/uucp is group-writable. This means you can easily substitute uucico/uuxqt/etc with your scripts).