Debian Security Advisory

minicom -- standard buffer overrun(s) in minicom

Date Reported:
10 Feb 1997
Affected Packages:
minicom
Vulnerable:
No
Security database references:
No other external database security references currently available.
More information:

Original submitter of the report: Dmitry E. Kim <jason@redline.ru>.

A vulnerability in minicom allows (certain) local users to obtain group "uucp" privileges and, in certain cases, root privileges.

The minicom binary is usually owned by user "root" and group "uucp", with mode "-rwxr-sr-x" or, in some old distributions, "-rwsr-sr-x". Minicom has a lot of arbitrarily sized buffers, and it is really easy to overrun some of them. At least one of these overrunnable buffers is automatic: the argument to minicom's "-d" option is copied into a 128-byte automatic array. Thus, it is possible to overwrite the function return address and to execute arbitrary code (as usual).
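The copy pattern described above, next to a bounded version, as an added illustration that is not minicom's source code. The function names and the 128-byte `DIAL_BUF` constant are hypothetical stand-ins for the array the advisory describes.

```c
#include <stdio.h>
#include <string.h>

#define DIAL_BUF 128  /* size of the automatic array named in the advisory */

/* Unchecked pattern: the argument length is never compared with the array
 * size, so 128 or more bytes are written past buf, toward the saved return
 * address. Shown for contrast; it is only safe for short input. */
size_t dial_unchecked(const char *arg)
{
    char buf[DIAL_BUF];
    strcpy(buf, arg);               /* no bound on the copy */
    return strlen(buf);
}

/* Bounded version: oversized input is rejected rather than truncated, so a
 * long "-d" argument never reaches the copy. Returns 0 on success, -1 on
 * rejection. */
int dial_checked(const char *arg, char *out, size_t outsz)
{
    const char *end;
    size_t n;

    if (arg == NULL || out == NULL || outsz == 0)
        return -1;
    end = memchr(arg, '\0', outsz); /* look for the terminator within outsz */
    if (end == NULL)
        return -1;                  /* argument does not fit with its NUL */
    n = (size_t)(end - arg);
    memcpy(out, arg, n + 1);        /* n + 1 <= outsz is guaranteed here */
    return 0;
}

int main(int argc, char **argv)
{
    char entry[DIAL_BUF];
    const char *arg = argc > 1 ? argv[1] : "constructed-entry"; /* sample */

    if (dial_checked(arg, entry, sizeof entry) != 0) {
        fprintf(stderr, "-d argument too long (max %d bytes)\n", DIAL_BUF - 1);
        return 1;
    }
    printf("dial entry accepted: %s\n", entry);
    return 0;
}
```

Rejecting the argument instead of silently truncating it keeps the program from acting on a different entry name than the one the user typed.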

If minicom is installed setuid root, any user who is permitted to use minicom can obtain a root shell. If minicom is installed setgid uucp, any minicom user can obtain uucp group privileges (please don't think it's nothing: at least on Slackware machines, /usr/lib/uucp is group-writable. This means you can easily substitute uucico/uuxqt/etc. with your own scripts).