On Wed, 5 Jul 1995, Larry Kruper wrote:

> Date: Wed, 5 Jul 1995 19:40:51 -0700
> From: Larry Kruper <lak@home.crimelab.com>
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
> Subject: Re: Exploit for Linux wu.ftpd hole
>
> > On Wed, 5 Jul 1995, Henri Karrenbeld wrote:
> >
> > > Date: Wed, 5 Jul 1995 18:44:17 +0100
> > > From: Henri Karrenbeld <H.Karrenbeld@ct.utwente.nl>
> > > To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
> > > Subject: Exploit for Linux wu.ftpd hole
> > >
> > minicom has a known, but not very well-known hole in it that is nearly
> > identical to the wu-ftp hole. If you are a legitimate user of a pre 1.71
> > version of minicom, you can get root, it's the same sort of thing,
> > seteuid(0), and then make a suid root shell somewhere - you do it by
> > changing the name of 'runscript' to your shell...
> >
> > It wouldn't really be much of a problem, except that Linux to this day (I
> > believe) continues to have the users gonzo, satan, and snake in
> > minicom.users (or the Slackware release does, at the very least).
> > ---
>
> So, how is this bug exploited if gonzo, satan or snake are not in /etc/passwd ?
> With the minicom F - username (i.e. satan) I do not get an error for not
> being in the minicom.users file, but J does not jump to a shell. How is this
> done ?
>
> I am doing this on my own system, not someone else's.
>

Indeed, this offers some protection - it's nonetheless a serious bug. Anyone
who has, or can get access to minicom via minicom.users can get root. Also,
under the default config on 1.70, {metakey}J doesn't jump to a shell, it
suspends the program. That's why the intruder must edit the path to runscript
instead (runscript is the script interpreter, and its path can be edited in
the configuration area).
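
An added example, not part of the original thread or of minicom itself: a small Python audit for the exposure discussed above, which cross-checks minicom.users entries against /etc/passwd and tests whether a binary is setuid root. The function names are hypothetical, the caller supplies the file contents and binary path, and the minicom.users layout (one `username [configuration ...]` per line, `#` comments) is an assumption.

```python
import os
import stat

# Default entries the thread says ship in minicom.users (Slackware at least).
DEFAULT_ENTRIES = {"gonzo", "satan", "snake"}

def parse_minicom_users(text):
    """Usernames from minicom.users text (assumed format: 'user [config ...]')."""
    users = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on blanks
        if fields:
            users.append(fields[0])
    return users

def passwd_accounts(text):
    """Set of login names found in passwd-format text."""
    return {ln.split(":", 1)[0] for ln in text.splitlines() if ln.strip()}

def audit(users_text, passwd_text):
    """Classify each minicom.users entry.

    exposed: matches a real account, so that account may run minicom
    stale:   no matching account in passwd
    default: one of the shipped names mentioned in the thread
    """
    accounts = passwd_accounts(passwd_text)
    report = {"exposed": [], "stale": [], "default": []}
    for user in parse_minicom_users(users_text):
        if user in DEFAULT_ENTRIES:
            report["default"].append(user)
        report["exposed" if user in accounts else "stale"].append(user)
    return report

def is_setuid_root(path):
    """True if the file at path is owned by root and has the setuid bit set."""
    st = os.stat(path)
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)

# Constructed sample input, not taken from a real system.
SAMPLE_USERS = "# minicom.users\ngonzo\nsatan\nsnake\nalice dialout\n"
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "alice:x:1000:100::/home/alice:/bin/sh\n"
    "satan:x:1001:100::/home/satan:/bin/sh\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_USERS, SAMPLE_PASSWD))
```

Every name under "exposed" is an account that can reach the bug on a pre-1.71 setuid-root minicom; "default" and "stale" entries are candidates for removal from minicom.users.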