Date:         Wed, 23 Aug 2000 18:23:18 -0400
From: Dpk <dpk@EGR.MSU.EDU>
Subject:      Re: RH 6.1 / 6.2 minicom vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

On Sat, Aug 19, 2000 at 11:43:59AM +0200, Michal Zalewski wrote:

   On RedHat 6.1 and RedHat 6.2 boxes (I haven't found other
   distributions vulnerable):

   @(#)Minicom V1.83.0 (compiled Mar 7 2000)(c) Miquel van Smoorenburg

   [lcamtuf@nimue lcamtuf]$ minicom -C foo
   minicom: there is no global configuration file /etc/minirc.dfl
   Ask your sysadm to create one (with minicom -s).

   [lcamtuf@nimue lcamtuf]$ ls -l foo
   -rw-rw-r--   1 lcamtuf  uucp            0 Aug 18 12:21 foo
       ^^                  ^^^^

   Any file can be created anywhere with uucp privileges - it will
   follow symlinks. Not nice on systems running uucp services.
   [snip]

To round out the distribution status...

Debian/GNU Linux does not install minicom set[ug]id, and is not
vulnerable... verified on 2.1 (slink), 2.2 (potato), and "woody".

Dpk
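
Added example, not part of the original message and not minicom's code: one way a set[ug]id program can create a user-named capture file (the `-C foo` case quoted above) with the invoking user's identity and without following a symlink. The function name `open_capture_as_invoker` and the default file name in `main` are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, O_CLOEXEC, seteuid */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not minicom's code. Returns an fd, or -1 with errno. */
int open_capture_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, err;

    /* Become the real user and group for the duration of the open(). The
     * saved set-IDs let the program switch back for the serial device. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        err = errno;
        (void)setegid(saved_egid);
        errno = err;
        return -1;
    }

    /* O_NOFOLLOW refuses a symlink as the final path component; earlier
     * components are resolved with the user's own permissions. Mode 0600
     * avoids the group-writable file shown in the report. */
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    err = errno;

    /* Restore uid first (it may be needed to restore gid). */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_capture_as_invoker(argc > 1 ? argv[1] : "foo");
    if (fd < 0) { perror("capture file"); return 1; }
    close(fd);
    return 0;
}
```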