Date: Wed, 23 Aug 2000 18:23:18 -0400 From: Dpk <dpk@EGR.MSU.EDU> Subject: Re: RH 6.1 / 6.2 minicom vulnerability To: BUGTRAQ@SECURITYFOCUS.COM On Sat, Aug 19, 2000 at 11:43:59AM +0200, Michal Zalewski wrote: On RedHat 6.1 and RedHat 6.2 boxes (I haven't found other distributions vulnerable): @(#)Minicom V1.83.0 (compiled Mar 7 2000)(c) Miquel van Smoorenburg [lcamtuf@nimue lcamtuf]$ minicom -C foo minicom: there is no global configuration file /etc/minirc.dfl Ask your sysadm to create one (with minicom -s). [lcamtuf@nimue lcamtuf]$ ls -l foo -rw-rw-r-- 1 lcamtuf uucp 0 Aug 18 12:21 foo ^^ ^^^^ Any file can be created anywhere with uucp privledges - it will follow symlinks. Not nice on systems running uucp services. [snip] To round out the distribution status... Debian/GNU Linux does not install minicom set[ug]id, and is not vulnerable... verified on 2.1 (slink), 2.2 (potato), and "woody". Dpk