Bugtraq mailing list archives
Re: vixie-crontab for redhat linux
From: ewt () redhat com (Erik Troan)
Date: Mon, 16 Dec 1996 10:44:01 -0500
On Sun, 15 Dec 1996, Dave G. wrote:
/* vixie crontab buffer overflow for RedHat Linux * * I don't think too many people know that redhat uses vixie crontab. * I didn't find this, just exploited it. * * * Dave G. * <daveg () escape com> * http://www.escape.com/~daveg * * */
Here's a quick fix that lets crontab segv instead of buffer overflowing ;-) I think I got all of the sprintf and strcpy buffer overflows. There are still some attacks based on overruns on data read from /etc/passwd but those would be difficult to exploit at best. Comments? Erik --- vixie-cron-3.0.1/crontab.c.ewt Mon Dec 16 10:35:09 1996 +++ vixie-cron-3.0.1/crontab.c Mon Dec 16 10:42:21 1996 @@ -197,7 +197,9 @@ } else { if (argv[optind] != NULL) { Option = opt_replace; - (void) strcpy (Filename, argv[optind]); + (void) strncpy (Filename, argv[optind], + sizeof(Filename - 1)); + Filename[sizeof(Filename) - 1] = '\0'; } else { usage("file name must be specified for replace"); } @@ -246,7 +248,7 @@ int ch; log_it(RealUser, Pid, "LIST", User); - (void) sprintf(n, CRON_TAB(User)); + (void) snprintf(n, sizeof(n), CRON_TAB(User)); if (!(f = fopen(n, "r"))) { if (errno == ENOENT) fprintf(stderr, "no crontab for %s\n", User); @@ -269,7 +271,7 @@ char n[MAX_FNAME]; log_it(RealUser, Pid, "DELETE", User); - (void) sprintf(n, CRON_TAB(User)); + (void) snprintf(n, sizeof(n), CRON_TAB(User)); if (unlink(n)) { if (errno == ENOENT) fprintf(stderr, "no crontab for %s\n", User); @@ -301,7 +303,7 @@ PID_T pid, xpid; log_it(RealUser, Pid, "BEGIN EDIT", User); - (void) sprintf(n, CRON_TAB(User)); + (void) snprintf(n, sizeof(n), CRON_TAB(User)); if (!(f = fopen(n, "r"))) { if (errno != ENOENT) { perror(n); @@ -497,7 +499,7 @@ char **envp = env_init(); (void) sprintf(n, "tmp.%d", Pid); - (void) sprintf(tn, CRON_TAB(n)); + (void) snprintf(tn, sizeof(tn), CRON_TAB(n)); if (!(tmp = fopen(tn, "w+"))) { perror(tn); return (-2); @@ -585,7 +587,7 @@ return (-2); } - (void) sprintf(n, CRON_TAB(User)); + (void) snprintf(n, sizeof(n), CRON_TAB(User)); if (rename(tn, n)) { fprintf(stderr, "%s: error renaming %s to %s\n", ProgramName, tn, n);
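Review bot: In the first hunk (@@ -197), the bound passed to strncpy is `sizeof(Filename - 1)`, with the `- 1` inside the parentheses. `Filename - 1` is a pointer expression, so this evaluates to the size of a pointer rather than the size of the buffer less one, and only the first few bytes of argv[optind] are copied. That does not overflow, but the replace option is left with a truncated file name. The terminator line directly below has the parentheses in the right place, and the bound should match it: `sizeof(Filename) - 1`.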
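Review bot: In the LIST, DELETE and BEGIN EDIT hunks (@@ -246, @@ -269, @@ -301), the snprintf return value is still cast to void, so a path that does not fit in n is silently truncated and then passed to fopen or, in the DELETE hunk, to unlink. Bounding the write removes the overflow, but the code then acts on a path other than the one that was requested. Compare the return value against sizeof(n) and exit with an error when the path does not fit, instead of continuing with the shortened name.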
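Review bot: In the @@ -497 hunk, the context line `(void) sprintf(n, "tmp.%d", Pid);` keeps the unbounded call directly above the converted one. A %d conversion of Pid is short, so this is a consistency point and not an overflow, but changing it to snprintf with sizeof(n) would make the two path-building calls in the hunk match. The unchecked-truncation concern also applies here and in the @@ -585 hunk: a cut-off tn is created by fopen(tn, "w+"), and a cut-off n becomes the target of rename(tn, n).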