
Re: vixie-crontab for redhat linux


From: ewt () redhat com (Erik Troan)
Date: Mon, 16 Dec 1996 10:44:01 -0500


On Sun, 15 Dec 1996, Dave G. wrote:

/* vixie crontab buffer overflow for RedHat Linux
 *
 * I don't think too many people know that redhat uses vixie crontab.
 * I didn't find this, just exploited it.
 *
 *
 * Dave G.
 * <daveg () escape com>
 * http://www.escape.com/~daveg
 *
 *
 */

Here's a quick fix that lets crontab segv instead of buffer overflowing ;-)
I think I got all of the sprintf and strcpy buffer overflows. There are still
some attacks based on overruns on data read from /etc/passwd but those would
be difficult to exploit at best.

Comments?

Erik

--- vixie-cron-3.0.1/crontab.c.ewt      Mon Dec 16 10:35:09 1996
+++ vixie-cron-3.0.1/crontab.c  Mon Dec 16 10:42:21 1996
@@ -197,7 +197,9 @@
        } else {
                if (argv[optind] != NULL) {
                        Option = opt_replace;
-                       (void) strcpy (Filename, argv[optind]);
+                       (void) strncpy (Filename, argv[optind],
+                                       sizeof(Filename - 1));
+                       Filename[sizeof(Filename) - 1] = '\0';
                } else {
                        usage("file name must be specified for replace");
                }
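Review bot: The bound passed to strncpy on the first added line, `sizeof(Filename - 1)`, is the size of a pointer expression, not of the array: inside the parentheses Filename decays to `char *`, so the copy is limited to sizeof(char *) bytes and any longer argument is silently cut to a few characters, which makes the replace command operate on the wrong file. The intended bound is `sizeof(Filename) - 1`, after which the explicit terminator on the next line is correct. Even with the bound fixed, silent truncation means an over-long path names a different file than the one the user asked for; a length check such as `if (strlen(argv[optind]) >= sizeof(Filename)) usage("file name too long");` before the copy would match the existing `usage()` error path in the else branch. The enclosing option-parsing block starts and ends outside this hunk, and this assumes Filename is declared as a char array, which the sizeof on the following line already relies on.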
@@ -246,7 +248,7 @@
        int     ch;

        log_it(RealUser, Pid, "LIST", User);
-       (void) sprintf(n, CRON_TAB(User));
+       (void) snprintf(n, sizeof(n), CRON_TAB(User));
        if (!(f = fopen(n, "r"))) {
                if (errno == ENOENT)
                        fprintf(stderr, "no crontab for %s\n", User);
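Review bot: The snprintf result on the changed line is discarded with `(void)`, so when the spool directory plus User does not fit in n the path is silently truncated and the code goes on to fopen whatever file the shortened name denotes; the same unchecked pattern appears in the DELETE, BEGIN EDIT, tmp-file and rename hunks below. Capturing the return value and failing the way the surrounding error paths do, e.g. `int len = snprintf(n, sizeof(n), CRON_TAB(User)); if (len < 0 || len >= (int) sizeof(n)) { fprintf(stderr, "%s: crontab path too long\n", ProgramName); exit(ERROR_EXIT); }`, closes that gap (the `len < 0` test also covers pre-C99 libcs that return -1 on truncation). This assumes CRON_TAB() expands to a literal format string with its own arguments, as the unchanged sprintf usage suggests; if it did not, the missing `"%s"` would be a format-string problem in its own right. The enclosing function continues outside this hunk.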
@@ -269,7 +271,7 @@
        char    n[MAX_FNAME];

        log_it(RealUser, Pid, "DELETE", User);
-       (void) sprintf(n, CRON_TAB(User));
+       (void) snprintf(n, sizeof(n), CRON_TAB(User));
        if (unlink(n)) {
                if (errno == ENOENT)
                        fprintf(stderr, "no crontab for %s\n", User);
@@ -301,7 +303,7 @@
        PID_T           pid, xpid;

        log_it(RealUser, Pid, "BEGIN EDIT", User);
-       (void) sprintf(n, CRON_TAB(User));
+       (void) snprintf(n, sizeof(n), CRON_TAB(User));
        if (!(f = fopen(n, "r"))) {
                if (errno != ENOENT) {
                        perror(n);
@@ -497,7 +499,7 @@
        char    **envp = env_init();

        (void) sprintf(n, "tmp.%d", Pid);
-       (void) sprintf(tn, CRON_TAB(n));
+       (void) snprintf(tn, sizeof(tn), CRON_TAB(n));
        if (!(tmp = fopen(tn, "w+"))) {
                perror(tn);
                return (-2);
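Review bot: The `sprintf(n, "tmp.%d", Pid)` call directly above the changed line is the one sprintf in this area the patch leaves alone; it is bounded in practice if Pid is an integer type and n is MAX_FNAME wide, but for consistency with the rest of the patch `(void) snprintf(n, sizeof(n), "tmp.%d", Pid);` keeps every path construction in the file under the same discipline. As with the other hunks, the snprintf result into tn is not checked for truncation, so a shortened name would be handed to fopen and later rename. The enclosing function starts and ends outside this hunk.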
@@ -585,7 +587,7 @@
                return (-2);
        }

-       (void) sprintf(n, CRON_TAB(User));
+       (void) snprintf(n, sizeof(n), CRON_TAB(User));
        if (rename(tn, n)) {
                fprintf(stderr, "%s: error renaming %s to %s\n",
                        ProgramName, tn, n);


