Bugtraq mailing list archives
Re: Vixie Cron version 3.0pl1 vulnerable to root exploit
From: netch () LUCKY NET (Valentin Nechayev)
Date: Wed, 1 Sep 1999 17:41:14 +0300
Martin Schulze <joey () FINLANDIA INFODROM NORTH DE> wrote:
Red Hat has recently released a Security Advisory (RHSA-1999:030-01) covering a reverse denial of service bug in the vixie cron package. As a user you could restart sendmail even if the host should not receive mail through the SMTP port. Further investigation discovered that it was even worse. Vixie cron runs as root at the time of sending acknowledgement mail to a user. Passing arbitrary parameters to sendmail at this time leads to a possible root exploit (like -C/tmp/myexploitsendmail.cf). Olaf Kirch has developed the following patch that will send the mail as the user instead of root and removes the possibility to pass arguments to the installed MTA.
[skip]
-#define MAILARGS "%s -FCronDaemon -odi -oem -or0s %s" /*-*/ +#define MAILARGS "%s -FCronDaemon -odi -oem %s" /*-*/
[skip]
+ /* Check for arguments */ + if (mailto) { + const char *end; + + /* These chars have to match those cron_popen() + * uses to split the command string */ + mailto += strspn(mailto, " \t\n"); + end = mailto + strcspn(mailto, " \t\n"); + if (*mailto == '-' || *end != '\0') { + printf("Bad Mailto karma.\n"); + log_it("CRON",getpid(),"error","bad mailto");
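Review bot: in the mailto check, the whitespace set " \t\n" is written out twice (in the strspn() and strcspn() calls) and, per the comment, must also stay identical to the set cron_popen() splits on, so three copies have to be kept in sync by hand. Define the set once and use it in all three places. Note also that `*end != '\0'` rejects a value that merely has trailing whitespace, which may be stricter than intended.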
A much simpler and more correct variant is to append "--" to mailargs:
-#define MAILARGS "%s -FCronDaemon -odi -oem -or0s %s" /*-*/ +#define MAILARGS "%s -FCronDaemon -odi -oem -- %s" /*-*/
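Review bot: the "--" added to MAILARGS ends option parsing but not word splitting: the comment in the quoted check says cron_popen() splits the command string on space, tab and newline, so a MAILTO value containing whitespace would still reach the MTA as several arguments. Keep the `*end != '\0'` test from the quoted patch alongside "--" and drop only the `*mailto == '-'` test.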
After that, it's possible to use real local parts starting with '-'. ;) getopt() stops parsing after "--", and arguments after it will be parsed as positional, not as flags.

PS. Also, it is useful to audit any program invocation that runs another program with a command line instead of an argument array.
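The PS above, as an added example (not part of the original post and not cron's code): a C comparison of what a getopt()-style parser sees when the recipient is pasted into a command string and split on whitespace, versus passed as one element of an argument array. The splitter and classifier are illustrative stand-ins, and the names `classify`, `via_string` and `via_argv` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define SPLIT_CHARS " \t\n"  /* split set named in the quoted patch comment */

struct seen { int options; int operands; };

/* What a getopt()-style parser makes of argv[1..]: a token starting with
 * '-' is an option until "--" is met; everything after "--" is an operand. */
static struct seen classify(char *const argv[], int argc)
{
    struct seen s = { 0, 0 };
    int opts_done = 0;
    for (int i = 1; i < argc; i++) {
        if (!opts_done && strcmp(argv[i], "--") == 0)
            opts_done = 1;
        else if (!opts_done && argv[i][0] == '-' && argv[i][1] != '\0')
            s.options++;
        else
            s.operands++;
    }
    return s;
}

/* Command-string route: format the line, then split it on whitespace.
 * The splitter is a stand-in for illustration, not cron_popen() itself. */
struct seen via_string(const char *mailer, const char *mailto, int dashdash)
{
    char cmd[256], *argv[32];
    int argc = 0;
    snprintf(cmd, sizeof cmd, "%s -FCronDaemon -odi -oem %s%s",
             mailer, dashdash ? "-- " : "", mailto);
    for (char *p = strtok(cmd, SPLIT_CHARS); p && argc < 32;
         p = strtok(NULL, SPLIT_CHARS))
        argv[argc++] = p;
    return classify(argv, argc);
}

/* Argument-array route: mailto is one element and is never re-split;
 * in real use the same array, NULL-terminated, would go to execv(). */
struct seen via_argv(const char *mailer, const char *mailto)
{
    char *argv[] = { (char *)mailer, "-FCronDaemon", "-odi", "-oem",
                     "--", (char *)mailto };
    return classify(argv, 6);
}
```

With the three fixed options as the baseline, any count above 3 options or above 1 operand means the recipient value changed the shape of the command line.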