Re: Vixie Cron version 3.0pl1 vulnerable to root exploit

[netch () LUCKY NET (Valentin Nechayev)]

Martin Schulze <joey () FINLANDIA INFODROM NORTH DE> wrote:

> Red Hat has recently released a Security Advisory (RHSA-1999:030-01)
> covering a reverse denial of service bug in the vixie cron package.
> As user you could restart sendmail even if the host should not receive
> mail through the SMTP port.
>
> Further investigation discovered that it was even worse.  Vixie cron
> runs as root at the time sending acknowledge mail to a user.  Passing
> arbitrary parameters to sendmail at this time leads into a possible
> root exploit (like -C/tmp/myexploitsendmail.cf).
>
> Olaf Kirch has developed the following patch that will send the mail
> as user instead of root and removes the possibility to pass arguments
> to the installed MTA.

[skip]

> -#define MAILARGS "%s -FCronDaemon -odi -oem -or0s %s"                /*-*/
> +#define MAILARGS "%s -FCronDaemon -odi -oem %s"                      /*-*/

[skip]

> +     /* Check for arguments */
> +     if (mailto) {
> +             const char      *end;
> +
> +             /* These chars have to match those cron_popen()
> +              * uses to split the command string */
> +             mailto += strspn(mailto, " \t\n");
> +             end = mailto + strcspn(mailto, " \t\n");
> +             if (*mailto == '-' || *end != '\0') {
> +                     printf("Bad Mailto karma.\n");
> +                     log_it("CRON",getpid(),"error","bad mailto");

Quite more simple and correct variant is to append "--" to mailargs:

> -#define MAILARGS "%s -FCronDaemon -odi -oem -or0s %s"                /*-*/
> +#define MAILARGS "%s -FCronDaemon -odi -oem -- %s"                   /*-*/

After it, it's possible to use real local parts starting with '-'. ;)
getopt() stops parsing after "--", and arguments after it will be parsed as
positional, not as flags.

PS. Also, it is useful to audit any program invocation using another
program with command line instead of argument array.