Bugtraq mailing list archives
vixie cron possible local root compromise
From: Flatline <achter05 () IE HVA NL>
Date: Sun, 11 Feb 2001 00:38:02 +0100
- Introduction:

Paul Vixie's crontab version 3.0.1-56 contains another buffer overflow vulnerability. I'm not sure whether it's exploitable or not; it needs to be fixed, however.

- Platforms:

I've only tested it under Red Hat Linux 7.0, which uses version 3.0.1-56, although this condition almost certainly affects all systems running this crontab.

- Description:

When crontab has determined the name of the user calling crontab (using getpwuid()), the login name is stored in a 20 byte buffer using the strcpy() function (which does no bounds checking). 'useradd' (the utility used to add users to the system) however allows usernames of over 20 characters (32 at most on my distribution). Therefore, running crontab as a user whose login name exceeds 20 characters crashes it.

Example:

    [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@testgrounds AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]$ crontab
    Segmentation fault
    [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@testgrounds AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]$

Where 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' is a valid user.

- Problematic code:

in crontab.c, function 'parse_args':

    <snip>
    if (!(pw = getpwuid(getuid()))) {
            fprintf(stderr, "%s: your UID isn't in the passwd file.\n", ProgramName);
            fprintf(stderr, "bailing out.\n");
            exit(ERROR_EXIT);
    }
    >> strcpy(User, pw->pw_name);
    <snip>

- Quick fix (diff output for crontab.c):

146c146
< strcpy(User, pw->pw_name);
---
> strncpy(User, pw->pw_name, MAX_UNAME - 1);

Or simply remove the setuid bit on /usr/bin/crontab until a vendor patch has been released, just to be on the safe side.

- Vendor status:

Has been notified, awaiting patch.

- Found by:

flatline (achter05 () ie hva nl). Shouts go out to xperience, 84/tcp and #darknet.
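
Review bot: in the replacement line, strncpy(User, pw->pw_name, MAX_UNAME - 1) writes no terminating NUL when pw_name is MAX_UNAME - 1 characters or longer, and the patch never sets User[MAX_UNAME - 1], so termination depends on User already being zero-filled, which these lines do not show. Add User[MAX_UNAME - 1] = '\0'; after the copy, or better, test strlen(pw->pw_name) >= MAX_UNAME and exit with ERROR_EXIT as the getpwuid() failure branch does, since a silent truncation lets crontab continue under a name that is not the caller's login name.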
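
An added example, not part of the original post or of the cron source: a length-checked copy for the login name that refuses an over-long name, plus a check showing that truncating to MAX_UNAME - 1 bytes can make two different names identical. MAX_UNAME is assumed to be 20 to match the buffer size given in the post; copy_login_name and truncation_collides are hypothetical helpers.

```c
#include <stdio.h>
#include <string.h>

#define MAX_UNAME 20   /* assumption: the 20-byte buffer described in the post */

/* Hypothetical helper: copy a login name into a fixed buffer.
 * Returns 0 on success, -1 if the arguments are bad or the name does not fit. */
static int copy_login_name(char *dst, size_t dstsz, const char *name)
{
    size_t len;

    if (dst == NULL || dstsz == 0 || name == NULL)
        return -1;
    dst[0] = '\0';                 /* never leave stale data behind */
    len = strlen(name);
    if (len >= dstsz)              /* no room for the name plus its NUL */
        return -1;
    memcpy(dst, name, len + 1);    /* copies the terminator as well */
    return 0;
}

/* Returns 1 when two different names become equal after being cut to
 * MAX_UNAME - 1 bytes with strncpy plus an explicit terminator. */
static int truncation_collides(const char *a, const char *b)
{
    char ta[MAX_UNAME], tb[MAX_UNAME];

    strncpy(ta, a, MAX_UNAME - 1);
    ta[MAX_UNAME - 1] = '\0';
    strncpy(tb, b, MAX_UNAME - 1);
    tb[MAX_UNAME - 1] = '\0';
    return strcmp(a, b) != 0 && strcmp(ta, tb) == 0;
}

int main(void)
{
    /* Constructed sample names, not taken from any real system. */
    const char *names[] = { "alice", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    char user[MAX_UNAME];
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (copy_login_name(user, sizeof user, names[i]) != 0)
            fprintf(stderr, "login name too long, bailing out: %s\n", names[i]);
        else
            printf("User = %s\n", user);
    }
    return 0;
}
```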
Current thread:
- vixie cron possible local root compromise Flatline (Feb 12)
- Re: vixie cron possible local root compromise Blake R. Swopes (Feb 12)
- Re: vixie cron possible local root compromise Robert Varga (Feb 14)
- Re: vixie cron possible local root compromise Arthur Clune (Feb 15)
- Re: vixie cron possible local root compromise Peter W (Feb 15)
- Re: vixie cron possible local root compromise Flavio Veloso (Feb 16)
- Re: vixie cron possible local root compromise Robert Varga (Feb 14)
- Re: vixie cron possible local root compromise Mate Wierdl (Feb 15)
- Re: vixie cron possible local root compromise Blake R. Swopes (Feb 12)
- Re: vixie cron possible local root compromise Rodrigo Barbosa (aka morcego) (Feb 13)