Date: Sun, 11 Feb 2001 00:38:02 +0100
From: Flatline <achter05@IE.HVA.NL>
Subject: vixie cron possible local root compromise
To: BUGTRAQ@SECURITYFOCUS.COM

- Introduction:

Paul Vixie's crontab version 3.0.1-56 contains another buffer overflow vulnerability. I'm not sure whether it's exploitable or not; it needs to be fixed, however.

- Platforms:

I've only tested it under Red Hat Linux 7.0, which uses version 3.0.1-56, although this condition almost certainly affects all systems running this crontab.

- Description:

When crontab has determined the name of the user calling crontab (using getpwuid()), the login name is stored in a 20 byte buffer using the strcpy() function, which does no bounds checking. 'useradd' (the utility used to add users to the system), however, allows usernames of over 20 characters (32 at most on my distribution). Therefore, running crontab as a user whose login name exceeds 20 characters crashes it.

Example:

[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@testgrounds AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]$ crontab
Segmentation fault
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@testgrounds AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]$

Where 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' is a valid user.

- Problematic code:

In crontab.c, function 'parse_args':

<snip>
        if (!(pw = getpwuid(getuid()))) {
                fprintf(stderr, "%s: your UID isn't in the passwd file.\n", ProgramName);
                fprintf(stderr, "bailing out.\n");
                exit(ERROR_EXIT);
        }
>>      strcpy(User, pw->pw_name);
<snip>

- Quick fix (diff output for crontab.c):

146c146
<       strcpy(User, pw->pw_name);
---
>       strncpy(User, pw->pw_name, MAX_UNAME - 1);

Or simply remove the setuid bit on /usr/bin/crontab until a vendor patch has been released, just to be on the safe side.

- Vendor status:

Has been notified, awaiting patch.

- Found by:

flatline (achter05@ie.hva.nl). Shouts go out to xperience, 84/tcp and #darknet.
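Review bot: the replacement line in the 146c146 hunk, `strncpy(User, pw->pw_name, MAX_UNAME - 1);`, stops the overflow but does not guarantee a NUL terminator: strncpy() only writes one when the source is shorter than the bound, so a login name of MAX_UNAME - 1 or more characters leaves User[] unterminated unless the buffer happened to contain zeros already. Either add `User[MAX_UNAME - 1] = '\0';` directly after the call, or, better, reject names that do not fit (`if (strlen(pw->pw_name) >= MAX_UNAME)`) and exit the way the getpwuid() failure branch just above does, since a silently truncated User is no longer the name getpwuid() returned and every later use of it would refer to a different name.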
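As an added example, not code from the original post or from vixie cron: the 20-byte User[] buffer modelled with the MAX_UNAME constant from the diff, a check that shows when the posted strncpy() fix leaves User[] without a terminator, and a copy routine that rejects over-long names instead of truncating them. The function names strncpy_fix_terminates, copy_user_checked and user_name_fits are assumed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Same size as crontab's User[] buffer (the advisory states 20 bytes). */
#define MAX_UNAME 20

/* Caveat of the posted strncpy() fix: when pw_name has MAX_UNAME - 1 or
 * more characters, strncpy() writes no terminator, so whether User[] is a
 * valid C string depends on what the buffer held before the call. The
 * buffer is deliberately pre-filled with a non-zero byte to expose that.
 * Returns 1 if a NUL ended up inside User[], 0 otherwise. */
int strncpy_fix_terminates(const char *pw_name)
{
    char User[MAX_UNAME];
    memset(User, 'X', sizeof User);
    strncpy(User, pw_name, MAX_UNAME - 1);
    return memchr(User, '\0', sizeof User) != NULL;
}

/* Hardened copy: refuse a name that does not fit together with its NUL,
 * rather than truncating it (a truncated name is a different name).
 * Returns 0 on success, -1 when the name is rejected. */
int copy_user_checked(char *dst, size_t dstlen, const char *pw_name)
{
    size_t len = strlen(pw_name);
    if (len >= dstlen)
        return -1;
    memcpy(dst, pw_name, len + 1);   /* copies the terminating NUL too */
    return 0;
}

/* Convenience check against a MAX_UNAME-sized buffer: 1 if accepted. */
int user_name_fits(const char *pw_name)
{
    char User[MAX_UNAME];
    return copy_user_checked(User, sizeof User, pw_name) == 0;
}

int main(void)
{
    char long_name[33];                 /* constructed: 32 'A's, as in the post */
    memset(long_name, 'A', 32);
    long_name[32] = '\0';
    printf("strncpy fix terminates for 'alice': %d\n", strncpy_fix_terminates("alice"));
    printf("strncpy fix terminates for 32 A's:  %d\n", strncpy_fix_terminates(long_name));
    printf("32 A's accepted by checked copy:    %d\n", user_name_fits(long_name));
    return 0;
}
```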