Date:         Sun, 11 Feb 2001 00:38:02 +0100
From: Flatline <achter05@IE.HVA.NL>
Subject:      vixie cron possible local root compromise
To: BUGTRAQ@SECURITYFOCUS.COM

- Introduction:

Paul Vixie's crontab version 3.0.1-56 contains another buffer overflow
vulnerability. I'm not sure whether it's exploitable or not; it needs to be
fixed, however.


- Platforms:

I've only tested it under Red Hat Linux 7.0, which uses version 3.0.1-56,
although this condition almost certainly affects all systems running this
crontab.


- Description:

When crontab has determined the name of the user calling it (using
getpwuid()), the login name is stored in a 20-byte buffer using the strcpy()
function, which does no bounds checking. 'useradd' (the utility used to add
users to the system), however, allows usernames of over 20 characters (32 at
most on my distribution).

Therefore, running crontab as a user whose login name exceeds 20 characters
crashes it.

Example:

[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@testgrounds AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]$ crontab
Segmentation fault
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@testgrounds AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]$

Where 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' is a valid user.


- Problematic code:

in crontab.c, function 'parse_args':

<snip>
         if (!(pw = getpwuid(getuid()))) {
                 fprintf(stderr, "%s: your UID isn't in the passwd file.\n",
                         ProgramName);
                 fprintf(stderr, "bailing out.\n");
                 exit(ERROR_EXIT);
         }
 >>      strcpy(User, pw->pw_name);
<snip>
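The following is an added example written for this page, not code from Vixie cron or from the advisory's author. It shows the same getpwuid() lookup with the unbounded strcpy() replaced by a length-checked copy that refuses a login name that does not fit, instead of overflowing or silently truncating it (a truncated name would make crontab act on a different user's spool file). The MAX_UNAME value of 20 mirrors the 20-byte buffer described above; the function names and the sample login names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>

/* Hypothetical stand-in for crontab's User[] buffer size. The advisory says
 * the real buffer holds 20 bytes while useradd accepts names up to 32. */
#define MAX_UNAME 20

/* Copy a login name into a fixed-size buffer. Names that do not fit together
 * with their terminating NUL are rejected rather than truncated.
 * Returns 0 on success, -1 if the name is too long for the destination. */
static int copy_user_name(char *dst, size_t dstlen, const char *name)
{
    size_t n = strlen(name);
    if (dstlen == 0 || n >= dstlen)
        return -1;              /* would overflow, or lose the NUL */
    memcpy(dst, name, n + 1);   /* exactly n bytes plus the NUL */
    return 0;
}

/* Mirrors the parse_args() lookup: resolve the calling user's login name and
 * store it in dst, bailing out instead of overflowing. Returns 0 on success. */
static int lookup_calling_user(char *dst, size_t dstlen)
{
    struct passwd *pw = getpwuid(getuid());
    if (!pw) {
        fprintf(stderr, "your UID isn't in the passwd file.\n");
        return -1;
    }
    if (copy_user_name(dst, dstlen, pw->pw_name) != 0) {
        fprintf(stderr, "login name '%s' exceeds %zu characters; bailing out.\n",
                pw->pw_name, dstlen - 1);
        return -1;
    }
    return 0;
}

int main(void)
{
    char User[MAX_UNAME];
    /* Constructed sample names, not taken from any real system. */
    const char *ok = "alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 chars */

    printf("%-34s -> %s\n", ok,
           copy_user_name(User, sizeof User, ok) == 0 ? "stored" : "rejected");
    printf("%-34s -> %s\n", too_long,
           copy_user_name(User, sizeof User, too_long) == 0 ? "stored" : "rejected");

    /* Real lookup of the process owner; succeeds for any name of 19 chars or less. */
    if (lookup_calling_user(User, sizeof User) == 0)
        printf("calling user: %s\n", User);
    return 0;
}
```

Rejecting the name preserves the property the original code relied on: whatever ends up in User is exactly the caller's login name, never a prefix of it.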


- Quick fix (diff output for crontab.c):

146c146
<       strcpy(User, pw->pw_name);
---
 >       strncpy(User, pw->pw_name, MAX_UNAME - 1);
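Review bot: strncpy() with a count of MAX_UNAME - 1 writes no terminating NUL when pw->pw_name is at least that long, so the replacement line on 146 leaves User unterminated unless its declaration guarantees that last byte is already zero; add an explicit `User[MAX_UNAME - 1] = '\0';` after the copy. Beyond that, truncating instead of rejecting means crontab proceeds under a login name that is only a prefix of the caller's, so a stricter fix is to check strlen(pw->pw_name) against MAX_UNAME and exit(ERROR_EXIT) with a message, as the getpwuid() failure path above already does.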

Or simply remove the setuid bit on /usr/bin/crontab until a vendor patch
has been released, just to be on the safe side.


- Vendor status:

Has been notified, awaiting patch.


- Found by:

flatline (achter05@ie.hva.nl). Shouts go out to xperience, 84/tcp and #darknet.