From: Flatline (achter05IE.HVA.NL)
Date: Sat Feb 10 2001 - 17:38:02 CST


    - Introduction:

    Paul Vixie's crontab version 3.0.1-56 contains another buffer overflow
    vulnerability. I'm not sure whether it's exploitable or not; it needs to be
    fixed, however.

    - Platforms:

    I've only tested it under Red Hat Linux 7.0, which uses version 3.0.1-56,
    although this condition almost certainly affects all systems running this
    crontab.

    - Description:

    When crontab has determined the name of the calling user (using
    getpwuid()), it copies the login name into a 20-byte buffer with strcpy(),
    which does no bounds checking. 'useradd' (the utility used to add users to
    the system), however, allows usernames of more than 20 characters (32 at
    most on my distribution).

    Therefore, running crontab as a user whose login name exceeds 20 characters
    crashes it.

    Example:

    [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@testgrounds AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]$ crontab
    Segmentation fault
    [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@testgrounds AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]$

    Where 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' is a valid user.

    - Problematic code:

    In crontab.c, function parse_args():

    <snip>
        if (!(pw = getpwuid(getuid()))) {
                fprintf(stderr, "%s: your UID isn't in the passwd file.\n",
                        ProgramName);
                fprintf(stderr, "bailing out.\n");
                exit(ERROR_EXIT);
        }
    >>  strcpy(User, pw->pw_name);   /* unbounded copy into the 20-byte User buffer */
    <snip>
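    To make the failure mode concrete, here is an added example (not code from the advisory or from Vixie cron): a checked copy that refuses login names which do not fit the 20-byte buffer, next to a small probe showing why an unchecked strncpy() of MAX_UNAME - 1 bytes can leave the buffer unterminated. MAX_UNAME as the size constant of the User buffer, and copy_user_name()/strncpy_leaves_terminated(), are assumed names for this illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_UNAME 20  /* size of crontab's User[] buffer per the advisory (macro name assumed) */
/* Checked replacement for the bare strcpy() in parse_args(): returns 0 and
 * copies the name if it fits together with its NUL, -1 otherwise, instead of
 * overflowing (strcpy) or silently truncating it (unchecked strncpy). */
static int copy_user_name(char *dst, size_t dst_size, const char *pw_name)
{
    size_t len = strlen(pw_name);
    if (len >= dst_size)            /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, pw_name, len + 1);  /* copies the NUL as well */
    return 0;
}

/* Why strncpy(dst, src, sizeof dst - 1) alone is not a complete fix: for a
 * name of sizeof dst - 1 characters or more it writes no NUL at all.
 * Returns 1 if the buffer ends up NUL-terminated, 0 if not. */
static int strncpy_leaves_terminated(const char *src)
{
    char buf[MAX_UNAME];
    memset(buf, 'X', sizeof buf);          /* stand-in for uninitialised stack bytes */
    strncpy(buf, src, sizeof buf - 1);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

int main(void)
{
    char User[MAX_UNAME];
    struct passwd *pw = getpwuid(getuid());   /* the lookup parse_args() does */
    /* Constructed 32-character name, like the advisory's all-'A' test user. */
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    if (!pw) {
        fprintf(stderr, "your UID isn't in the passwd file.\n");
        return 1;
    }
    if (copy_user_name(User, sizeof User, pw->pw_name) != 0) {
        fprintf(stderr, "login name '%s' too long, bailing out.\n", pw->pw_name);
        return 1;
    }
    printf("caller: %s\n", User);
    printf("strncpy on a 32-char name leaves User terminated? %d\n",
           strncpy_leaves_terminated(long_name));
    return 0;
}
```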

    - Quick fix (diff output for crontab.c):

    146c146
    < strcpy(User, pw->pw_name);

    ---
     >       strncpy(User, pw->pw_name, MAX_UNAME - 1);
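    Review bot: strncpy(User, pw->pw_name, MAX_UNAME - 1) does not guarantee a terminating NUL. When pw_name is MAX_UNAME - 1 characters or longer, strncpy copies exactly MAX_UNAME - 1 bytes and pads nothing, so User[MAX_UNAME - 1] keeps whatever the buffer held and later string functions can read past it. Either add `User[MAX_UNAME - 1] = '\0';` right after the copy, or, better, check `strlen(pw->pw_name) >= MAX_UNAME` and exit with ERROR_EXIT the way the getpwuid() failure just above it does: a silently truncated name makes crontab act on a crontab named after the truncated string rather than the caller, which is a correctness and security problem of its own.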
    

    Or simply remove the setuid bit on /usr/bin/crontab until a vendor patch has been released, just to be on the safe side.

    - Vendor status:

    Has been notified, awaiting patch.

    - Found by:

    flatline (achter05ie.hva.nl). Shouts go out to xperience, 84/tcp and #darknet.