Re: vixie cron possible local root compromise
Sun, Feb 11, 2001 at 00:38:02, achter05 (Flatline) wrote about "vixie cron possible local root compromise":

> 146c146
> strcpy(User, pw->pw_name);
> ---
> strncpy(User, pw->pw_name, MAX_UNAME - 1);
>
> Or simply remove the setuid bit on /usr/bin/crontab until a vendor patch has been released, just to be on the safe side.

I think your fix is too dirty because it can lead crontab to ruin the data of another user whose name is a shortened form of the caller's name. It is better for the tool to segfault instead of using an incorrectly shortened name.

The best approach with a fixed buffer is to test the username size before copying:

if( strlen(pw->pw_name) >= sizeof User ) {
	fprintf( stderr, "crontab: fatal: username too long\n" );
	exit( 1 );
}

But in FreeBSD (I use 5.0-CURRENT) this code already contains a strncpy similar to yours:

=== cut src/usr.sbin/cron/crontab/crontab.c ===
	if (!(pw = getpwuid(getuid())))
		errx(ERROR_EXIT, "your UID isn't in the passwd file, bailing out");
	(void) strncpy(User, pw->pw_name, (sizeof User)-1);
	User[(sizeof User)-1] = '\0';
	strcpy(RealUser, User);
=== end cut ===

and I think it should also be corrected to reject too long usernames.

/netch
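Review bot: the quoted 146c146 hunk copies at most MAX_UNAME - 1 bytes but never writes a terminator itself, so for a name of MAX_UNAME - 1 characters or longer it relies on User being a zero-initialised static; the FreeBSD lines quoted in the reply add the explicit `User[(sizeof User)-1] = '\0';`, and the hunk should do the same, or better, reject overlong names outright as the reply proposes, since a silently shortened name can equal another account's name.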
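The username-length check argued for above, as an added C example (not cron's code, and not code from the thread): it contrasts a checked copy that refuses overlong names with the strncpy truncation, using a deliberately small constructed buffer size UNAME_BUFSZ and the constructed account names "alice" and "alicemallory" to show the collision.

```c
#include <stdio.h>
#include <string.h>

/* Deliberately tiny buffer (constructed for the demo; cron's real
 * MAX_UNAME is larger) so that truncation collisions are easy to see. */
#define UNAME_BUFSZ 6

/* Checked copy: refuse a name that would not fit together with its NUL.
 * Returns 1 and fills dst on success, 0 (dst untouched) if too long. */
int copy_user_checked(char *dst, size_t dstsz, const char *name)
{
    size_t n = strlen(name);
    if (n >= dstsz)
        return 0;
    memcpy(dst, name, n + 1);
    return 1;
}

/* Truncating copy, the strncpy form from the original proposal:
 * it never fails, it just silently shortens the name. */
void copy_user_truncating(char *dst, size_t dstsz, const char *name)
{
    strncpy(dst, name, dstsz - 1);
    dst[dstsz - 1] = '\0';
}

/* Does truncating `name` into a UNAME_BUFSZ buffer yield exactly `other`?
 * That is the case the reply warns about: crontab acts on the wrong user. */
int truncation_collides(const char *name, const char *other)
{
    char buf[UNAME_BUFSZ];
    copy_user_truncating(buf, sizeof buf, name);
    return strcmp(buf, other) == 0;
}

int main(void)
{
    char User[UNAME_BUFSZ];
    const char *existing = "alice";        /* constructed: a real account */
    const char *caller = "alicemallory";   /* constructed: caller, long name */

    printf("truncating copy of \"%s\" becomes \"%s\": %s\n", caller, existing,
           truncation_collides(caller, existing) ? "yes" : "no");
    /* The check proposed in the reply, in place of silent truncation. */
    if (!copy_user_checked(User, sizeof User, caller)) {
        fprintf(stderr, "crontab: fatal: username too long\n");
        return 1;
    }
    return 0;
}
```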
Re: m4 format string vulnerability
> confirmed for red hat linux 7.0:
> [kerouac:mg:~]m4 -G %x

All folks test it with -G, but it is not really needed.

FreeBSD ports:

netch@iv:~gm4 -G %x
gm4: bfbffb8c: No such file or directory
netch@iv:~gm4 %x
gm4: bfbffb8c: No such file or directory
netch@iv:~gm4 %d
gm4: -1077937268: No such file or directory
netch@iv:~gm4 %s
gm4: oü¿¿ü¿¿ü¿¿³ü¿¿Êü¿¿åü¿¿ñü¿¿úü¿¿ý¿¿ý¿¿6ý¿¿Ký¿¿eý¿¿sý¿¿{ý¿¿ý¿¿«ý¿¿¹ý¿¿Ëý¿ ¿Øý¿¿îý¿¿eþ¿¿xþ¿¿þ¿¿: No such file or directory

(port is m4-1.4)

RH 7.0:

netch@yacc:~m4 %x
m4: 80499d9: No such file or directory
netch@yacc:~m4 %d
m4: 134519257: No such file or directory

RH 6.2:

netch@sleipnir:~m4 %x
m4: 401081cc: No such file or directory
netch@sleipnir:~rpm -q m4
m4-1.4-12

and so on. Possibly all GNU versions are vulnerable.

Patch against this (tabs are broken by cut-and-paste):

--- src/m4.c.orig Wed Nov 2 05:14:28 1994
+++ src/m4.cMon Feb 5 10:36:17 2001
@@ -466,7 +466,7 @@
 fp = path_search (argv[optind]);
 if (fp == NULL)
 {
- error (0, errno, argv[optind]);
+ error (0, errno, "%s", argv[optind]);
 continue;
 }
 else

The only other bad usage of error() is at m4.c:372:

error (0, errno, optarg);

part of code:

==={{{
	case 'o':
	  if (!debug_set_output (optarg))
	    error (0, errno, optarg);
	  break;
===}}}

The patch is of the same idea.

> m4: 80499d9: Datei oder Verzeichnis nicht gefunden
> [kerouac:mg:~]cat /etc/redhat-release
> Red Hat Linux release 7.0 (Guinness)
> [kerouac:mg:~]rpm -q m4
> m4-1.4.1-3

/netch
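Review bot: the @@ -466,7 +466,7 @@ hunk fixes only the path_search() call site; the message itself names a second format-string sink at m4.c:372 (`error (0, errno, optarg);` in the 'o' case), which needs the same `"%s"` treatment, so the patch as posted is incomplete and should carry both hunks. Passing a caller-controlled string as the format argument is exactly what the %x / %d / %s runs above exercise, so the fix should be applied to every error() call whose third argument is not a literal.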
Re: Vixie Cron version 3.0pl1 vulnerable to root exploit
Martin Schulze [EMAIL PROTECTED] wrote:

> Red Hat has recently released a Security Advisory (RHSA-1999:030-01) covering a reverse denial of service bug in the vixie cron package. As user you could restart sendmail even if the host should not receive mail through the SMTP port.
>
> Further investigation discovered that it was even worse. Vixie cron runs as root at the time of sending the acknowledge mail to a user. Passing arbitrary parameters to sendmail at this time leads to a possible root exploit (like -C/tmp/myexploitsendmail.cf).
>
> Olaf Kirch has developed the following patch that will send the mail as user instead of root and removes the possibility to pass arguments to the installed MTA.
>
> [skip]
> -#define MAILARGS "%s -FCronDaemon -odi -oem -or0s %s"/*-*/
> +#define MAILARGS "%s -FCronDaemon -odi -oem %s" /*-*/
> [skip]
> + /* Check for arguments */
> + if (mailto) {
> + const char *end;
> +
> + /* These chars have to match those cron_popen()
> + * uses to split the command string */
> + mailto += strspn(mailto, " \t\n");
> + end = mailto + strcspn(mailto, " \t\n");
> + if (*mailto == '-' || *end != '\0') {
> + printf("Bad Mailto karma.\n");
> + log_it("CRON",getpid(),"error","bad mailto");

A quite simpler and correct variant is to append "--" to MAILARGS:

-#define MAILARGS "%s -FCronDaemon -odi -oem -or0s %s"/*-*/
+#define MAILARGS "%s -FCronDaemon -odi -oem -- %s" /*-*/

After it, it is possible to use real local parts starting with '-'. ;)

getopt() stops parsing after "--", and arguments after it will be parsed as positional, not as flags.

PS. Also, it is useful to audit any program that invokes another program with a command line instead of an argument array.
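Review bot: the quoted MAILARGS hunk drops `-or0s` together with the hardening, which is a behaviour change (the read timeout option is gone) unrelated to the argument-injection fix and should be called out in the changelog; on its own, removing that option does nothing to stop a mailto beginning with '-' from being parsed as an option, so this hunk only makes sense together with the mailto check hunk that follows it.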
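Review bot: the `--` in the proposed `+#define MAILARGS "%s -FCronDaemon -odi -oem -- %s"` hunk relies on the MTA's option parser honouring the getopt end-of-options marker; that holds for sendmail, but MAILARGS is expanded for whatever MTA the build is configured with, and a parser that does not stop at `--` would still treat a leading '-' in the recipient as an option. Keeping a mailto sanity check alongside `--` costs little and does not block legitimate local parts, since the check runs on the value, not on the MTA's parsing.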