Re: vixie cron possible local root compromise

2001-02-12 Thread Valentin Nechayev

 Sun, Feb 11, 2001 at 00:38:02, achter05 (Flatline) wrote about "vixie cron possible local root compromise":

 146c146
strcpy(User, pw-pw_name);
 ---
 strncpy(User, pw-pw_name, MAX_UNAME - 1);
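Review bot: `strncpy(User, pw->pw_name, MAX_UNAME - 1)` does not NUL-terminate User when the name is MAX_UNAME - 1 bytes or longer, so the copy needs an explicit `User[MAX_UNAME - 1] = '\0'` after it, and silent truncation still makes crontab act on whichever existing user's name the shortened string happens to match; rejecting over-long names with an error before the copy is the safer fix. (The `->` in `pw->pw_name` and the `<`/`>` ed-diff markers look like they were lost in transcription.)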

 Or simply remove the setuid bit on /usr/bin/crontab until a vendor patch has been released, just to be on the safe side.

I think your fix is too dirty because it can lead crontab to ruin the data of
another user whose name is the shortened name of the caller. It is better for the
tool to segfault than to use an incorrectly shortened name. The best approach with
a fixed buffer is to test the username size before copying:

/* User is a fixed char array; refuse names that would not fit with the NUL */
if( strlen(pw->pw_name) >= sizeof User ) {
	fprintf( stderr, "crontab: fatal: username too long\n" );
	exit( 1 );
}

But, in FreeBSD (I use 5.0-CURRENT) this code already contains a strncpy
similar to yours:

=== cut src/usr.sbin/cron/crontab/crontab.c ===
if (!(pw = getpwuid(getuid())))
	errx(ERROR_EXIT, "your UID isn't in the passwd file, bailing out");
(void) strncpy(User, pw->pw_name, (sizeof User)-1);
User[(sizeof User)-1] = '\0';	/* strncpy does not terminate on overflow */
strcpy(RealUser, User);
=== end cut ===

and I think it should also be corrected to reject too-long usernames.


/netch



Re: m4 format string vulnerability

2001-02-05 Thread Valentin Nechayev

  confirmed for red hat linux 7.0:
  [kerouac:mg:~]m4 -G %x

All folks test it with -G, but it is not really needed.

FreeBSD ports:

netch@iv:~>gm4 -G %x
gm4: bfbffb8c: No such file or directory
netch@iv:~>gm4 %x
gm4: bfbffb8c: No such file or directory
netch@iv:~>gm4 %d
gm4: -1077937268: No such file or directory
netch@iv:~>gm4 %s
gm4: oü¿¿„ü¿¿žü¿¿³ü¿¿Êü¿¿åü¿¿ñü¿¿úü¿¿ý¿¿ý¿¿6ý¿¿Ký¿¿eý¿¿sý¿¿{ý¿¿‘ý¿¿«ý¿¿¹ý¿¿Ëý¿
¿Øý¿¿îý¿¿eþ¿¿xþ¿¿þ¿¿: No such file or directory

(port is m4-1.4)

RH 7.0:

netch@yacc:~>m4 %x
m4: 80499d9: No such file or directory
netch@yacc:~>m4 %d
m4: 134519257: No such file or directory

RH 6.2:

netch@sleipnir:~>m4 %x
m4: 401081cc: No such file or directory
netch@sleipnir:~>rpm -q m4
m4-1.4-12

and so on. Possibly all GNU versions are vulnerable.

Patch against this (tabs are broken by cut-and-paste):

--- src/m4.c.orig   Wed Nov  2 05:14:28 1994
+++ src/m4.cMon Feb  5 10:36:17 2001
@@ -466,7 +466,7 @@
fp = path_search (argv[optind]);
if (fp == NULL)
  {
-   error (0, errno, argv[optind]);
+   error (0, errno, "%s", argv[optind]);
continue;
  }
else
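Review bot: the change at this call site is right (argv[optind] becomes an argument to a fixed "%s" format instead of being the format itself), but it covers only one of the two error() calls of this shape in m4.c; the `error (0, errno, optarg);` in the 'o' option handler at m4.c:372 takes its string from the command line in exactly the same way and needs the identical "%s" change, otherwise the patched build is still format-string exploitable through -o.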

The only other bad usage of error():

m4.c:372: error (0, errno, optarg);

part of code:

==={{{
  case 'o':
if (!debug_set_output (optarg))
  error (0, errno, optarg);
break;
===}}}

The patch is of the same idea.

  m4: 80499d9: Datei oder Verzeichnis nicht gefunden
  [kerouac:mg:~]cat /etc/redhat-release
  Red Hat Linux release 7.0 (Guinness)
  [kerouac:mg:~]rpm -q m4
  m4-1.4.1-3


/netch



Re: Vixie Cron version 3.0pl1 vulnerable to root exploit

1999-09-03 Thread Valentin Nechayev

Martin Schulze [EMAIL PROTECTED] wrote:

 Red Hat has recently released a Security Advisory (RHSA-1999:030-01)
 covering a reverse denial of service bug in the vixie cron package.
 As user you could restart sendmail even if the host should not receive
 mail through the SMTP port.

 Further investigation discovered that it was even worse.  Vixie cron
 runs as root at the time sending acknowledge mail to a user.  Passing
 arbitrary parameters to sendmail at this time leads into a possible
 root exploit (like -C/tmp/myexploitsendmail.cf).

 Olaf Kirch has developed the following patch that will send the mail
 as user instead of root and removes the possibility to pass arguments
 to the installed MTA.

[skip]

 -#define MAILARGS "%s -FCronDaemon -odi -oem -or0s %s"/*-*/
 +#define MAILARGS "%s -FCronDaemon -odi -oem %s"  /*-*/

[skip]

 + /* Check for arguments */
 + if (mailto) {
 + const char  *end;
 +
 + /* These chars have to match those cron_popen()
 +  * uses to split the command string */
 + mailto += strspn(mailto, " \t\n");
 + end = mailto + strcspn(mailto, " \t\n");
 + if (*mailto == '-' || *end != '\0') {
 + printf("Bad Mailto karma.\n");
 + log_it("CRON",getpid(),"error","bad mailto");
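Review bot: the test `*mailto == '-'` makes every recipient whose local part legitimately starts with '-' a hard error, and `*end != '\0'` rejects any MAILTO containing whitespace instead of passing it through, because the whitespace set has to match what cron_popen() uses to split the command line; an option terminator ("--") in MAILARGS would let the MTA's getopt treat the recipient as an operand without banning those addresses. It is also worth confirming that the code after the log_it() call actually aborts the mail rather than falling through, since that part of the hunk is not shown here.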

A much simpler and correct variant is to append "--" to MAILARGS:

 -#define MAILARGS "%s -FCronDaemon -odi -oem -or0s %s"/*-*/
 +#define MAILARGS "%s -FCronDaemon -odi -oem -- %s"   /*-*/

After that, it's possible to use real local parts starting with '-'. ;)
getopt() stops parsing after "--", and arguments after it are parsed as
positional, not as flags.

PS. Also, it is useful to audit any program that invokes another program
with a command line instead of an argument array.
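The getopt() behaviour described above, as an added example that is not part of the thread or of cron's code: a C function that splits a MAILARGS-style command line on blanks the way cron_popen() does, parses the result with getopt(3) as a sendmail-style MTA would (the option letters -F, -C and -o taking arguments are a simplified stand-in for sendmail's real table), and reports whether a recipient beginning with '-' is consumed as an option or left as an operand. build_argv and classify_mailto are names of my own; the two MAILOPTS strings are the option parts of the MAILARGS lines quoted in the thread.

```c
#define _POSIX_C_SOURCE 200809L   /* for getopt(3) under strict -std= modes */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Option parts of the two MAILARGS strings quoted in the thread: cron's original
 * and the variant with "--" appended.  The MTA path and recipient are added by
 * build_argv() below instead of going through a format string. */
#define MAILOPTS_OLD "-FCronDaemon -odi -oem -or0s"
#define MAILOPTS_NEW "-FCronDaemon -odi -oem --"
enum { MAILTO_OPERAND = 0, MAILTO_OPTION = 1, MAILTO_ERROR = 2 };

/* Hypothetical helper: build "sendmail <opts> <mailto>" and split it on blanks,
 * mirroring how cron_popen() turns the command string into an argv. */
static int build_argv(const char *opts, const char *mailto,
                      char *buf, size_t bufsz, char *argv[], int maxargs)
{
    int argc = 0;
    snprintf(buf, bufsz, "sendmail %s %s", opts, mailto);
    for (char *tok = strtok(buf, " \t\n"); tok != NULL && argc < maxargs - 1;
         tok = strtok(NULL, " \t\n"))
        argv[argc++] = tok;
    argv[argc] = NULL;
    return argc;
}

/* Parse that argv with getopt(3) as a sendmail-style MTA would and report how
 * `mailto` came out: swallowed as an option (e.g. -C<config file>) or kept as a
 * recipient operand.  -F, -C and -o each take an argument; this is a simplified
 * stand-in for sendmail's real option table, not a copy of it. */
int classify_mailto(const char *opts, const char *mailto)
{
    char buf[256], *argv[16];
    int argc = build_argv(opts, mailto, buf, sizeof buf, argv, 16);
    int c, saw_C = 0;
    optind = 1;   /* POSIX reset so the function can be called repeatedly */
#ifdef __GLIBC__
    optind = 0;   /* glibc needs 0 for a full reset of its internal getopt state */
#endif
    opterr = 0;   /* keep getopt(3) quiet about unknown letters */
    /* leading '+' = POSIX ordering: stop at the first operand or at "--" */
    while ((c = getopt(argc, argv, "+F:C:o:")) != -1) {
        if (c == 'C') saw_C = 1;              /* config-file override reached the MTA */
        else if (c == '?') return MAILTO_ERROR;
    }
    if (saw_C) return MAILTO_OPTION;
    /* option parsing stopped at "--" or at a plain address: optind names the recipient */
    return (optind < argc && strcmp(argv[optind], mailto) == 0) ? MAILTO_OPERAND
                                                              : MAILTO_ERROR;
}
```

With MAILOPTS_OLD a constructed recipient such as "-C/tmp/constructed.cf" is reported as MAILTO_OPTION; with MAILOPTS_NEW the same string, and a local part like "-dashuser", are reported as MAILTO_OPERAND.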