6084459 2001-02-11 00:38 +0100  /78 lines/ Flatline <achter05@IE.HVA.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-12  19:50  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: achter05@IE.HVA.NL
Recipient: Bugtraq (import) <15358>
Subject: vixie cron possible local root compromise
------------------------------------------------------------
From: Flatline <achter05@IE.HVA.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <5.0.2.1.2.20010211003607.00a627e8@pop3.lb.hva.nl>

- Introduction:

Paul Vixie's crontab version 3.0.1-56 contains another buffer
overflow vulnerability.  I'm not sure whether it's exploitable or
not; it needs to be fixed, however.


- Platforms:

I've only tested it under Red Hat linux 7.0 which uses version
3.0.1-56, although this condition almost certainly affects all
systems running this crontab.


- Description:

When crontab has determined the name of the user calling crontab
(using getpwuid()), the login name is stored in a 20-byte buffer
using the strcpy() function (which does no bounds
checking). 'useradd' (the utility used to add users to the system),
however, allows usernames of over 20 characters (32 at most on my
distribution).

Therefore, running crontab as a user whose login name exceeds 20
characters crashes it.

Example:

[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@testgrounds AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]$ crontab
Segmentation fault
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@testgrounds AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]$

Where 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' is a valid user.


- Problematic code:

in crontab.c, function 'parse_args':

<snip>
         if (!(pw = getpwuid(getuid()))) {
                 fprintf(stderr, "%s: your UID isn't in the passwd file.\n",
                         ProgramName);
                 fprintf(stderr, "bailing out.\n");
                 exit(ERROR_EXIT);
         }
 >>      strcpy(User, pw->pw_name);
<snip>


- Quick fix (diff output for crontab.c):

146c146
<       strcpy(User, pw->pw_name);
---
 >       strncpy(User, pw->pw_name, MAX_UNAME - 1);
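Review bot: the replacement line truncates instead of rejecting: a login name longer than MAX_UNAME - 1 characters is silently cut short, so crontab then runs under a shorter name that may be a different, existing account, and that account's crontab is listed, replaced or removed instead of the caller's. Check the length and bail out on the same path the getpwuid() failure uses a few lines above, e.g. `if (strlen(pw->pw_name) >= MAX_UNAME) { fprintf(stderr, "%s: username too long\n", ProgramName); exit(ERROR_EXIT); }`. Note also that strncpy(User, pw->pw_name, MAX_UNAME - 1) writes no terminator when the source is MAX_UNAME - 1 characters or longer; User[MAX_UNAME - 1] is only guaranteed to be NUL if User has static storage or is cleared elsewhere, which the hunk does not show, so set it explicitly after the copy.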

Or simply remove the setuid bit on /usr/bin/crontab until a vendor
patch has been released, just to be on the safe side.


- Vendor status:

Has been notified, awaiting patch.


- Found by:

flatline (achter05@ie.hva.nl). Shouts go out to xperience, 84/tcp and
#darknet.
(6084459) --------------------------------(Reflowed)
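The three ways of getting a login name into crontab's fixed 20-byte User[] buffer that this thread discusses (the original strcpy(), the truncating strncpy() quick fix, and rejecting over-long names), as an added C example that is not code from the original post or from vixie-cron. MAX_UNAME, the constructed passwd names and the function names are assumptions made for the demo. It does not perform the overflow itself (that is undefined behaviour) but reports when the strcpy() would overflow, and it shows the side effect of the strncpy() fix that the replies below raise: a long login name truncated to MAX_UNAME - 1 characters can equal another, existing account, so crontab would operate on that user's crontab.

```c
/* Added example, not code from the original post or from vixie-cron.
 * Contrasts the three ways this thread discusses of getting a login
 * name into crontab's fixed User[] buffer: the original strcpy(), the
 * truncating strncpy() quick fix, and rejecting over-long names.
 * MAX_UNAME, SAMPLE_PASSWD and all function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_UNAME 20            /* size of the User[] buffer per the post */

/* Constructed passwd table for the demo: a 19-character name and a
 * 29-character name whose first 19 characters are identical. */
static const char *const SAMPLE_PASSWD[] = {
    "root",
    "aaaaaaaaaabbbbbbbbb",           /* 19 chars: fits in User[] */
    "aaaaaaaaaabbbbbbbbbcccccccccc", /* 29 chars: does not fit */
    NULL
};

/* Stand-in for getpwnam(): does the name exist in the constructed table? */
int user_exists(const char *name)
{
    for (const char *const *p = SAMPLE_PASSWD; *p != NULL; p++)
        if (strcmp(*p, name) == 0)
            return 1;
    return 0;
}

/* 1. The original code: strcpy(User, pw->pw_name).  The overflow is not
 *    performed here (undefined behaviour); this reports whether it would
 *    happen, i.e. whether the name plus its NUL exceeds the buffer. */
int strcpy_would_overflow(const char *pw_name)
{
    return strlen(pw_name) + 1 > MAX_UNAME;
}

/* 2. The quick fix from the post: strncpy(User, pw_name, MAX_UNAME - 1).
 *    Never overflows, but silently truncates.  The terminator is written
 *    explicitly because strncpy() does not add one when src is too long. */
void copy_truncating(char dst[MAX_UNAME], const char *pw_name)
{
    strncpy(dst, pw_name, MAX_UNAME - 1);
    dst[MAX_UNAME - 1] = '\0';
}

/* 3. The rejecting fix: refuse a name that does not fit, copy otherwise.
 *    Returns 0 on success, -1 if the name is too long (dst untouched). */
int copy_or_reject(char dst[MAX_UNAME], const char *pw_name)
{
    if (strlen(pw_name) >= MAX_UNAME)
        return -1;
    strcpy(dst, pw_name);           /* safe: length checked above */
    return 0;
}

/* crontab goes on to open the spool file named after User.  Returns 1
 * when the truncated name is a *different* account that exists, i.e. the
 * caller would be handed that user's crontab instead of their own. */
int truncation_collides(const char *pw_name)
{
    char user[MAX_UNAME];
    copy_truncating(user, pw_name);
    return strcmp(user, pw_name) != 0 && user_exists(user);
}

int main(void)
{
    for (const char *const *p = SAMPLE_PASSWD; *p != NULL; p++) {
        char user[MAX_UNAME];
        printf("%-30s overflow=%d collides=%d rejected=%d\n", *p,
               strcpy_would_overflow(*p), truncation_collides(*p),
               copy_or_reject(user, *p) == -1);
    }
    return 0;
}
```

For the 29-character name all three columns come out 1: the original copy overflows, the strncpy() fix resolves it to the existing 19-character account, and only the length check refuses it outright, which is why the rejecting variant is the one to prefer for a setuid binary.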
6086273 2001-02-12 22:14 +0100  /32 lines/ Mark van Reijn <mark@EDUP.TUDELFT.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13  05:39  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mark@EDUP.TUDELFT.NL
Recipient: Bugtraq (import) <15401>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------
From: Mark van Reijn <mark@EDUP.TUDELFT.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <MWMail.qictdfos@host.none>

Hmm, doesn't do anything weird/wrong on my RH6.2 server:

[aaaaaaaaaabbbbbbbbbbcccccccccc@obelix mark]$ crontab -e
no crontab for aaaaaaaaaabbbbbbbbbbaaaaaaaaaabbbbbbbbbbaaaaaaaaaab - using an empty one
crontab: installing new crontab
[aaaaaaaaaabbbbbbbbbbcccccccccc@obelix mark]$ crontab
crontab: usage error: file name must be specified for replace
usage:  crontab [-u user] file
        crontab [-u user] { -e | -l | -r }
                (default operation is replace, per 1003.2)
        -e      (edit user's crontab)
        -l      (list user's crontab)
        -r      (delete user's crontab)
[aaaaaaaaaabbbbbbbbbbcccccccccc@obelix mark]$

It runs vixie-cron-3.0.1-40...

Mark
--
___________________________

Mark van Reijn
mark@edup.tudelft.nl
___________________________
"Because light travels faster than sound, most people appear to be intelligent,
  until you hear them speak"
(6086273) ------------------------------------------
6086276 2001-02-12 19:47 +0100  /19 lines/ Peter van Dijk <peter@DATALOSS.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13  05:44  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: peter@DATALOSS.NL
Recipient: Bugtraq (import) <15402>
Comment on text 6084459 by Flatline <achter05@IE.HVA.NL>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------
From: Peter van Dijk <peter@DATALOSS.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010212194738.B55386@dataloss.nl>

On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:
[snip]
> - Quick fix (diff output for crontab.c):
>
> 146c146
> <       strcpy(User, pw->pw_name);
> ---
>  >       strncpy(User, pw->pw_name, MAX_UNAME - 1);

Uhm, won't the user running crontab then get another user's crontab,
if the 'stripped' username actually exists?

Greetz, Peter.
(6086276) ------------------------------------------
6086279 2001-02-12 15:46 -0800  /28 lines/ Blake R. Swopes <bhodi@BIGFOOT.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13  05:47  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: bhodi@BIGFOOT.COM
Recipient: Bugtraq (import) <15403>
Comment on text 6084459 by Flatline <achter05@IE.HVA.NL>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------
From: "Blake R. Swopes" <bhodi@BIGFOOT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <000401c0954e$00babe40$0300000a@TheWell.LAN>

Considering what overflows the buffer (your username), it would seem
that you'd need root access to begin with in order to craft an
exploit. Am I wrong?

Of course, maybe this could be some exotic new addition to a rootkit.

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of
> Flatline
> Sent: Saturday, February 10, 2001 3:38 PM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: vixie cron possible local root compromise
>
>
> - Introduction:
>
> Paul Vixie's crontab version 3.0.1-56 contains another buffer overflow
> vulnerability.
> I'm not sure whether it's exploitable or not, it needs to be
> fixed however.
>
>
(6086279) --------------------------------(Reflowed)
6086300 2001-02-13 00:04 +0200  /42 lines/ Valentin Nechayev <netch@IV.NN.KIEV.UA>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13  06:31  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: netch@netch.kiev.ua
Recipient: Bugtraq (import) <15406>
Comment on text 6084459 by Flatline <achter05@IE.HVA.NL>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------
From: Valentin Nechayev <netch@IV.NN.KIEV.UA>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010213000433.B348@iv.nn.kiev.ua>

 Sun, Feb 11, 2001 at 00:38:02, achter05 (Flatline) wrote about
"vixie cron possible local root compromise":

> 146c146
> <       strcpy(User, pw->pw_name);
> ---
>  >       strncpy(User, pw->pw_name, MAX_UNAME - 1);
>
> Or simply remove the setuid bit on /usr/bin/crontab until a vendor patch
> has been released,
> just to be on the safe side.

I think your fix is too dirty because it can lead crontab to ruin
the data of another user whose name is the shortened name of the
caller. It is better for the tool to segfault than to use an
incorrectly shortened name. The best option with a fixed buffer is
to test the username size before copying:

	if( strlen(pw->pw_name) >= sizeof User ) {
		fprintf( stderr, "crontab: fatal: username too long\n" );
		exit( 1 );
	}

But in FreeBSD (I use 5.0-CURRENT) this code already contains a
strncpy similar to yours:

=== cut src/usr.sbin/cron/crontab/crontab.c ===
        if (!(pw = getpwuid(getuid())))
                errx(ERROR_EXIT, "your UID isn't in the passwd file, bailing out");
        (void) strncpy(User, pw->pw_name, (sizeof User)-1);
        User[(sizeof User)-1] = '\0';
        strcpy(RealUser, User);
=== end cut ===

and I think it should also be corrected to reject too-long usernames.


/netch
(6086300) --------------------------------(Reflowed)
6091606 2001-02-12 19:42 -0800  /18 lines/ Kris Kennaway <kris@OBSECURITY.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13  22:47  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: kris@OBSECURITY.ORG
Recipient: Bugtraq (import) <15414>
Comment on text 6084459 by Flatline <achter05@IE.HVA.NL>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------
On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:

> the login name is stored in a 20 byte buffer using the strcpy() function
> (which does no bounds checking). 'useradd' (the utility used to add users
> to the system)
> however allows usernames of over 20 characters (32 at most on my distribution).
> 
> Therefore, running crontab as a user whose login name exceeds 20 characters
> crashes it.

I don't see any real-world scenarios where this would be exploitable -
usernames must be set by the administrator.  Even in the case of
e.g. a hostile NIS server, the NIS server can probably just add an
account with uid 0 and log in to the client with root privileges.

Kris
(6091606) ------------------------------------------
Attachment (application/pgp-signature) in text 6091607
6092262 2001-02-12 23:18 -0500  /23 lines/ Andrew Brown <atatat@ATATDOT.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-02-14  01:25  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: bugtraq@SECURITYFOCUS.COM
Recipient: Bugtraq (import) <15428>
Comment on text 6084459 by Flatline <achter05@IE.HVA.NL>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------
From: Andrew Brown <atatat@ATATDOT.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010212231804.A25742@noc.untraceable.net>

>When crontab has determined the name of the user calling crontab (using
>getpwuid()),
>the login name is stored in a 20 byte buffer using the strcpy() function
>(which does no bounds checking). 'useradd' (the utility used to add users
>to the system)
>however allows usernames of over 20 characters (32 at most on my distribution).

I can see how this is an "issue", but don't you already have to be
root to get a user name longer than 20 characters?  Or are you just
assuming that some admins out there will fail to balk at such a
strange request?

--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
(6092262) ------------------------------------------
Comment in text 6092379 by Alfred Perlstein <bright@WINTELCOM.NET>
6092379 2001-02-13 15:00 -0800  /27 lines/ Alfred Perlstein <bright@WINTELCOM.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-02-14  04:56  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: bright@WINTELCOM.NET
Recipient: Bugtraq (import) <15439>
Comment on text 6092262 by Andrew Brown <atatat@ATATDOT.NET>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------
From: Alfred Perlstein <bright@WINTELCOM.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010213150023.W3274@fw.wintelcom.net>

* Andrew Brown <atatat@ATATDOT.NET> [010213 14:38] wrote:
> >When crontab has determined the name of the user calling crontab (using
> >getpwuid()),
> >the login name is stored in a 20 byte buffer using the strcpy() function
> >(which does no bounds checking). 'useradd' (the utility used to add users
> >to the system)
> >however allows usernames of over 20 characters (32 at most on my distribution).
>
> i can see how this is an "issue", but don't you already have to be
> root to get a user name longer than 20 characters?  or are you just
> assuming that some admins out there will fail to balk at such a
> strange request?

I vaguely remember some packages that allow non-root users to add
other non-root users; if the wrapper script/program isn't careful
about limiting the username, someone trusted to do account additions
may gain root if this is exploitable.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
(6092379) ------------------------------------------
6092290 2001-02-13 20:52 +0100  /46 lines/ Mark van Reijn <mark@EDUP.TUDELFT.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-14  01:50  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mark@EDUP.TUDELFT.NL
Recipient: Bugtraq (import) <15430>
Subject: Re: [2]  vixie cron possible local root compromise
------------------------------------------------------------
From: Mark van Reijn <mark@EDUP.TUDELFT.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <MWMail.aqinmttj@host.none>

You are so right!! Must have been very late or something...  I've
checked whether it actually works... nope!  Crontab doesn't get more
than 20 chars, but somehow it copies them twice?  Strange.

Mark

Mate Wierdl <mw@thales.memphis.edu> wrote on 13-2-01 18:23:10:
>
>On Mon, Feb 12, 2001 at 10:14:00PM +0100, Mark van Reijn wrote:
>> Hmm, doesn't do anything weird/wrong on my RH6.2 server:
>>
>> [aaaaaaaaaabbbbbbbbbbcccccccccc@obelix mark]$ crontab -e
>> no crontab for aaaaaaaaaabbbbbbbbbbaaaaaaaaaabbbbbbbbbbaaaaaaaaaab - using an empty one
>
>I thought it is weird that you are aaaaaaaaaabbbbbbbbbbcccccccccc, and
>cron is talking about user
>
>aaaaaaaaaabbbbbbbbbbaaaaaaaaaabbbbbbbbbbaaaaaaaaaab
>
>On the other hand, on RH Linux 7.0 with vixie-cron-3.0.1-56, I get
>
>[abcabcabcabcabcabcabcabcabcabc@thales ~]$ crontab -e
>Segmentation fault
>
>
>Mate
>---
>Mate Wierdl | Dept. of Math. Sciences | University of Memphis


--
___________________________

Mark van Reijn
mark@edup.tudelft.nl
___________________________
"Because light travels faster than sound, most people appear to be intelligent,
  until you hear them speak"
(6092290) --------------------------------(Reflowed)