6084459 2001-02-11 00:38 +0100 /78 lines/ Flatline <achter05@IE.HVA.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-12 19:50 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: achter05@IE.HVA.NL
Recipient: Bugtraq (import) <15358>
Subject: vixie cron possible local root compromise
------------------------------------------------------------
From: Flatline <achter05@IE.HVA.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <5.0.2.1.2.20010211003607.00a627e8@pop3.lb.hva.nl>

- Introduction:

Paul Vixie's crontab version 3.0.1-56 contains another buffer overflow
vulnerability. I'm not sure whether it's exploitable or not; it needs to be
fixed however.

- Platforms:

I've only tested it under Red Hat Linux 7.0, which uses version 3.0.1-56,
although this condition almost certainly affects all systems running this
crontab.

- Description:

When crontab has determined the name of the user calling crontab (using
getpwuid()), the login name is stored in a 20 byte buffer using the strcpy()
function (which does no bounds checking). 'useradd' (the utility used to add
users to the system) however allows usernames of over 20 characters (32 at
most on my distribution).

Therefore, running crontab as a user whose login name exceeds 20 characters
crashes it.

Example:

[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@testgrounds AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]$ crontab
Segmentation fault
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@testgrounds AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]$

Where 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' is a valid user.
- Problematic code: in crontab.c, function 'parse_args':

<snip>
        if (!(pw = getpwuid(getuid()))) {
                fprintf(stderr, "%s: your UID isn't in the passwd file.\n",
                        ProgramName);
                fprintf(stderr, "bailing out.\n");
                exit(ERROR_EXIT);
        }
>>      strcpy(User, pw->pw_name);
<snip>

- Quick fix (diff output for crontab.c):

146c146
< strcpy(User, pw->pw_name);
---
> strncpy(User, pw->pw_name, MAX_UNAME - 1);

Or simply remove the setuid bit on /usr/bin/crontab until a vendor patch has
been released, just to be on the safe side.

- Vendor status:

Has been notified, awaiting patch.

- Found by:

flatline (achter05@ie.hva.nl).
Shouts go out to xperience, 84/tcp and #darknet.
(6084459) --------------------------------(Rewrapped)

6086273 2001-02-12 22:14 +0100 /32 lines/ Mark van Reijn <mark@EDUP.TUDELFT.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13 05:39 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mark@EDUP.TUDELFT.NL
Recipient: Bugtraq (import) <15401>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------
From: Mark van Reijn <mark@EDUP.TUDELFT.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <MWMail.qictdfos@host.none>

Hmm, doesn't do anything weird/wrong on my RH6.2 server:

[aaaaaaaaaabbbbbbbbbbcccccccccc@obelix mark]$ crontab -e
no crontab for aaaaaaaaaabbbbbbbbbbaaaaaaaaaabbbbbbbbbbaaaaaaaaaab - using an empty one
crontab: installing new crontab
[aaaaaaaaaabbbbbbbbbbcccccccccc@obelix mark]$ crontab
crontab: usage error: file name must be specified for replace
usage:  crontab [-u user] file
        crontab [-u user] { -e | -l | -r }
                (default operation is replace, per 1003.2)
        -e      (edit user's crontab)
        -l      (list user's crontab)
        -r      (delete user's crontab)
[aaaaaaaaaabbbbbbbbbbcccccccccc@obelix mark]$

It runs vixie-cron-3.0.1-40...
Mark

--
___________________________
Mark van Reijn
mark@edup.tudelft.nl
___________________________
"Because light travels faster than sound, most people appear to be
intelligent, until you hear them speak"
(6086273) ------------------------------------------

6086276 2001-02-12 19:47 +0100 /19 lines/ Peter van Dijk <peter@DATALOSS.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13 05:44 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: peter@DATALOSS.NL
Recipient: Bugtraq (import) <15402>
Comment on text 6084459 by Flatline <achter05@IE.HVA.NL>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------
From: Peter van Dijk <peter@DATALOSS.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010212194738.B55386@dataloss.nl>

On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:
[snip]
> - Quick fix (diff output for crontab.c):
>
> 146c146
> < strcpy(User, pw->pw_name);
> ---
> > strncpy(User, pw->pw_name, MAX_UNAME - 1);

Uhm, won't the user running crontab then get another user's crontab, if the
'stripped' username actually exists?

Greetz, Peter.
(6086276) ------------------------------------------

6086279 2001-02-12 15:46 -0800 /28 lines/ Blake R. Swopes <bhodi@BIGFOOT.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13 05:47 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: bhodi@BIGFOOT.COM
Recipient: Bugtraq (import) <15403>
Comment on text 6084459 by Flatline <achter05@IE.HVA.NL>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------
From: "Blake R. Swopes" <bhodi@BIGFOOT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <000401c0954e$00babe40$0300000a@TheWell.LAN>

Considering what overflows the buffer (your username), it would seem that
you'd need root access to begin with in order to craft an exploit. Am I
wrong?
Of course, maybe this could be some exotic new addition to a rootkit.

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of
> Flatline
> Sent: Saturday, February 10, 2001 3:38 PM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: vixie cron possible local root compromise
>
>
> - Introduction:
>
> Paul Vixie's crontab version 3.0.1-56 contains another buffer overflow
> vulnerability.
> I'm not sure whether it's exploitable or not, it needs to be
> fixed however.
>
>
(6086279) --------------------------------(Rewrapped)

6086300 2001-02-13 00:04 +0200 /42 lines/ Valentin Nechayev <netch@IV.NN.KIEV.UA>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13 06:31 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: netch@netch.kiev.ua
Recipient: Bugtraq (import) <15406>
Comment on text 6084459 by Flatline <achter05@IE.HVA.NL>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------
From: Valentin Nechayev <netch@IV.NN.KIEV.UA>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010213000433.B348@iv.nn.kiev.ua>

Sun, Feb 11, 2001 at 00:38:02, achter05 (Flatline) wrote about "vixie cron
possible local root compromise":

> 146c146
> < strcpy(User, pw->pw_name);
> ---
> > strncpy(User, pw->pw_name, MAX_UNAME - 1);
>
> Or simply remove the setuid bit on /usr/bin/crontab until a vendor patch
> has been released,
> just to be on the safe side.

I think your fix is too dirty because it can lead crontab to ruin the data
of another user whose name is the shortened name of the caller. It is better
for the tool to segfault instead of using an incorrectly shortened name.
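Review bot: the quoted 146c146 hunk replaces strcpy() with strncpy(User, pw->pw_name, MAX_UNAME - 1), which stores no terminating NUL when pw_name is MAX_UNAME - 1 bytes or longer, so the copy is only terminated if User[MAX_UNAME - 1] already happens to be zero; follow it with an explicit User[MAX_UNAME - 1] = '\0'. Beyond termination, a name cut at MAX_UNAME - 1 bytes can spell a different account, so a check of the form `if (strlen(pw->pw_name) >= MAX_UNAME) { /* report and exit */ }` before any copy, rather than a silent truncation, is the safer change to propose for line 146.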
Best with fixed buffer is to test username size before copying:

        if( strlen(pw->pw_name) >= sizeof User ) {
                fprintf( stderr, "crontab: fatal: username too long\n" );
                exit( 1 );
        }

But, in FreeBSD (I use 5.0-CURRENT) this code already contains strncpy
similar to yours:

=== cut src/usr.sbin/cron/crontab/crontab.c ===
        if (!(pw = getpwuid(getuid())))
                errx(ERROR_EXIT, "your UID isn't in the passwd file, bailing out");
        (void) strncpy(User, pw->pw_name, (sizeof User)-1);
        User[(sizeof User)-1] = '\0';
        strcpy(RealUser, User);
=== end cut ===

and I think it should also be corrected to reject too long usernames.

/netch
(6086300) --------------------------------(Rewrapped)

6091606 2001-02-12 19:42 -0800 /18 lines/ Kris Kennaway <kris@OBSECURITY.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-02-13 22:47 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: kris@OBSECURITY.ORG
Recipient: Bugtraq (import) <15414>
Comment on text 6084459 by Flatline <achter05@IE.HVA.NL>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------

On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:
> the login name is stored in a 20 byte buffer using the strcpy() function
> (which does no bounds checking). 'useradd' (the utility used to add users
> to the system)
> however allows usernames of over 20 characters (32 at most on my distribution).
>
> Therefore, running crontab as a user whose login name exceeds 20 characters
> crashes it.

I don't see any real-world scenarios where this would be exploitable -
usernames must be set by the administrator. Even in the case of e.g. a
hostile NIS server, the NIS server can probably just add an account with
uid 0 and log in to the client with root privileges.
Kris
(6091606) ------------------------------------------
Attachment (application/pgp-signature) in text 6091607

6092262 2001-02-12 23:18 -0500 /23 lines/ Andrew Brown <atatat@ATATDOT.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-02-14 01:25 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: bugtraq@SECURITYFOCUS.COM
Recipient: Bugtraq (import) <15428>
Comment on text 6084459 by Flatline <achter05@IE.HVA.NL>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------
From: Andrew Brown <atatat@ATATDOT.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010212231804.A25742@noc.untraceable.net>

>When crontab has determined the name of the user calling crontab (using
>getpwuid()),
>the login name is stored in a 20 byte buffer using the strcpy() function
>(which does no bounds checking). 'useradd' (the utility used to add users
>to the system)
>however allows usernames of over 20 characters (32 at most on my distribution).

I can see how this is an "issue", but don't you already have to be root to
get a user name longer than 20 characters? Or are you just assuming that
some admins out there will fail to balk at such a strange request?

--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com * "information is power -- share the wealth."
(6092262) ------------------------------------------
Comment in text 6092379 by Alfred Perlstein <bright@WINTELCOM.NET>

6092379 2001-02-13 15:00 -0800 /27 lines/ Alfred Perlstein <bright@WINTELCOM.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-02-14 04:56 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: bright@WINTELCOM.NET
Recipient: Bugtraq (import) <15439>
Comment on text 6092262 by Andrew Brown <atatat@ATATDOT.NET>
Subject: Re: vixie cron possible local root compromise
------------------------------------------------------------
From: Alfred Perlstein <bright@WINTELCOM.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010213150023.W3274@fw.wintelcom.net>

* Andrew Brown <atatat@ATATDOT.NET> [010213 14:38] wrote:
> >When crontab has determined the name of the user calling crontab (using
> >getpwuid()),
> >the login name is stored in a 20 byte buffer using the strcpy() function
> >(which does no bounds checking). 'useradd' (the utility used to add users
> >to the system)
> >however allows usernames of over 20 characters (32 at most on my distribution).
>
> i can see how this is an "issue", but don't you already have to be
> root to get a user name longer than 20 characters?  or are you just
> assuming that some admins out there will fail to balk at such a
> strange request?

I vaguely remember some packages that allow non-root users to add other
non-root users. If the wrapper script/program isn't careful about limiting
the username, someone trusted to do account additions may gain root if this
is exploitable.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
(6092379) ------------------------------------------

6092290 2001-02-13 20:52 +0100 /46 lines/ Mark van Reijn <mark@EDUP.TUDELFT.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-14 01:50 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mark@EDUP.TUDELFT.NL
Recipient: Bugtraq (import) <15430>
Subject: Re: [2] vixie cron possible local root compromise
------------------------------------------------------------
From: Mark van Reijn <mark@EDUP.TUDELFT.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <MWMail.aqinmttj@host.none>

You are so right!! Must have been very late or something...

I've checked whether it actually works... nope! Crontab doesn't get more
than 20 chars, but somehow it copies them twice? Strange.

Mark

Mate Wierdl <mw@thales.memphis.edu> wrote on 13-2-01 18:23:10:
>
>On Mon, Feb 12, 2001 at 10:14:00PM +0100, Mark van Reijn wrote:
>> Hmm, doesn't do anything weird/wrong on my RH6.2 server:
>>
>> [aaaaaaaaaabbbbbbbbbbcccccccccc@obelix mark]$ crontab -e
>> no crontab for aaaaaaaaaabbbbbbbbbbaaaaaaaaaabbbbbbbbbbaaaaaaaaaab - using an empty one
>
>I thought it was weird that you are aaaaaaaaaabbbbbbbbbbcccccccccc, and
>cron is talking about user
>
>aaaaaaaaaabbbbbbbbbbaaaaaaaaaabbbbbbbbbbaaaaaaaaaab
>
>On the other hand, on RH Linux 7.0 with vixie-cron-3.0.1-56, I get
>
>[abcabcabcabcabcabcabcabcabcabc@thales ~]$ crontab -e
>Segmentation fault
>
>
>Mate
>---
>Mate Wierdl | Dept. of Math. Sciences | University of Memphis

--
___________________________
Mark van Reijn
mark@edup.tudelft.nl
___________________________
"Because light travels faster than sound, most people appear to be
intelligent, until you hear them speak"
(6092290) --------------------------------(Rewrapped)
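The two fixes argued over in this thread, side by side, as an added example in C. This is not code from vixie cron or from any of the posters: it assumes a 20-byte User buffer (MAX_UNAME defined as 20 here, matching the size the original report describes, not the real constant from crontab.c) and two constructed login names, chosen so that the longer one cut to 19 bytes spells the shorter one. That collision is exactly what Peter van Dijk and netch warn about for the strncpy() quick fix; the reject-if-too-long check is netch's alternative, and the explicit terminator after strncpy() is the detail the quoted FreeBSD code adds. The unchecked strcpy() from the report is deliberately not reproduced.

```c
#include <stdio.h>
#include <string.h>

/* Assumption for this example: the User buffer is 20 bytes, as the report
 * describes. This is not the real MAX_UNAME from crontab.c. */
#define MAX_UNAME 20

/* Constructed sample of two login names. The second is the first plus
 * twelve more characters, so a copy cut at MAX_UNAME - 1 bytes turns the
 * long name into the short one. */
static const char *const SAMPLE_LOGINS[] = {
    "aaaaaaaaaa" "bbbbbbbbb",                 /* 19 chars: fits */
    "aaaaaaaaaa" "bbbbbbbbb" "cccccccccccc",  /* 31 chars: too long */
};
#define NUM_SAMPLE_LOGINS (sizeof SAMPLE_LOGINS / sizeof SAMPLE_LOGINS[0])

/* The thread's "quick fix": strncpy() bounded to the buffer. It never
 * overflows, but it truncates silently, and it stores no terminating NUL
 * when the source is MAX_UNAME - 1 bytes or longer, so the terminator is
 * written explicitly (as the FreeBSD code quoted in the thread does). */
void copy_user_truncate(char dst[MAX_UNAME], const char *login)
{
    strncpy(dst, login, MAX_UNAME - 1);
    dst[MAX_UNAME - 1] = '\0';
}

/* netch's alternative: refuse names that do not fit instead of shortening
 * them. Returns 0 and fills dst on success, -1 (dst untouched) otherwise. */
int copy_user_reject(char dst[MAX_UNAME], const char *login)
{
    if (strlen(login) >= MAX_UNAME)
        return -1;              /* caller must bail out here */
    strcpy(dst, login);         /* safe: fits, including the NUL */
    return 0;
}

/* Length of what the truncating copy actually leaves in the buffer. */
size_t truncated_len(const char *login)
{
    char user[MAX_UNAME];
    copy_user_truncate(user, login);
    return strlen(user);
}

/* After truncation, does `login` now spell a *different* sample login?
 * Returns that login's index, or -1 if there is no collision. This is the
 * failure mode the replies point out: crontab would go on to act on the
 * other account's crontab. */
int truncation_collides_with(const char *login)
{
    char user[MAX_UNAME];
    copy_user_truncate(user, login);
    for (size_t i = 0; i < NUM_SAMPLE_LOGINS; i++) {
        if (strcmp(SAMPLE_LOGINS[i], login) != 0 &&
            strcmp(SAMPLE_LOGINS[i], user) == 0)
            return (int)i;
    }
    return -1;
}

/* Scratch buffer so the functions above can be exercised without the
 * caller allocating one. */
char scratch_user[MAX_UNAME];

int main(void)
{
    for (size_t i = 0; i < NUM_SAMPLE_LOGINS; i++) {
        const char *login = SAMPLE_LOGINS[i];
        int rc = copy_user_reject(scratch_user, login);
        printf("%-32s reject: %s", login, rc == 0 ? "accepted" : "too long");
        printf("  truncate: %zu bytes kept, collides with entry: %d\n",
               truncated_len(login), truncation_collides_with(login));
    }
    return 0;
}
```

Run it and the 31-character name is refused by copy_user_reject() but silently becomes the 19-character name under copy_user_truncate(), which is why a setuid tool that then looks up or writes files by that name is better off exiting than continuing.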