[19182] in bugtraq
Re: vixie cron possible local root compromise
daemon@ATHENA.MIT.EDU (Kris Kennaway)
Tue Feb 13 16:06:43 2001
Message-ID: <20010212194257.A43552@mollari.cthul.hu>
Date: Mon, 12 Feb 2001 19:42:57 -0800
Reply-To: Kris Kennaway <kris@OBSECURITY.ORG>
From: Kris Kennaway <kris@OBSECURITY.ORG>
X-To: Flatline <achter05@IE.HVA.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <5.0.2.1.2.20010211003607.00a627e8@pop3.lb.hva.nl>; from
achter05@IE.HVA.NL on Sun, Feb 11, 2001 at 12:38:02AM +0100

On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:

> the login name is stored in a 20 byte buffer using the strcpy() function
> (which does no bounds checking). 'useradd' (the utility used to add users
> to the system)
> however allows usernames of over 20 characters (32 at most on my distribution).
>
> Therefore, running crontab as a user whose login name exceeds 20 characters
> crashes it.

I don't see any real-world scenarios where this would be exploitable -
usernames must be set by the administrator. Even in the case of
e.g. a hostile NIS server, the NIS server can probably just add an
account with uid 0 and log in to the client with root privileges.

Kris
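
The copy pattern described in the quoted report, next to a length-checked form, as an added example that is not part of the original message and is not the vixie cron source. The names `MAX_UNAME`, `copy_login_unsafe` and `copy_login_checked` are hypothetical; only the 20-byte buffer and the 32-character useradd limit come from the report.

```c
#include <stdio.h>
#include <string.h>

#define MAX_UNAME 20   /* hypothetical name; 20 bytes is the size quoted in the report */

/* Pattern from the report, shown for contrast and never called here:
 * strcpy() writes past dst whenever strlen(login) >= MAX_UNAME. */
void copy_login_unsafe(char dst[MAX_UNAME], const char *login)
{
    strcpy(dst, login);
}

/* Checked form: returns 0 on success, -1 if the name does not fit.
 * It rejects instead of truncating, because a truncated login name
 * could collide with a different, shorter account name. */
int copy_login_checked(char *dst, size_t dstsz, const char *login)
{
    size_t n;

    if (dst == NULL || login == NULL || dstsz == 0)
        return -1;
    n = strlen(login);
    if (n >= dstsz)              /* no room for the name plus its NUL */
        return -1;
    memcpy(dst, login, n + 1);   /* length already validated */
    return 0;
}

int main(void)
{
    /* Constructed sample names: 4, 19, 20 and 32 characters long. */
    const char *samples[] = {
        "kris",
        "abcdefghijklmnopqrs",
        "abcdefghijklmnopqrst",
        "abcdefghijklmnopqrstuvwxyz012345",
    };
    char buf[MAX_UNAME];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = copy_login_checked(buf, sizeof buf, samples[i]);
        printf("%2zu chars: %s\n", strlen(samples[i]),
               rc == 0 ? "accepted" : "rejected (too long)");
    }
    return 0;
}
```
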