[19185] in bugtraq
Re: vixie cron possible local root compromise
daemon@ATHENA.MIT.EDU (Andrew Brown)
Tue Feb 13 16:50:24 2001
Message-Id: <20010212231804.A25742@noc.untraceable.net>
Date: Mon, 12 Feb 2001 23:18:04 -0500
Reply-To: bugtraq@SECURITYFOCUS.COM
From: Andrew Brown <atatat@ATATDOT.NET>
X-To: Flatline <achter05@IE.HVA.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <5.0.2.1.2.20010211003607.00a627e8@pop3.lb.hva.nl>; from
achter05@IE.HVA.NL on Sun, Feb 11, 2001 at 12:38:02AM +0100
>When crontab has determined the name of the user calling crontab (using
>getpwuid()), the login name is stored in a 20 byte buffer using the
>strcpy() function (which does no bounds checking). 'useradd' (the utility
>used to add users to the system) however allows usernames of over 20
>characters (32 at most on my distribution).

i can see how this is an "issue", but don't you already have to be
root to get a user name longer than 20 characters? or are you just
assuming that some admins out there will fail to balk at such a
strange request?
--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah! i see you have the internet
twofsonet@graffiti.com (Andrew Brown) that goes *ping*!"
andrew@crossbar.com * "information is power -- share the wealth."
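
The copy described in the quoted report, next to a bounded alternative, as an added example that is not part of the original message and is not vixie cron's code. The helper name `store_login_name`, the `LOGIN_BUF_LEN` macro and the sample names are assumptions made for illustration; only the 20-byte buffer and the 32-character name length come from the report.

```c
#include <stdio.h>
#include <string.h>

#define LOGIN_BUF_LEN 20   /* buffer size quoted in the report */

/* Hypothetical helper: copy a login name into a fixed-size buffer and
 * refuse names that do not fit. Truncating instead would silently turn
 * one account name into another, so an over-long name is an error.
 * Returns 0 on success, -1 if the name is NULL, empty or too long;
 * on failure dst is left as an empty string. */
int store_login_name(char *dst, size_t dstlen, const char *name)
{
    size_t n;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (name == NULL)
        return -1;
    n = strlen(name);
    if (n == 0 || n >= dstlen)   /* need room for the terminating NUL */
        return -1;
    memcpy(dst, name, n + 1);    /* n + 1 <= dstlen, checked above */
    return 0;
}

/* The pattern the report describes, for contrast (no bounds check):
 *     char user[LOGIN_BUF_LEN];
 *     strcpy(user, pw->pw_name);
 */

int main(void)
{
    /* Constructed sample names: 19, 20 and 32 characters long. */
    const char *samples[] = {
        "abcdefghijklmnopqrs",
        "abcdefghijklmnopqrst",
        "abcdefghijklmnopqrstuvwxyz012345",
    };
    char user[LOGIN_BUF_LEN];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = store_login_name(user, sizeof user, samples[i]);
        printf("%2zu chars: %s\n", strlen(samples[i]),
               rc == 0 ? "stored" : "rejected");
    }
    return 0;
}
```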