[19207] in bugtraq
Re: vixie cron possible local root compromise
daemon@ATHENA.MIT.EDU (Alan DeKok)
Tue Feb 13 23:11:17 2001
Message-ID: <200102132054.PAA09650@giles.striker.ottawa.on.ca>
Date: Tue, 13 Feb 2001 15:54:00 -0500
Reply-To: Alan DeKok <aland@GILES.STRIKER.OTTAWA.ON.CA>
From: Alan DeKok <aland@GILES.STRIKER.OTTAWA.ON.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Mon, 12 Feb 2001 13:12:02 EST." <20010212131202.C29928@eclipsed.net>
gabriel rosenkoetter <gr@ECLIPSED.NET> wrote:
> On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:
> > When crontab has determined the name of the user calling crontab (using
> > getpwuid()), the login name is stored in a 20-byte buffer using the strcpy()
> > function (which does no bounds checking).
This is obviously a problem.
> > 'useradd' (the utility used to add users to the system)
> > however allows usernames of over 20 characters (32 at most on my distribution).
> >
> > Therefore, running crontab as a user whose login name exceeds 20 characters
> > crashes it.
>
> Then your useradd is broken and doing improper bounds checking.
Nonsense. Some OSs *may* allow usernames longer than 8
characters. Applications which are broken on such systems are broken
applications.
There's a serious difference between an app saying "I can't handle
that username", and the app crashing and burning. Well behaved
applications are the cornerstone of security. Ill-behaved
applications are (almost by definition) insecure.
> I'm not sure why Vixie chose 20 characters, but it should be enough,
> since usernames longer than 8 characters should not be expected to
> behave properly. (The system won't know they're unique.) This is a
> POSIX thing, last I heard.
So? Does this mean that it's OK to write applications that have
buffer over-runs and security holes when run on systems other than
yours?
I find this attitude amazing. You don't understand why other people
would want to have usernames longer than 8 characters, so you're
willing to blame *their* systems for security problems when insecure
applications are executed on those systems.
Alan DeKok.
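The pattern Flatline describes (getpwuid(), then strcpy() of the login name into a fixed 20-byte buffer) and the "I can't handle that username" behaviour DeKok asks for, side by side. This is an added illustration written for this archive page, not code from the thread and not Vixie cron's actual source; the buffer size LOGIN_BUF, the function names and the sample login names are assumptions made for the example.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed buffer size, chosen to match the 20-byte buffer described in the
 * thread. This file illustrates the pattern; it is not Vixie cron's source. */
#define LOGIN_BUF 20

/* Vulnerable pattern: strcpy() writes strlen(pw_name)+1 bytes no matter how
 * large dst is. A login name of 20 or more characters runs past a 20-byte
 * buffer (20 characters plus the terminating NUL is already 21 bytes). */
static int store_login_unchecked(char *dst, const char *pw_name)
{
    strcpy(dst, pw_name);
    return 0;
}

/* Hardened pattern: a name that does not fit, NUL included, is rejected with
 * an error return, rather than silently truncated or allowed to overrun. */
static int store_login_checked(char *dst, size_t dstsz, const char *pw_name)
{
    size_t n = strlen(pw_name);
    if (n + 1 > dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;              /* "I can't handle that username" */
    }
    memcpy(dst, pw_name, n + 1);
    return 0;
}

/* Portable upper bound for a login name on this system, NUL included, so the
 * buffer is sized from the OS rather than from a hard-coded 8 or 20. Falls
 * back to a generous constant if sysconf() cannot report a limit. */
static size_t login_buffer_size(void)
{
    long v = sysconf(_SC_LOGIN_NAME_MAX);
    if (v <= 0)
        v = 256;
    return (size_t)v;
}

/* Look up the caller's login name via getpwuid(), as the thread describes,
 * and store it through the checked copy. Returns 0 on success, -1 if the
 * lookup fails or the name does not fit in dstsz bytes. */
static int store_own_login(char *dst, size_t dstsz)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_name == NULL)
        return -1;
    return store_login_checked(dst, dstsz, pw->pw_name);
}

int main(void)
{
    /* Constructed sample names: 19 characters fit in 20 bytes, 21 do not. */
    const char *fits = "nineteen_chars_long";
    const char *too_long = "twenty_one_chars_long";
    char buf[LOGIN_BUF];

    store_login_unchecked(buf, "alice");   /* short name: no visible harm */
    printf("unchecked(alice) -> \"%s\"\n", buf);
    printf("checked(%s) = %d\n", fits, store_login_checked(buf, sizeof buf, fits));
    printf("checked(%s) = %d\n", too_long, store_login_checked(buf, sizeof buf, too_long));
    /* store_login_unchecked(buf, too_long) would corrupt the stack; not called. */

    size_t need = login_buffer_size();
    char *own = malloc(need);
    if (own != NULL && store_own_login(own, need) == 0)
        printf("own login: %s (buffer sized from sysconf: %zu bytes)\n", own, need);
    free(own);
    return 0;
}
```

The checked copy uses memcpy() with an explicit length test rather than strncpy(), which does not NUL-terminate when the source is too long and would turn the overflow into an unterminated string instead of an error. Sizing the buffer from sysconf(_SC_LOGIN_NAME_MAX) (or simply strdup()ing pw_name) removes the dependence on whatever limit useradd happens to enforce on a given system.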