[19208] in bugtraq


Re: vixie cron possible local root compromise

daemon@ATHENA.MIT.EDU (Rodrigo Barbosa (aka morcego))
Tue Feb 13 23:12:46 2001

Message-Id: <20010213222714.E2369@conectiva.com.br>
Date: Tue, 13 Feb 2001 22:27:14 -0200
Reply-To: "Rodrigo Barbosa (aka morcego)" <rodrigob@CONECTIVA.COM.BR>
From: "Rodrigo Barbosa (aka morcego)" <rodrigob@CONECTIVA.COM.BR>
X-To: gabriel rosenkoetter <gr@ECLIPSED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010212131202.C29928@eclipsed.net>; from gr@ECLIPSED.NET on Mon, Feb 12, 2001 at 01:12:02PM -0500

On Mon, Feb 12, 2001 at 01:12:02PM -0500, gabriel rosenkoetter wrote:
> On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:
> > When crontab has determined the name of the user calling crontab (using
> > getpwuid()),
> > the login name is stored in a 20 byte buffer using the strcpy() function
> > (which does no bounds checking). 'useradd' (the utility used to add users
> > to the system)
> > however allows usernames of over 20 characters (32 at most on my distribution).
> >
> > Therefore, running crontab as a user whose login name exceeds 20 characters
> > crashes it.
>
> Then your useradd is broken and doing improper bounds checking.
>
> I'm not sure why Vixie chose 20 characters, but it should be enough,
> since usernames longer than 8 characters should not be expected to
> behave properly. (The system won't know they're unique.) This is a
> POSIX thing, last I heard.

Hummm, not exactly. Last time I checked, there were lots of systems that
allowed usernames to be 32 chars long.
The GLIBC implementation (at least on versions 2.2 and 2.1.3 from cvs) allows it.
Quick check:

#include <stdio.h>
#include <utmpx.h>	/* on glibc, __UT_NAMESIZE is defined via this header (bits/utmpx.h), not in a wtmpx.h */

int main(void)
{
	/* print the maximum login-name length the C library is built for */
	printf("%d\n", __UT_NAMESIZE);
	return 0;
}

or, if your system does not have wtmpx.h

#include <stdio.h>
#include <utmp.h>	/* on glibc, UT_NAMESIZE is defined via this header (bits/utmp.h) */

int main(void)
{
	/* same check using the non-underscore name from the classic utmp interface */
	printf("%d\n", UT_NAMESIZE);
	return 0;
}

If anyone can find any system that reports less than 32, it will be an exception
to the rule. Of course I mean current systems. libc5 systems, AIX 3.2 and old
systems like that will probably return 16 or even 8.

[]s

-- 
 Rodrigo Barbosa (morcego)         - rodrigob at conectiva.com.br
 Conectiva R&D Team                - http://distro.conectiva.com.br
 "Quis custodiet ipsos custodiet?" - http://www.conectiva.com


--h56sxpGKRmy85csR
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6idDin5NdOMMM/nERAncWAKCsWHnjrwknxS1dxFIWALUoyVsdkgCgmi0F
Tjejk7lBxwgj70JFzB7o+ts=
=PIPr
-----END PGP SIGNATURE-----

--h56sxpGKRmy85csR--
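As an added illustration, not code from this thread or from Vixie cron, the unchecked copy the thread describes beside a bounded replacement that refuses any login name that will not fit crontab's 20-byte buffer. The buffer size follows the thread; the function names and the sample user names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define CRON_NAME_BUF 20   /* size of crontab's login-name buffer, per the thread */

/* The pattern the thread describes: strcpy() with no length check, so a name of
 * CRON_NAME_BUF or more characters overruns dst. For comparison only; never called. */
void unsafe_copy_login(char *dst, const char *name)
{
    strcpy(dst, name);
}

/* Hardened replacement: copies name into dst (dstsz bytes) only if it fits
 * together with its NUL terminator. Returns 0 on success, -1 when rejected;
 * dst is always NUL-terminated. Rejecting beats silent truncation, since a
 * truncated login name could later be looked up as a different user. */
int copy_login_name(char *dst, size_t dstsz, const char *name)
{
    size_t n = strlen(name);
    if (dstsz == 0 || n >= dstsz) {   /* no room for name plus NUL: refuse */
        if (dstsz)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, name, n + 1);
    return 0;
}

/* Mirrors crontab's situation: the name from getpwuid() lands in a local
 * CRON_NAME_BUF-sized buffer. Returns 1 if accepted, 0 if rejected. */
int crontab_accepts_login(const char *login)
{
    char user[CRON_NAME_BUF];
    return copy_login_name(user, sizeof user, login) == 0;
}

int main(void)
{
    /* Constructed sample names at the lengths the thread discusses. */
    const char *samples[] = {
        "morcego",                           /*  7 chars */
        "nineteen_characters",               /* 19 chars: last one that fits */
        "twenty_characters_xx",              /* 20 chars: no room for the NUL */
        "thirtytwo_characters_username_xx",  /* 32 chars: the UT_NAMESIZE limit */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s len=%2zu -> %s\n", samples[i], strlen(samples[i]),
               crontab_accepts_login(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Note that the boundary sits at 19 characters, not 20: the twentieth byte is needed for the terminating NUL, which is exactly the off-by-one a plain strcpy() into a 20-byte buffer does not account for.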
