[19210] in bugtraq


Re: vixie cron possible local root compromise

daemon@ATHENA.MIT.EDU (Alfred Perlstein)
Tue Feb 13 23:45:20 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20010213150023.W3274@fw.wintelcom.net>
Date:         Tue, 13 Feb 2001 15:00:23 -0800
Reply-To: Alfred Perlstein <bright@WINTELCOM.NET>
From: Alfred Perlstein <bright@WINTELCOM.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010212231804.A25742@noc.untraceable.net>; from
              atatat@ATATDOT.NET on Mon, Feb 12, 2001 at 11:18:04PM -0500

* Andrew Brown <atatat@ATATDOT.NET> [010213 14:38] wrote:
> >When crontab has determined the name of the user calling crontab (using
> >getpwuid()),
> >the login name is stored in a 20 byte buffer using the strcpy() function
> >(which does no bounds checking). 'useradd' (the utility used to add users
> >to the system)
> >however allows usernames of over 20 characters (32 at most on my distribution).
>
> i can see how this is an "issue", but don't you already have to be
> root to get a user name longer than 20 characters?  or are you just
> assuming that some admins out there will fail to balk at such a
> strange request?

I vaguely remember some packages that allow non-root users to add
other non-root users; if the wrapper script/program isn't careful
about limiting the username, someone trusted to do account additions
may gain root if this is exploitable.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
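
An added example, not part of the original message and not code from vixie cron: a bounds-checked replacement for the strcpy() pattern quoted above, plus the length check an account-creation wrapper could apply. The function names are hypothetical; the 20-byte size is the one given in the quoted report.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <pwd.h>
#include <unistd.h>

#define LOGIN_BUF 20  /* buffer size given in the quoted report */

/* Copy a login name into a fixed buffer. Names that do not fit are
 * refused rather than truncated, since a truncated name could match
 * a different account. Returns 0 on success, -1 on rejection. */
int copy_login_name(char *dst, size_t dstsz, const char *name)
{
    size_t n;

    if (dst == NULL || name == NULL || dstsz == 0)
        return -1;
    /* Bounded length scan: never reads more than dstsz bytes. */
    for (n = 0; n < dstsz && name[n] != '\0'; n++)
        ;
    if (n == 0 || n >= dstsz) {   /* empty, or no room for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, name, n + 1);     /* n characters plus terminator */
    return 0;
}

/* Hypothetical policy check for a wrapper that lets trusted non-root
 * users add accounts: accept only names that fit the smallest
 * fixed-size consumer (here, a LOGIN_BUF-byte buffer). */
int wrapper_accepts_username(const char *name)
{
    char tmp[LOGIN_BUF];
    return copy_login_name(tmp, sizeof tmp, name) == 0;
}

int main(void)
{
    char user[LOGIN_BUF];
    struct passwd *pw = getpwuid(getuid());

    if (pw == NULL || copy_login_name(user, sizeof user, pw->pw_name) != 0) {
        fprintf(stderr, "login name missing or too long\n");
        return 1;
    }
    printf("running as %s\n", user);
    return 0;
}
```

With a 20-byte buffer the longest name that fits is 19 characters, so a name of exactly 20 characters is already rejected.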
