[3800] in bugtraq
Re: vixie-crontab for redhat linux
daemon@ATHENA.MIT.EDU (Erik Troan)
Mon Dec 16 11:42:33 1996
Date: Mon, 16 Dec 1996 10:44:01 -0500
Reply-To: Erik Troan <ewt@redhat.com>
From: Erik Troan <ewt@redhat.com>
X-To: "Dave G." <daveg@escape.com>, paul@vix.com
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <Pine.BSI.3.91.961215192038.25407A-100000@escape.com>
On Sun, 15 Dec 1996, Dave G. wrote:
> /* vixie crontab buffer overflow for RedHat Linux
> *
> * I don't think too many people know that redhat uses vixie crontab.
> * I didn't find this, just exploited it.
> *
> *
> * Dave G.
> * <daveg@escape.com>
> * http://www.escape.com/~daveg
> *
> *
> */
Here's a quick fix that lets crontab segv instead of buffer overflowing ;-)
I think I got all of the sprintf and strcpy buffer overflows. There are still
some attacks based on overruns on data read from /etc/passwd but those would
be difficult to exploit at best.
Comments?
Erik
--- vixie-cron-3.0.1/crontab.c.ewt Mon Dec 16 10:35:09 1996
+++ vixie-cron-3.0.1/crontab.c Mon Dec 16 10:42:21 1996
@@ -197,7 +197,9 @@
} else {
if (argv[optind] != NULL) {
Option = opt_replace;
- (void) strcpy (Filename, argv[optind]);
+ (void) strncpy (Filename, argv[optind],
+ sizeof(Filename - 1));
+ Filename[sizeof(Filename) - 1] = '\0';
} else {
usage("file name must be specified for replace");
}
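Review bot: the new strncpy line has a bug in its length argument: `sizeof(Filename - 1)` puts the subtraction inside the sizeof, so it evaluates the size of a pointer expression (Filename decayed to `char *`, minus one), i.e. sizeof(char *), not the buffer length minus one. As written it copies only a few bytes of the file name. The intended form is `(void) strncpy (Filename, argv[optind], sizeof(Filename) - 1);` with the subtraction outside the parentheses. The following `Filename[sizeof(Filename) - 1] = '\0';` line is correct and should stay, since strncpy does not terminate the destination when it truncates.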
@@ -246,7 +248,7 @@
int ch;
log_it(RealUser, Pid, "LIST", User);
- (void) sprintf(n, CRON_TAB(User));
+ (void) snprintf(n, sizeof(n), CRON_TAB(User));
if (!(f = fopen(n, "r"))) {
if (errno == ENOENT)
fprintf(stderr, "no crontab for %s\n", User);
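Review bot: `sizeof(n)` is the buffer length only if `n` is declared as an array in this function; that declaration is outside the hunk, so please confirm it matches the `char n[MAX_FNAME]` visible in the DELETE hunk rather than a `char *`, otherwise snprintf is handed the size of a pointer. Separately, the return value of snprintf is discarded, so a spool path that does not fit is silently truncated and the fopen that follows operates on a different name; comparing the return value against sizeof(n) and failing with an error would make truncation visible rather than silent. The same two points apply to the identical snprintf changes in the DELETE and BEGIN EDIT hunks below.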
@@ -269,7 +271,7 @@
char n[MAX_FNAME];
log_it(RealUser, Pid, "DELETE", User);
- (void) sprintf(n, CRON_TAB(User));
+ (void) snprintf(n, sizeof(n), CRON_TAB(User));
if (unlink(n)) {
if (errno == ENOENT)
fprintf(stderr, "no crontab for %s\n", User);
@@ -301,7 +303,7 @@
PID_T pid, xpid;
log_it(RealUser, Pid, "BEGIN EDIT", User);
- (void) sprintf(n, CRON_TAB(User));
+ (void) snprintf(n, sizeof(n), CRON_TAB(User));
if (!(f = fopen(n, "r"))) {
if (errno != ENOENT) {
perror(n);
@@ -497,7 +499,7 @@
char **envp = env_init();
(void) sprintf(n, "tmp.%d", Pid);
- (void) sprintf(tn, CRON_TAB(n));
+ (void) snprintf(tn, sizeof(tn), CRON_TAB(n));
if (!(tmp = fopen(tn, "w+"))) {
perror(tn);
return (-2);
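Review bot: the `(void) sprintf(n, "tmp.%d", Pid);` line just above the changed line is left as sprintf. Its output is bounded only by the width of the formatted pid, so it is safe as long as `n` is large enough for "tmp." plus the longest pid the type can print; for consistency with the rest of the patch, and to avoid relying on that arithmetic, it could become `(void) snprintf(n, sizeof(n), "tmp.%d", Pid);`.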
@@ -585,7 +587,7 @@
return (-2);
}
- (void) sprintf(n, CRON_TAB(User));
+ (void) snprintf(n, sizeof(n), CRON_TAB(User));
if (rename(tn, n)) {
fprintf(stderr, "%s: error renaming %s to %s\n",
ProgramName, tn, n);
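Review bot: this rename is the step that installs the new crontab, so a truncated `n` (or a truncated `tn` from the earlier hunk) would move the temporary file to an unintended path inside the spool directory rather than just failing. Checking the snprintf return value against sizeof(n) here, and returning an error on truncation before calling rename, would close that gap.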