Date: Mon, 16 Dec 1996 06:57:12 -0800
From: Jason Downs <downsj@teeny.org>
To: Marc Slemko <marcs@znep.com>
Cc: Dmitry Valdov <dv@kis.ru>, freebsd-bugs@freebsd.org, freebsd-security@freebsd.org
Subject: Re: crontab security hole
Message-ID: <199612161457.GAA18590@threadway.teeny.org>
In-Reply-To: Your message of "Mon, 16 Dec 1996 06:51:33 MST." <Pine.BSF.3.95.961216064624.7792B-100000@alive.ampr.ab.ca>
In message <Pine.BSF.3.95.961216064624.7792B-100000@alive.ampr.ab.ca>,
Marc Slemko writes:
>On Mon, 16 Dec 1996, Dmitry Valdov wrote:
>
>> Hello!
>>
>> Are there any fixes for crontab? I have an exploit which allows any user to become
>> root using a crontab security hole.
>>
>> Dmitry.
>>
>
>It was fixed in -stable the other day by pst. The patch, pulled
>from the CVS tree, follows.
Haven't any of you ever heard of a very simple and efficient non-stdio
routine called, of all things, strncpy()?
It's been around for, like, ever.
>Index: cron/database.c
>===================================================================
>RCS file: /usr/cvs/src/usr.sbin/cron/cron/database.c,v
>retrieving revision 1.1.1.1
>retrieving revision 1.1.1.1.6.1
>diff -c -r1.1.1.1 -r1.1.1.1.6.1
>*** database.c 1994/08/27 13:43:03 1.1.1.1
>--- database.c 1996/12/15 20:37:47 1.1.1.1.6.1
>***************
>*** 112,119 ****
> if (dp->d_name[0] == '.')
> continue;
>
>! (void) strcpy(fname, dp->d_name);
>! sprintf(tabname, CRON_TAB(fname));
>
> process_crontab(fname, fname, tabname,
> &statbuf, &new_db, old_db);
>--- 112,119 ----
> if (dp->d_name[0] == '.')
> continue;
>
>! (void)snprintf(fname, sizeof fname, "%s", dp->d_name);
>! (void)snprintf(tabname, sizeof tabname, CRON_TAB(fname));
>
> process_crontab(fname, fname, tabname,
> &statbuf, &new_db, old_db);
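Review bot: both snprintf() results in the new lines are cast to (void), so a d_name longer than fname is silently truncated and process_crontab() is then called with a shortened name, which may match a different user or crontab file. Compare each return value against sizeof fname and sizeof tabname and "continue" past the entry when it does not fit. The second call also takes its format from whatever CRON_TAB(fname) expands to; a one-line comment that the macro supplies a constant format string would help the next reader.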
>Index: crontab/crontab.c
>===================================================================
>RCS file: /usr/cvs/src/usr.sbin/cron/crontab/crontab.c,v
>retrieving revision 1.3.4.1
>retrieving revision 1.3.4.2
>diff -c -r1.3.4.1 -r1.3.4.2
>*** crontab.c 1996/04/09 21:23:11 1.3.4.1
>--- crontab.c 1996/12/15 20:37:59 1.3.4.2
>***************
>*** 17,23 ****
>***************
>*** 167,173 ****
> ProgramName, optarg);
> exit(ERROR_EXIT);
> }
>! (void) strcpy(User, optarg);
> break;
> case 'l':
> if (Option != opt_unknown)
>--- 167,173 ----
> ProgramName, optarg);
> exit(ERROR_EXIT);
> }
>! (void) snprintf(User, sizeof(user), "%s", optarg);
> break;
> case 'l':
> if (Option != opt_unknown)
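Review bot: the size argument in the new line is sizeof(user), but the destination is User; the names differ in case, so this either fails to compile or bounds the copy by the size of some other object. It should read (void) snprintf(User, sizeof(User), "%s", optarg); and the return value is worth checking so that an over-long optarg is rejected with the same exit(ERROR_EXIT) path shown just above instead of being truncated.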
>***************
>*** 198,204 ****
> } else {
> if (argv[optind] != NULL) {
> Option = opt_replace;
>! (void) strcpy (Filename, argv[optind]);
> } else {
> usage("file name must be specified for replace");
> }
>--- 198,205 ----
> } else {
> if (argv[optind] != NULL) {
> Option = opt_replace;
>! (void) snprintf(Filename, sizeof(Filename), "%s",
>! argv[optind]);
> } else {
> usage("file name must be specified for replace");
> }
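Review bot: in the new opt_replace branch, an argv[optind] longer than Filename is truncated without notice, so the command would go on to use a different path than the one the user typed. Check the snprintf() return value against sizeof(Filename) and report the error through usage(), as the else branch already does for a missing file name.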
>***************
>*** 480,486 ****
> ProgramName, Filename);
> goto done;
> default:
>! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n");
> goto fatal;
> }
> remove:
>--- 481,488 ----
> ProgramName, Filename);
> goto done;
> default:
>! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n",
>! ProgramName);
> goto fatal;
> }
> remove:
>
>
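Review bot: the default: case change supplies the ProgramName argument that the old "%s" had no value for, which is a separate defect from the buffer bounding in the other hunks. Mention it in the commit log so it is not lost among the strcpy() replacements.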
--
Jason Downs (503) 256-8535 -/- (503) 952-3749
downsj@teeny.org --> teeny.org: Free Software for a Free Internet <--
http://www.teeny.org/
This ain't no steeenking NetBSD. http://www.openbsd.org/
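
Added example (not part of the original message or the FreeBSD patch): how the patch's snprintf() copies and the strncpy() suggested in the reply behave when the source does not fit, using a constructed 8-byte buffer. The helper names, NAME_BUF_LEN and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 8   /* constructed, deliberately small buffer size */

/* snprintf-based copy as in the patch, but with the return value checked:
 * 0 on success, -1 if src did not fit (dst is still NUL-terminated). */
int copy_checked(char *dst, size_t dstsize, const char *src)
{
    int n = snprintf(dst, dstsize, "%s", src);
    return (n < 0 || (size_t)n >= dstsize) ? -1 : 0;
}

/* strncpy-based copy: strncpy() writes no terminator when
 * strlen(src) >= n, so the caller must add one and must detect
 * truncation separately. */
int copy_strncpy(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';      /* mandatory: strncpy may not terminate */
    return strlen(src) >= dstsize ? -1 : 0;
}

/* Returns 1 if a bare strncpy(dst, src, sizeof dst) left dst unterminated. */
int bare_strncpy_unterminated(const char *src)
{
    char dst[NAME_BUF_LEN];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

int main(void)
{
    char buf[NAME_BUF_LEN];
    const char *names[] = { "root", "operator", "averylongusername" };
    for (size_t i = 0; i < 3; i++) {
        int a = copy_checked(buf, sizeof buf, names[i]);
        printf("%-18s snprintf:%-6s '%s'", names[i], a ? "reject" : "ok", buf);
        int b = copy_strncpy(buf, sizeof buf, names[i]);
        printf("  strncpy:%-6s '%s'  bare-unterminated:%d\n",
               b ? "reject" : "ok", buf, bare_strncpy_unterminated(names[i]));
    }
    return 0;
}
```

Either routine bounds the write; what separates a safe copy from a truncating one is whether the caller checks the result and refuses the input.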
