From owner-freebsd-bugs Mon Dec 16 06:58:12 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id GAA10572 for bugs-outgoing; Mon, 16 Dec 1996 06:58:12 -0800 (PST) Received: from threadway.teeny.org (root@threadway.teeny.org [204.245.200.1]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id GAA10552; Mon, 16 Dec 1996 06:58:07 -0800 (PST) Received: from localhost (downsj@localhost.teeny.org [127.0.0.1]) by threadway.teeny.org (8.8.4/8.6.12) with ESMTP id GAA18590; Mon, 16 Dec 1996 06:57:13 -0800 (PST) Message-Id: <199612161457.GAA18590@threadway.teeny.org> X-Mailer: exmh version 1.6.5 12/11/95 To: Marc Slemko cc: Dmitry Valdov , freebsd-bugs@freebsd.org, freebsd-security@freebsd.org Subject: Re: crontab security hole In-reply-to: Your message of "Mon, 16 Dec 1996 06:51:33 MST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 16 Dec 1996 06:57:12 -0800 From: Jason Downs Sender: owner-bugs@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message , Marc Slemko writes: >On Mon, 16 Dec 1996, Dmitry Valdov wrote: > >> Hello! >> >> Are there any fixes for crontab? I've exploit which allow any user to become >> root using crontab security hole. >> >> Dmitry. >> > >It was fixed in -stable the other day by pst. The patch, pulled >from the CVS tree, follows. Haven't any of you ever heard of a very simple and efficient non-stdio routine called, of all things, strncpy()? It's been around for, like, ever. >Index: cron/database.c >=================================================================== >RCS file: /usr/cvs/src/usr.sbin/cron/cron/database.c,v >retrieving revision 1.1.1.1 >retrieving revision 1.1.1.1.6.1 >diff -c -r1.1.1.1 -r1.1.1.1.6.1 >*** database.c 1994/08/27 13:43:03 1.1.1.1 >--- database.c 1996/12/15 20:37:47 1.1.1.1.6.1 >*************** >*** 112,119 **** > if (dp->d_name[0] == '.') > continue; > >! (void) strcpy(fname, dp->d_name); >! 
sprintf(tabname, CRON_TAB(fname)); > > process_crontab(fname, fname, tabname, > &statbuf, &new_db, old_db); >--- 112,119 ---- > if (dp->d_name[0] == '.') > continue; > >! (void)snprintf(fname, sizeof fname, "%s", dp->d_name); >! (void)snprintf(tabname, sizeof tabname, CRON_TAB(fname)); > > process_crontab(fname, fname, tabname, > &statbuf, &new_db, old_db); >Index: crontab/crontab.c >=================================================================== >RCS file: /usr/cvs/src/usr.sbin/cron/crontab/crontab.c,v >retrieving revision 1.3.4.1 >retrieving revision 1.3.4.2 >diff -c -r1.3.4.1 -r1.3.4.2 >*** crontab.c 1996/04/09 21:23:11 1.3.4.1 >--- crontab.c 1996/12/15 20:37:59 1.3.4.2 >*************** >*** 17,23 **** >*************** >*** 167,173 **** > ProgramName, optarg); > exit(ERROR_EXIT); > } >! (void) strcpy(User, optarg); > break; > case 'l': > if (Option != opt_unknown) >--- 167,173 ---- > ProgramName, optarg); > exit(ERROR_EXIT); > } >! (void) snprintf(User, sizeof(user), "%s", optarg); > break; > case 'l': > if (Option != opt_unknown) >*************** >*** 198,204 **** > } else { > if (argv[optind] != NULL) { > Option = opt_replace; >! (void) strcpy (Filename, argv[optind]); > } else { > usage("file name must be specified for replace"); > } >--- 198,205 ---- > } else { > if (argv[optind] != NULL) { > Option = opt_replace; >! (void) snprintf(Filename, sizeof(Filename), "%s", >! argv[optind]); > } else { > usage("file name must be specified for replace"); > } >*************** >*** 480,486 **** > ProgramName, Filename); > goto done; > default: >! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n"); > goto fatal; > } > remove: >--- 481,488 ---- > ProgramName, Filename); > goto done; > default: >! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n", >! 
ProgramName); > goto fatal; > } > remove: > > -- Jason Downs (503) 256-8535 -/- (503) 952-3749 downsj@teeny.org --> teeny.org: Free Software for a Free Internet <-- http://www.teeny.org/ This ain't no steeenking NetBSD. http://www.openbsd.org/
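Review bot: in the cron/database.c hunk (112,119), the second new call puts CRON_TAB(fname) in the format-string position of snprintf(), and the macro's definition is not part of this patch. Confirm that it expands to a literal format followed by its arguments and not to a string built from the directory entry name, since a '%' in a spool file name would otherwise be read as a conversion. Both calls also throw away the return value with (void), so an over-long dp->d_name is truncated silently and process_crontab() is then called with a name that is not the one on disk. Test the return value for truncation and `continue` past the entry when it occurs.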
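Review bot: in the crontab/crontab.c hunk at 167,173, the new line writes into User but bounds the copy with sizeof(user), which is a different identifier in C. No lowercase user is declared anywhere in the visible lines, so this either fails to compile or takes its bound from some other object. The line should read (void) snprintf(User, sizeof(User), "%s", optarg); to match the form used for Filename in the next hunk.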
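Review bot: in the crontab/crontab.c hunk at 198,204, the copy into Filename discards the snprintf() return value, so an argv[optind] longer than the buffer is shortened without a diagnostic and the replace operation goes ahead with a path the user did not type. Check the return value for truncation and fail through usage() or an error exit, the same way the -u branch above already exits with ERROR_EXIT on a bad argument.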