Date: Fri, 14 Apr 1995 03:52:08 -0500 (CDT)
From: Mike Pritchard <pritc003@maroon.tc.umn.edu>
To: ache@freefall.cdrom.com (Andrey A. Chernov)
Cc: freebsd-security@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/cron/cron Makefile do_command.c bitstring.3 bitstring.h
Message-ID: <199504140852.DAA00743@mpp.com>
In-Reply-To: <199504132058.NAA27172@freefall.cdrom.com> from "Andrey A. Chernov" at Apr 13, 95 01:58:16 pm

> ache 95/04/13 13:58:15
>
> Modified: usr.sbin/cron/cron Makefile do_command.c
> Removed: usr.sbin/cron/cron bitstring.3 bitstring.h
> Log:
> Really fix MAILTO hole by parsing spaces.
> Remove local bitstring copy

So far I haven't been able to get root with this fix in, but there
are still MAILTO related problems. If I feed cron a MAILTO
variable that contains more than 100 arguments, it will core dump
due to going past the end of an array. Someone might be able
to exploit that somehow. For example:

MAILTO=a a a a a a a a ...and so on...arg101 arg102 arg103

I can also overrun the "mailcmd" buffer that the sendmail command +
arguments is sprintfed into by having a 1000 character MAILTO variable.

Both of these are good examples of why suid root programs that
work with user supplied arguments should only accept arguments that
conform to a strictly defined format.

Cron_popen() needs to be fixed to check that it isn't going past the
end of the argument array to fix the above problem and do_command()
should call snprintf() instead of sprintf() to prevent overruns
of the mailcmd buffer.

There may be other ways to make cron blow up with a strange MAILTO
variable, but these are the first two I found without much work.

Again, changing cron to require that MAILTO only contain a valid
local user name avoids both of these problems.

--
Mike Pritchard
pritc003@maroon.tc.umn.edu
"Go that way. Really fast. If something gets in your way, turn"
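
Added example, not part of the original message and not the FreeBSD cron source: the three fixes the message proposes, written in C (a strict MAILTO format check, an argument splitter that stops at the end of the array, and snprintf() with a truncation check). The function names, the MAX_ARGS, MAX_CMD and MAX_USER values, the accepted character set and the mailer path are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 100   /* assumed argv capacity (the message reports a crash past 100 arguments) */
#define MAX_CMD  1000  /* assumed size of the mail command buffer */
#define MAX_USER 32    /* assumed maximum length of a local user name */

/* Strict format: exactly one user name made of [A-Za-z0-9._-], not starting with '-'. */
int mailto_is_valid(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_USER || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr("._-", s[i]))
            return 0;
    return 1;
}

/* Split line on blanks in place. Returns argc, or -1 when the words plus the
 * terminating NULL would not fit in argv[MAX_ARGS]. */
int split_args(char *line, char *argv[MAX_ARGS])
{
    int argc = 0;
    for (char *tok = strtok(line, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        if (argc >= MAX_ARGS - 1)
            return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* Returns 0 on success, -1 if the recipient is rejected or the output would be truncated. */
int build_mailcmd(char *out, size_t outsz, const char *mailer, const char *mailto)
{
    if (!mailto_is_valid(mailto))
        return -1;
    int n = snprintf(out, outsz, "%s %s", mailer, mailto);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char cmd[MAX_CMD];
    printf("%d\n", build_mailcmd(cmd, sizeof cmd, "/usr/sbin/sendmail", "a a a"));
    return 0;
}
```

Checking snprintf()'s return value matters as much as the size argument: a silently truncated command line is still the wrong command.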