Date:      Sun, 2 Jan 2000 21:21:51 +0100 (MET)
From:      Ole Pahl <op@pahl.net>
To:        bugtraq@securityfocus.com, submission@rootshell.com, cert@cert.org, cert@cert.dfn.de, freebsd-bugs@freebsd.org, info@suse.de, paul@vix.com, info@vix.com
Subject:   Bug in recent versions of Vixie cron
Message-ID:  <Pine.LNX.4.05.10001022010080.12566-100000@muschel.global-phun.net>

Hi,

I've just discovered a bug in Vixie cron allowing local users with access
to their own crontabs to gain root access.

Sendmail is called as root, thus allowing users to specify the -C option
causing Sendmail to use a user-specified configuration file:

MAILTO='-C/home/someuser/sendmail.cf someuser'
* * * * * /bin/non-existent-binary-causing-error-message

By configuring Sendmail to use a pipe command executed with UID 0 for local
mail delivery, arbitrary commands can be executed as root.

This problem seems to be present in current versions of Vixie cron, e.g.
those used in operating systems like FreeBSD 3.4-RC as well as certain
Linux distributions such as SuSE Linux 6.2.

This message has been sent to Paul Vixie as well, so I guess a patch fixing
this issue will be available soon. Full exploits seem to be available, but
don't ask me to send you one. As this problem is not related to a buffer
overflow condition, having a non-executable stack won't help you.

Temporary solution: Disable crontab access for non-root users.

Regards,
  Ole Pahl

--
Ole Pahl     <op@pahl.net>      Hamburg  /  Germany       Fon: +49 40 7807 2601
PAHL.NET Network Solutions      Mail: info@pahl.net       Fax: +49 40 7807 2602
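
A check a crontab auditor or a cron daemon could apply to the MAILTO value described in the message above. This is an added example, not part of the original e-mail and not Vixie cron's own code; the function name `check_mailto_line` and the allowed character set are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Classify one crontab line (hypothetical helper, added example).
 * Returns -1 if the line is not a MAILTO assignment,
 *          1 if the value is empty or a plain recipient,
 *          0 if the mailer could read it as an option or as
 *            several arguments, so it should be rejected. */
int check_mailto_line(const char *line)
{
    size_t n, i;

    line += strspn(line, " \t");
    if (strncmp(line, "MAILTO", 6) != 0) return -1;
    line += 6;
    line += strspn(line, " \t");
    if (*line != '=') return -1;
    line++;
    line += strspn(line, " \t");

    n = strcspn(line, "\r\n");
    while (n > 0 && (line[n - 1] == ' ' || line[n - 1] == '\t')) n--;
    /* Strip one pair of matching quotes around the value. */
    if (n >= 2 && (line[0] == '\'' || line[0] == '"') && line[n - 1] == line[0]) {
        line++;
        n -= 2;
    }
    if (n == 0) return 1;            /* MAILTO="" only disables mail */
    if (line[0] == '-') return 0;    /* would be parsed as a mailer option */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)line[i];
        /* Assumed allow-list: whitespace, quotes and shell characters fail. */
        if (!isalnum(c) && !strchr("@._+-", c)) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample lines; the first is the value from the message. */
    const char *samples[] = {
        "MAILTO='-C/home/someuser/sendmail.cf someuser'",
        "MAILTO=someuser",
        "* * * * * /bin/non-existent-binary-causing-error-message",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%2d  %s\n", check_mailto_line(samples[i]), samples[i]);
    return 0;
}
```
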


