Vulnerability in Vixie Cron
Title: Vulnerability in Vixie Cron
Date Issued: December 16, 1996
Last Modified: December 16, 1996
Code: SNI-02
Source: Network Associates (was SNI)
Secure Networks Inc.
Security Advisory
December 16, 1996
Vulnerability in Vixie Cron
During September, we became aware of a vulnerability in Vixie Cron 2.1
which allows attackers to obtain root access. It is recommended that
security-conscious administrators apply the attached patch.
Technical Details
~~~~~~~~~~~~~~~~~
One of the many features of Vixie Cron 2.1 is that it allows users to
set environment variables in their crontab. In parsing these environment
variables, in the form:
VARIABLE=VALUE
it uses the function sscanf on a 1000 byte buffer. Unfortunately, Vixie
Cron 2.1 does no length checking of the variable name, and attempts to
stuff it into a 100 byte buffer. Thus, by creating a crontab file which
contains a variable with a name longer than 100 characters, it is possible
to overflow the buffer, and obtain root access.
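The missing length check, written out as an added example (this is not code from the advisory or from Vixie Cron). The helper name parse_env_line and its return codes are hypothetical, the buffer sizes follow the 100 and 1000 byte figures above, and quoting and whitespace handling are left out.

```c
#include <stdio.h>
#include <string.h>

/* Sizes taken from the advisory text: 100-byte name buffer, 1000-byte line. */
#define MAX_TEMPSTR 100
#define MAX_ENVSTR  1000

enum { ENV_OK = 1, ENV_NOT_ASSIGNMENT = 0, ENV_TOO_LONG = -1 };

/*
 * Hypothetical helper (not from cron's env.c): split "NAME=VALUE" into
 * caller-supplied buffers, checking each length before any byte is copied.
 * Overlong fields are rejected rather than truncated, so a long name can
 * never silently set a different, shorter variable.
 */
int parse_env_line(const char *line, char *name, size_t name_sz,
                   char *val, size_t val_sz)
{
    const char *eq = strchr(line, '=');
    size_t nlen, vlen;

    if (eq == NULL || eq == line)
        return ENV_NOT_ASSIGNMENT;      /* no '=' or empty name */

    nlen = (size_t)(eq - line);
    vlen = strcspn(eq + 1, "\n");       /* value ends at newline or NUL */

    if (nlen >= name_sz || vlen >= val_sz)
        return ENV_TOO_LONG;            /* would not fit with its NUL */

    memcpy(name, line, nlen);
    name[nlen] = '\0';
    memcpy(val, eq + 1, vlen);
    val[vlen] = '\0';
    return ENV_OK;
}

int main(void)
{
    char name[MAX_TEMPSTR], val[MAX_ENVSTR], longline[MAX_ENVSTR];

    /* Constructed input: a 150-character name, longer than name[]. */
    memset(longline, 'A', 150);
    strcpy(longline + 150, "=x\n");

    printf("%d\n", parse_env_line("MAILTO=root\n", name, sizeof name, val, sizeof val));
    printf("%d\n", parse_env_line(longline, name, sizeof name, val, sizeof val));
    return 0;
}
```

Because the check uses the destination size passed by the caller, it holds whether the name buffer is 100 or 1000 bytes.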
Impact
~~~~~~
Users with a valid account, and permission to run cron jobs (via
cron.allow and cron.deny) can obtain root access.
Vulnerable Systems
~~~~~~~~~~~~~~~~~~
All systems incorporating Vixie Cron 2.1 without modifications,
including, but not limited to:
Redhat Linux
BSD/OS 2.x
OpenBSD 1.x
NetBSD 1.2
FreeBSD 2.1.5
Any system where the default cron was replaced with Vixie Cron
Fix Information
~~~~~~~~~~~~~~~
Increase the length of the buffer used by crontab to store the
environment variable name to 1000 bytes. Since the buffer that sscanf
is reading can be no longer than 1000 bytes, an increase in buffer
length is sufficient to fix the bug.
Apply the following patch to env.c, recompile cron and crontab, then
kill and restart cron.
*** env.old Mon Dec 16 20:09:49 1996
--- env.c Mon Dec 16 20:11:26 1996
***************
*** 95,101 ****
char *strcpy(), *sprintf();
long filepos;
int fileline;
! char name[MAX_TEMPSTR], val[MAX_ENVSTR];
int fields, strdtb();
void skip_comments();
--- 95,101 ----
char *strcpy(), *sprintf();
long filepos;
int fileline;
! char name[MAX_ENVSTR], val[MAX_ENVSTR];
int fields, strdtb();
void skip_comments();
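Review bot: The changed declaration "char name[MAX_ENVSTR], val[MAX_ENVSTR];" is safe only as long as the line being parsed can never be longer than MAX_ENVSTR bytes, and nothing in this hunk enforces or documents that dependency. The write into name is still unbounded, so a later change to either constant, or to the size of the buffer the line is read into, would bring the overflow back without any change to this function. Consider adding a comment at the declaration that ties name and val to the size of the input buffer, and an explicit length check on the variable name before it is copied, so the bound is enforced at the point of the write rather than implied by matching array sizes.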
Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.
You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories
You can browse our web site at http://www.secnet.com
You can subscribe to our security advisory mailing list by sending mail to
majordomo@secnet.com with the line "subscribe sni-advisories"