
File: [local] / www / advisories / sni_02_cron.txt

Revision 1.1, Tue Sep 28 21:11:36 1999 UTC (24 years, 8 months ago) by deraadt
Branch: MAIN
CVS Tags: HEAD

x -> x.txt

Vulnerability in Vixie Cron
      Title: Vulnerability in Vixie Cron
      Date Issued: December 16, 1996
      Last Modified: December 16, 1996
      Code: SNI-02
      Source: Network Associates (was SNI)

                        ######    ##   ##    ######
                        ##        ###  ##      ##
                        ######    ## # ##      ##
                            ##    ##  ###      ##
                        ###### .  ##   ## .  ######.

                            Secure Networks Inc.

                             Security Advisory
                             December 16, 1996

                         Vulnerability in Vixie Cron

During September, we became aware of a vulnerability in Vixie Cron 2.1
which allows attackers to obtain root access.  It is recommended that
security-conscious administrators apply the attached patch.

Technical Details
~~~~~~~~~~~~~~~~~
One of the many features of Vixie Cron 2.1 is that it allows users to
set environment variables in their crontab.  In parsing these environment
variables, in the form:
VARIABLE=VALUE
it uses the function sscanf on a 1000 byte buffer.  Unfortunately, Vixie
Cron 2.1 does no length checking of the variable name, and attempts to 
stuff it into a 100 byte buffer.  Thus, by creating a crontab file which
contains a variable with a name longer than 100 characters, it is possible
to overflow the buffer, and obtain root access.
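
The following is an added example, not code from Vixie Cron or from the
original advisory.  It shows one way to parse VARIABLE=VALUE with explicit
bounds so that an over-long name is rejected rather than copied.  The
function names and the sscanf format shown in the comment are assumptions;
the buffer sizes are the ones stated above.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENVSTR  1000   /* line buffer size stated in the advisory */
#define MAX_TEMPSTR 100    /* original size of name[] stated in the advisory */

/* Unsafe pattern described above, shown only as a comment.  The format
 * string is assumed, not quoted from cron's source:
 *     char name[MAX_TEMPSTR], val[MAX_ENVSTR];
 *     sscanf(line, "%[^=]=%[^\n]", name, val);    no bound on name
 */

/* Hypothetical helper: parse "NAME=VALUE" with explicit bounds.
 * Returns 1 on success, 0 if not an assignment, -1 if a field is too long. */
int parse_env_line(const char *line, char *name, size_t name_sz,
                   char *val, size_t val_sz)
{
    const char *eq = strchr(line, '=');
    size_t nlen, vlen;

    if (eq == NULL || eq == line)
        return 0;
    nlen = (size_t)(eq - line);
    vlen = strcspn(eq + 1, "\n");
    if (nlen >= name_sz || vlen >= val_sz)
        return -1;              /* reject instead of truncating or overflowing */
    memcpy(name, line, nlen);
    name[nlen] = '\0';
    memcpy(val, eq + 1, vlen);
    val[vlen] = '\0';
    return 1;
}

/* Constructed sample input: a crontab line whose name is n 'A' characters. */
int try_name_of_length(size_t n)
{
    char line[MAX_ENVSTR], name[MAX_TEMPSTR], val[MAX_ENVSTR];
    if (n + 3 > sizeof line)
        return -2;              /* would not fit the line buffer at all */
    memset(line, 'A', n);
    memcpy(line + n, "=x", 3);  /* copies the terminating NUL too */
    return parse_env_line(line, name, sizeof name, val, sizeof val);
}

int main(void)
{
    printf("99-char name:  %d\n", try_name_of_length(99));
    printf("100-char name: %d\n", try_name_of_length(100));
    return 0;
}
```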

Impact
~~~~~~
Users with a valid account, and permission to run cron jobs (via
cron.allow and cron.deny) can obtain root access.

Vulnerable Systems
~~~~~~~~~~~~~~~~~~
All systems incorporating Vixie Cron 2.1 without modifications,
including, but not limited to:
Redhat Linux
BSD/OS 2.x
OpenBSD 1.x
NetBSD 1.2
FreeBSD 2.1.5
Any system where the default cron was replaced with Vixie Cron

Fix Information
~~~~~~~~~~~~~~~
Increase the length of the buffer used by crontab to store the
environment variable name to 1000 bytes.  Since the buffer that sscanf
is reading can be no longer than 1000 bytes, an increase in buffer
length is sufficient to fix the bug.

Apply the following patch to env.c, recompile cron and crontab, then
kill and restart cron.


*** env.old     Mon Dec 16 20:09:49 1996
--- env.c       Mon Dec 16 20:11:26 1996
***************
*** 95,101 ****
        char    *strcpy(), *sprintf();
        long    filepos;
        int     fileline;
!       char    name[MAX_TEMPSTR], val[MAX_ENVSTR];
        int     fields, strdtb();
        void    skip_comments();
  
--- 95,101 ----
        char    *strcpy(), *sprintf();
        long    filepos;
        int     fileline;
!       char    name[MAX_ENVSTR], val[MAX_ENVSTR];
        int     fields, strdtb();
        void    skip_comments();
  
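
Review bot: at the changed declaration "char name[MAX_ENVSTR], val[MAX_ENVSTR];" the fix is only as strong as the assumption that the line passed to sscanf never exceeds MAX_ENVSTR bytes, and nothing in this hunk enforces or documents that coupling. Consider also bounding the copy itself (a field width in the sscanf format, or an explicit length check that rejects an over-long name), and add a comment beside the declaration stating that name and val must be at least as large as the input buffer, so that a later change to either size does not reopen the overflow.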


Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

 You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
 and advisories at ftp://ftp.secnet.com/advisories

 You can browse our web site at http://www.secnet.com

 You can subscribe to our security advisory mailing list by sending mail to
 majordomo@secnet.com with the line "subscribe sni-advisories"