Vulnerability

    cron

Affected

    cron 3.0.pl1-63

Description

    Matthew   Toseland   found   following.    This   appears   to  be
    debian-specific.   How to  exploit, other  than DoS  attacks/quota
    bypass?  What does /var/run/crond.reboot do?

    Matthew  have  discovered  a  problem  with  the cron 3.0pl1-63 in
    woody.  It does not close /var/run/crond.reboot when it forks  and
    setuids.  So   any  user   who  has   a  crontab   can  write   to
    /var/run/crond.reboot, which is created with permissions 0000  and
    user/group root/root.   This may  or may  not be  exploitable  for
    elevated  privelidge,  but  at  the  very  least  could be a quota
    violation or similar, leading to local DoS of the /var filesystem,
    hence disabling logging, mail, restarting of system daemons...  on
    most  systems.   Note  that  this   only  works  if  there  is   a
    /var/run/crond.reboot.  Sample code:

    #include <stdio.h>
    #include <unistd.h>
    
    void main()
    {
       char* p = "hahahahahahahahahahahahahahahahahahahaha\n";
       int x = strlen(p);
       write(6,p,x-1);
       close(6);
    }

    Compile and insert into your crontab.  DoS variant is obvious.

Solution

    BTW, is fixed now and appears to be debian-specific.