TUCoPS :: Unix :: General :: vixie96.txt

SNI Security Advisory - Vulnerability in Vixie cron (96/12/16)


			######    ##   ##    ######
			##        ###  ##      ##
			######    ## # ##      ##
			    ##    ##  ###      ##
			###### .  ##   ## .  ######.

			    Secure Networks Inc.

			     Security Advisory
			     December 16, 1996

			 Vulnerability in Vixie Cron

During September, we became aware of a vulnerability in Vixie Cron 2.1
which allows attackers to obtain root access.  It is recommended that
security conscious administrators apply the attached patch.

Technical Details
~~~~~~~~~~~~~~~~~
One of the many features of Vixie Cron 2.1 is that it allows users to
set environment variables in their crontab.  In parsing these environment
variables, in the form:
VARIABLE=VALUE
it uses the function sscanf on a 1000 byte buffer.  Unfortunately, Vixie
Cron 2.1 does no length checking of the variable name, and attempts to 
stuff it into a 100 byte buffer.  Thus, by creating a crontab file which
contains a variable with a name longer than 100 characters, it is possible
to overflow the buffer, and obtain root access.

Impact
~~~~~~
Users with a valid account, and permission to run cron jobs (via
cron.allow and cron.deny) can obtain root access.

Vulnerable Systems
~~~~~~~~~~~~~~~~~~
All systems incorporating Vixie Cron 2.1 without modifications,
including, but not limited to:
Redhat Linux
BSD/OS 2.x
OpenBSD 1.x
NetBSD 1.2
FreeBSD 2.1.5
Any system where the default cron was replaced with Vixie Cron

Fix Information
~~~~~~~~~~~~~~~
Increase the length of the buffer used by crontab to store the
environment variable name to 1000 bytes.  Since the buffer that sscanf
is reading can no longer than 1000 bytes, an increase in buffer
length is sufficient to fix the bug.

Apply the following patch to env.c, recompile cron and crontab, then
kill and restart cron.


*** env.old     Mon Dec 16 20:09:49 1996
--- env.c       Mon Dec 16 20:11:26 1996
***************
*** 95,101 ****
	char    *strcpy(), *sprintf();
	long    filepos;
	int     fileline;
!       char    name[MAX_TEMPSTR], val[MAX_ENVSTR];
	int     fields, strdtb();
	void    skip_comments();
  
--- 95,101 ----
	char    *strcpy(), *sprintf();
	long    filepos;
	int     fileline;
!       char    name[MAX_ENVSTR], val[MAX_ENVSTR];
	int     fields, strdtb();
	void    skip_comments();
  


Copyright
~~~~~~~~~
The contents of this advisory are Copyright (c) 1996 Secure Networks Inc,
and may be freely reproduced provided that no fee is charged for
reproduction and proper credit is given.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH