Bugtraq mailing list archives
Re: vixiecron.
From: irvdwijk () cs vu nl (irvdwijk () cs vu nl)
Date: Fri, 5 Aug 1994 16:17:18 +0200 (MET DST)
Cor wrote
> One of the bugs I found and reported to Vixie about a year ago regarding his vixiecron, was that you could do the following:
>
> MAILTO="whatever; /bin/cp /bin/sh /tmp; chmod 4777 /tmp/sh"
>
> He fixed this, and with it introduced a new bug we also reported. I can't really remember the details, but it had something to do with a temporary file he was using, that you could predict, and thus link to /etc/master.passwd or something.

I heard that there were three major security holes in previous versions of VixieCron. Two of them I know, the one you, Cor, described (with MAILTO) and the one using the '-r' switch:

crontab -r /etc/master.passwd
crontab -l

Anyone know the third? Is it, like Cor said, with a tempfile?

> Cor

Ivo

PS: To fix these bugs (or at least, to disable them): You can disable the MAILTO bug by denying access (/var/spool/cron/{allow,deny} I think). To disable the bug in crontab (-r), you will probably have to remove the setuid bit. As far as I know, upgrading to the latest version (3.*) should also be safe (though I never checked this version for bugs).

--
------------------------------------------------------------------------
Name:     Ivo van der Wijk      | It won't give up it wants me dead
Internet: irvdwijk () cs vu nl  | this goddamn noise inside my head
IRC:      VladDrac              | |\|||/|
URL:      http://www.hut.nl/users/ivo
------------------------------------------------------------------------