Bugtraq mailing list archives
Re: vixie cron possible local root compromise
From: Alfred Perlstein <bright () WINTELCOM NET>
Date: Tue, 13 Feb 2001 15:00:23 -0800
* Andrew Brown <atatat () ATATDOT NET> [010213 14:38] wrote:
> > When crontab has determined the name of the user calling crontab (using getpwuid()), the login name is stored in a 20 byte buffer using the strcpy() function (which does no bounds checking). 'useradd' (the utility used to add users to the system) however allows usernames of over 20 characters (32 at most on my distribution).
>
> i can see how this is an "issue", but don't you already have to be root to get a user name longer than 20 characters? or are you just assuming that some admins out there will fail to balk at such a strange request?

I vaguely remember some packages that allow non-root users to add other non-root users. If the wrapper script/program isn't careful about limiting the username, someone trusted to do account additions may gain root if this is exploitable.

--
-Alfred Perlstein - [bright () wintelcom net|alfred () freebsd org]
"I have the heart of a child; I keep it in a jar on my desk."
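The copy discussed in this thread, with the length check the quoted advisory says is missing, as an added example that is not part of the original post and not vixie cron's source. The names `copy_login_name`, `caller_login_name` and `NAME_BUF` are hypothetical, and the sample login names are constructed.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define NAME_BUF 20   /* buffer size quoted in the advisory text */

/* Pattern the advisory describes, kept as a comment only:
 *     char user[NAME_BUF];
 *     strcpy(user, pw->pw_name);      no bounds check
 */

/* Copy a login name into dst only if it fits, terminator included.
 * Returns 0 on success, -1 with errno set. Over-long names are rejected
 * rather than truncated: a truncated name could match another account. */
int copy_login_name(char *dst, size_t dstsz, const char *name)
{
    if (dst == NULL || dstsz == 0 || name == NULL) { errno = EINVAL; return -1; }
    dst[0] = '\0';                                   /* fail closed */
    const char *end = memchr(name, '\0', dstsz);     /* scans at most dstsz bytes */
    if (end == NULL) { errno = ENAMETOOLONG; return -1; }
    if (end == name) { errno = EINVAL; return -1; }  /* empty name */
    memcpy(dst, name, (size_t)(end - name) + 1);
    return 0;
}

/* Look up the calling user via getpwuid(), as the advisory says crontab
 * does, but hand the result to the bounded copy above. */
int caller_login_name(char *dst, size_t dstsz)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) { errno = ENOENT; return -1; }
    return copy_login_name(dst, dstsz, pw->pw_name);
}

int main(void)
{
    /* Constructed sample names: 5, 19, 20 and 32 characters long. */
    const char *samples[] = { "alice", "nineteen_chars_name",
                              "twenty_character_nam",
                              "a_login_name_of_32_characters_xx" };
    char user[NAME_BUF];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = copy_login_name(user, sizeof user, samples[i]);
        printf("%-34s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return caller_login_name(user, sizeof user) == 0 ? 0 : 1;
}
```

The same length limit belongs in any wrapper that lets non-root users create accounts, so that an over-long name is refused before it reaches the password database.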