Bugtraq mailing list archives
Re: vixie cron possible local root compromise
From: Kris Kennaway <kris () OBSECURITY ORG>
Date: Mon, 12 Feb 2001 19:42:57 -0800
On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:
the login name is stored in a 20 byte buffer using the strcpy() function (which does no bounds checking). 'useradd' (the utility used to add users to the system) however allows usernames of over 20 characters (32 at most on my distribution). Therefore, running crontab as a user whose login name exceeds 20 characters crashes it.
I don't see any real-world scenarios where this would be exploitable - usernames must be set by the administrator. Even in the case of e.g. a hostile NIS server, the NIS server can probably just add an account with uid 0 and log in to the client with root privileges. Kris
Attachment:
_bin
Description:
Current thread:
- Re: vixie cron possible local root compromise, (continued)
- Re: vixie cron possible local root compromise Valentin Nechayev (Feb 12)
- Re: vixie cron possible local root compromise gabriel rosenkoetter (Feb 13)
- Re: vixie cron possible local root compromise Rodrigo Barbosa (aka morcego) (Feb 13)
- (CORRECTION) Re: vixie cron possible local root compromise Rodrigo Barbosa (aka morcego) (Feb 14)
- Re: vixie cron possible local root compromise Valdis Kletnieks (Feb 14)
- Re: vixie cron possible local root compromise Juergen P. Meier (Feb 15)
- Re: vixie cron possible local root compromise Nelson Brito (Feb 15)
- Re: vixie cron possible local root compromise Rodrigo Barbosa (aka morcego) (Feb 13)
- Re: vixie cron possible local root compromise Alan DeKok (Feb 13)
- Re: vixie cron possible local root compromise gabriel rosenkoetter (Feb 13)
- Re: vixie cron possible local root compromise Robert Bihlmeyer (Feb 15)
- Re: vixie cron possible local root compromise Alfred Perlstein (Feb 13)