[mtoseland () cableinet co uk: cron 3.0.pl1-63 doesn't close filehandles, compromises /var/run/crond.reboot from any user]

[Matthew Toseland <mtoseland () CABLEINET CO UK>]

This appears to be debian-specific. How to exploit, other than DoS attacks/quota
bypass? What does /var/run/crond.reboot do? BTW, is fixed now and appears to be
debian-specific. Ben Greenbaum said post to vuln-dev.
> --- Begin Message ---
>
>
> From: Matthew Toseland <mtoseland () cableinet co uk>
>
> Date: Sun, 25 Feb 2001 01:49:39 +0000
>
> Hi. I have discovered a problem with the cron 3.0pl1-63 in woody.
> It does not close /var/run/crond.reboot when it forks and setuids. So any user
> who has a crontab can write to /var/run/crond.reboot, which is created with
> permissions 0000 and user/group root/root. This may or may not be exploitable
> for elevated privelidge, but at the very least could be a quota violation or
> similar, leading to local DoS of the /var filesystem, hence disabling logging,
> mail, restarting of system daemons... on most systems. Note that this only
> works if there is a /var/run/crond.reboot.
> Sample code:
>
> #include <stdio.h>
> #include <unistd.h>
>
> void main()
> {
>    char* p = "hahahahahahahahahahahahahahahahahahahaha\n";
>    int x = strlen(p);
>    write(6,p,x-1);
>    close(6);
> }
> Compile and insert into your crontab. DoS variant is obvious. Is this a known
> problem? Is it fixed now? (my debian stopped updating because of local problems
> for a while). When will it be fixed? I will post to bugtraq in a week or so -
> this is your chance to fix it quickly before it becomes general knowledge - if
> it hasn't already become general knowledge amoung blackhats.
>
>
> --- End Message ---