|
Bugtraq
mailing list archives
Re: vixie cron possible local root compromise
From: Alfred Perlstein <bright () WINTELCOM NET>
Date: Tue, 13 Feb 2001 15:00:23 -0800
* Andrew Brown <atatat () ATATDOT NET> [010213 14:38] wrote:
When crontab has determined the name of the user calling crontab (using
getpwuid()),
the login name is stored in a 20 byte buffer using the strcpy() function
(which does no bounds checking). 'useradd' (the utility used to add users
to the system)
however allows usernames of over 20 characters (32 at most on my distribution).
i can see how this is an "issue", but don't you already have to be
root to get a user name longer than 20 characters? or are you just
assuming that some admins out there will fail to balk at such a
strange request?
I vaguely remeber some packages that allow non-root users to add
other non-root users, if the wrapper script/program isn't careful
about limiting the username someone trusted to do account additions
may gain root if this is exploitable.
--
-Alfred Perlstein - [bright () wintelcom net|alfred () freebsd org]
"I have the heart of a child; I keep it in a jar on my desk."
 By Date 
By Thread
Current thread:
- Re: vixie cron possible local root compromise, (continued)
Re: vixie cron possible local root compromise Kris Kennaway (Feb 13)
Re: vixie cron possible local root compromise Andrew Brown (Feb 13)
- Re: vixie cron possible local root compromise Alfred Perlstein (Feb 13)
Re: vixie cron possible local root compromise Mark van Reijn (Feb 12)
Re: vixie cron possible local root compromise Wolfgang Wieser (Feb 15)
Re: vixie cron possible local root compromise Settle, Sean (Feb 15)
| 
Intro
