Bugtraq: Re: vixie cron possible local root compromise

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: vixie cron possible local root compromise

From: Wolfgang Wieser <wwieser () GMX DE>
Date: Wed, 14 Feb 2001 20:19:28 +0100

Note that the proposed patch...

<       strcpy(User, pw->pw_name);
---

      strncpy(User, pw->pw_name, MAX_UNAME - 1);


does not completely patch the hole. Okay, shellcode
will get cut off, but strncpy() does not '\0'-terninate the
strings but I saw that the rest of the code (notably the
next line strcpy(RealUser, User); ) assumes a
standard '\0'-terninated string.
So, the patch would be

<       strcpy(User, pw->pw_name);
---

      strncpy(User, pw->pw_name, MAX_UNAME - 1);
      User[MAX_UNAME-1]='\0';


wwieser

By Date By Thread

Current thread:

Re: vixie cron possible local root compromise, (continued)
- Re: vixie cron possible local root compromise Kris Kennaway (Feb 13)
- Re: vixie cron possible local root compromise Andrew Brown (Feb 13)
  - Re: vixie cron possible local root compromise Alfred Perlstein (Feb 13)
- Re: vixie cron possible local root compromise Mark van Reijn (Feb 12)
- Re: vixie cron possible local root compromise Wolfgang Wieser (Feb 15)
- Re: vixie cron possible local root compromise Settle, Sean (Feb 15)