Bugtraq: Re: vixie cron possible local root compromise

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: vixie cron possible local root compromise

From: Kris Kennaway <kris () OBSECURITY ORG>
Date: Mon, 12 Feb 2001 19:42:57 -0800

On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:

the login name is stored in a 20 byte buffer using the strcpy() function
(which does no bounds checking). 'useradd' (the utility used to add users
to the system)
however allows usernames of over 20 characters (32 at most on my distribution).

Therefore, running crontab as a user whose login name exceeds 20 characters
crashes it.


I don't see any real-world scenarios where this would be exploitable -
usernames must be set by the administrator.  Even in the case of
e.g. a hostile NIS server, the NIS server can probably just add an
account with uid 0 and log in to the client with root privileges.

Kris

Attachment: _bin
Description:

By Date By Thread

Current thread:

Re: vixie cron possible local root compromise, (continued)
- Re: vixie cron possible local root compromise Kris Kennaway (Feb 13)
- Re: vixie cron possible local root compromise Andrew Brown (Feb 13)
  - Re: vixie cron possible local root compromise Alfred Perlstein (Feb 13)
- Re: vixie cron possible local root compromise Mark van Reijn (Feb 12)
- Re: vixie cron possible local root compromise Wolfgang Wieser (Feb 15)
- Re: vixie cron possible local root compromise Settle, Sean (Feb 15)