From ksrt@DEC.NET Tue Dec 9 16:14:47 1997 From: "KSR[T]" To: BUGTRAQ@NETSPACE.ORG Date: Tue, 9 Dec 1997 03:15:45 -0800 Subject: KSR[T] #005: Dillon crontab / crond ----- KSR[T] Website : http://www.dec.net/ksrt E-mail: ksrt@dec.net ----- KSR[T] Advisory #005 Date: Dec 6, 1997 ID #: lin-dcrn-005 Operating System(s): Slackware 3.4 Affected Program: dillon crontab / crond ( dcron 2.2 ) Problem Description: The crond that comes with Slackware 3.4 contains a locally exploitable buffer overflow. When crond attempts to run a particular cronjob, it will take the user specified command line and copy it into an automatic variable via vsprintf(). ( This is done when the function RunJob() calls fdprintf(), in job.c and subs.c respectively. ) A quick glance shows another potential overflow in subs.c, involving the logging functions. This is also fixed in the patch below. Compromise: Users with an account on the machine can gain root access. Patch/Fix: We would like to thank Erik Schorr for prividing us with this patch: -- cut here -- Slackware 3.4 crond fix /usr/sbin/crond is installed with the bin.tgz package in Slackware 3.4. A patched version of this package is available from the Slackware FTP site: ftp://ftp.cdrom.com/pub/linux/slackware-3.4/slakware/a2/bin.tgz The source and patch can also be found on the FTP site: ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.tar.gz ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.diff.gz MD5 sums for the source, patch, and binary package follow: a76744f19a9361cb5b5d93dcc2bf503f bin.tgz 9eb478dba39eb8a708dbd6764d6c6ad9 dcron22.tar.gz c248f7871cf6ba84267cbd90c9c3f084 dcron22.diff.gz -- cut here --