From owner-freebsd-bugs Sun Jan 2 12:27:14 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from muschel.global-phun.net (muschel.Global-Phun.net [212.6.148.36]) by hub.freebsd.org (Postfix) with ESMTP id 4581514D0B for ; Sun, 2 Jan 2000 12:27:10 -0800 (PST) (envelope-from op@pahl.net)
Received: from localhost (op@localhost [127.0.0.1]) by muschel.global-phun.net (8.8.8/8.8.8) with ESMTP id VAA12796; Sun, 2 Jan 2000 21:21:51 +0100
Date: Sun, 2 Jan 2000 21:21:51 +0100 (MET)
From: Ole Pahl
X-Sender: op@muschel.global-phun.net
To: bugtraq@securityfocus.com, submission@rootshell.com, cert@cert.org, cert@cert.dfn.de, freebsd-bugs@freebsd.org, info@suse.de, paul@vix.com, info@vix.com
Subject: Bug in recent versions of Vixie cron
Message-ID:
Organization: PAHL.NET Network Solutions
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I've just discovered a bug in Vixie cron allowing local users with access to their own crontabs to gain root access. Sendmail is called as root, thus allowing users to specify the -C option causing Sendmail to use a user-specified configuration file:

    MAILTO='-C/home/someuser/sendmail.cf someuser'
    * * * * * /bin/non-existent-binary-causing-error-message

By configuring Sendmail to use a pipe command executed with UID 0 for local mail delivery, arbitrary commands can be executed as root.

This problem seems to be present in current versions of Vixie cron, e.g. those used in operating systems like FreeBSD 3.4-RC as well as certain Linux distributions such as SuSE Linux 6.2.

This message has been sent to Paul Vixie as well, so I guess a patch fixing this issue will be available soon.

Full exploits seem to be available, but don't ask me to send you one. As this problem is not related to a buffer overflow condition, having a non-executable stack won't help you.

Temporary solution: Disable crontab access for non-root users.

Regards,
Ole Pahl

--
Ole Pahl                       Hamburg / Germany     Fon: +49 40 7807 2601
PAHL.NET Network Solutions     Mail: info@pahl.net   Fax: +49 40 7807 2602
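
An added example, not part of the original message and not cron's own code: a check that classifies crontab lines and rejects a MAILTO value that the mailer would parse as an option or as more than one argument. The function names and the character allow-list are assumptions made for illustration; the sample input is the MAILTO line quoted in the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if the len bytes at addr are safe to pass to the
 * mailer as a single recipient argument. The allow-list is an assumption. */
int mailto_is_safe(const char *addr, size_t len)
{
    static const char extra[] = "@.+_-";    /* allowed besides alphanumerics */

    if (len == 0 || addr[0] == '-')         /* empty, or parsed as an option */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c == 0 || c > 127 || (!isalnum(c) && strchr(extra, c) == NULL))
            return 0;                       /* whitespace, '/', quotes, ... */
    }
    return 1;
}

/* Classify one crontab line: 0 = not a MAILTO setting, 1 = safe, -1 = unsafe. */
int check_crontab_line(const char *line)
{
    size_t n;

    line += strspn(line, " \t");
    if (strncmp(line, "MAILTO", 6) != 0)
        return 0;
    line += 6 + strspn(line + 6, " \t");
    if (*line != '=')
        return 0;
    line += 1 + strspn(line + 1, " \t");
    n = strcspn(line, "\r\n");
    while (n > 0 && (line[n - 1] == ' ' || line[n - 1] == '\t'))
        n--;                                /* trim trailing blanks */
    if (n >= 2 && (*line == '\'' || *line == '"') && line[n - 1] == *line) {
        line++;                             /* strip matching quotes */
        n -= 2;
    }
    if (n == 0)
        return 1;                           /* empty MAILTO: no mail is sent */
    return mailto_is_safe(line, n) ? 1 : -1;
}

int main(void)
{
    /* Constructed input: the MAILTO line quoted in the report. */
    const char *l = "MAILTO='-C/home/someuser/sendmail.cf someuser'";
    printf("%s -> %d\n", l, check_crontab_line(l));
    return 0;
}
```

The same check can be run over existing user crontabs to find entries that should be reviewed before crontab access is re-enabled.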