Date: Thu, 1 Sep 2016 18:56:04 +0200 (CEST)
From: Damian Weber
To: freebsd-security@freebsd.org
Subject: Re: edit others user crontab, security bug
In-Reply-To: <1472737438.3589865.712736753.5CFBB0DC@webmail.messagingengine.com>

On Thu, 1 Sep 2016, Edho Arief wrote:

> Date: Thu, 1 Sep 2016 15:43:58
> From: Edho Arief
> To: freebsd-security@freebsd.org
> Subject: Re: edit others user crontab, security bug
>
> Hi,
>
> On Thu, Sep 1, 2016, at 21:47, Andrii Kuzik wrote:
> > Probably a lot of freebsd servers affected
> >
> > Security bug allows to edit other users crontab
> >
> > root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp
> > root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp
> > root# echo @daily doit baby > /tmp/test
> > root# crontab -u www.promspecbud.com.other /tmp/test
> > root# crontab -u www.promspecbud.com -l
> >
> > =====output =====
> > @daily doit baby
> > =================
> >
> > root#echo @daily doit baby one more time>> /tmp/test
> > root#sudo -u www.promspecbud.com.other crontab /tmp/test
> > root#sudo -u www.promspecbud.com crontab -l
> > =====output =====
> > @daily doit baby
> > @daily doit baby one more time
> > =================
> >
>
> to be more specific, the bug is crontab truncates usernames to 19
> characters as defined in cron.h:
>
> #define MAX_UNAME 20 /* max length of username, should be overkill */
>
>
> # pw useradd users12345names67890
> # crontab -u users12345names67890 -l
> crontab: no crontab for users12345names6789
>                                            ^-- cut off

apart from the crontab user length there seem to be quite a lot of
possible values to choose from (MAXLOGNAME being the FreeBSD standard, right?)

$ cd /usr/include
$ egrep "^#define.*(USER|LOG)" */*h *.h| grep MAX |grep NAME
bsm/libbsm.h:#define AU_USER_NAME_MAX 50
netsmb/smb.h:#define SMB_MAXUSERNAMELEN 128
sys/param.h:#define MAXLOGNAME 33 /* max login name length (incl. NUL) */
sys/sysctl.h:#define USER_TZNAME_MAX 20 /* int: POSIX2_TZNAME_MAX */
limits.h:#define _POSIX_LOGIN_NAME_MAX 9
stdio.h:#define L_cuserid 17 /* size for cuserid(3); MAXLOGNAME, legacy */
unistd.h:#define _SC_LOGIN_NAME_MAX 73

--
Damian Weber
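
Added example, not part of the original message and not taken from FreeBSD's cron source: a C sketch of why copying a login name into a MAX_UNAME-sized buffer with silent truncation makes two accounts share one crontab, beside a strict copy that rejects names that do not fit. The function names copy_truncating, copy_strict and names_collide are hypothetical; MAX_UNAME and the account names are the ones quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

#define MAX_UNAME 20 /* value quoted from cron.h in the thread */

/* Truncating copy: keeps the first MAX_UNAME-1 bytes and silently drops the
 * rest. Models the reported behaviour; not copied from crontab.c. */
void copy_truncating(char *dst, const char *src)
{
    strncpy(dst, src, MAX_UNAME - 1);
    dst[MAX_UNAME - 1] = '\0';
}

/* Strict copy: 0 on success, -1 if the name does not fit (caller must abort). */
int copy_strict(char *dst, const char *src)
{
    size_t n = strlen(src);
    if (n >= MAX_UNAME)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* 1 if two different login names become the same name after truncation. */
int names_collide(const char *a, const char *b)
{
    char ta[MAX_UNAME], tb[MAX_UNAME];
    copy_truncating(ta, a);
    copy_truncating(tb, b);
    return strcmp(a, b) != 0 && strcmp(ta, tb) == 0;
}

int main(void)
{
    /* Account names taken from the thread. */
    const char *names[] = { "www.promspecbud.com", "www.promspecbud.com.other",
                            "users12345names67890" };
    char t[MAX_UNAME], s[MAX_UNAME];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        copy_truncating(t, names[i]);
        int ok = copy_strict(s, names[i]) == 0;
        printf("%-26s truncated=%-20s strict=%s\n", names[i], t,
               ok ? "accepted" : "rejected");
    }
    printf("collision: %d\n", names_collide(names[0], names[1]));
    return 0;
}
```

Since MAXLOGNAME in the listing above allows longer login names than MAX_UNAME does, any buffer sized by the smaller constant has to reject over-long names rather than shorten them.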