From: Mike Pritchard
Subject: Re: cvs commit: src/usr.sbin/cron/cron Makefile do_command.c bitstring.3 bitstring.h
To: ache@freefall.cdrom.com (Andrey A. Chernov)
Date: Fri, 14 Apr 1995 03:52:08 -0500 (CDT)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: <199504132058.NAA27172@freefall.cdrom.com> from "Andrey A. Chernov" at Apr 13, 95 01:58:16 pm

> ache 95/04/13 13:58:15
>
> Modified: usr.sbin/cron/cron Makefile do_command.c
> Removed: usr.sbin/cron/cron bitstring.3 bitstring.h
> Log:
> Really fix MAILTO hole by parsing spaces.
> Remove local bitstring copy

So far I haven't been able to get root with this fix in, but there are still MAILTO related problems. If I feed cron a MAILTO variable that contains more than 100 arguments, it will core dump due to going past the end of an array. Someone might be able to exploit that somehow. For example:

MAILTO=a a a a a a a a ...and so on...arg101 arg102 arg103

I can also overrun the "mailcmd" buffer that the sendmail command + arguments is sprintfed into by having a 1000 character MAILTO variable. Both of these are good examples of why suid root programs that work with user supplied arguments should only accept arguments that conform to a strictly defined format.
Cron_popen() needs to be fixed to check that it isn't going past the end of the argument array to fix the above problem, and do_command() should call snprintf() instead of sprintf() to prevent overruns of the mailcmd buffer. There may be other ways to make cron blow up with a strange MAILTO variable, but these are the first two I found without much work. Again, changing cron to require that MAILTO only contain a valid local user name avoids both of these problems.

--
Mike Pritchard
pritc003@maroon.tc.umn.edu
"Go that way. Really fast. If something gets in your way, turn"
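The three fixes the mail asks for, written out as an added example (this is not FreeBSD's cron code and not the poster's): a bounded split of MAILTO into an argument array that refuses once the array is full, a mailcmd built with snprintf() that reports truncation instead of overrunning, and the stricter policy of accepting only a single local user name. The array size, buffer size, sendmail argument format and 16-character name limit are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Split a MAILTO value on spaces into argv[] (NULL-terminated), as cron_popen()
 * must do. Returns the token count, or -1 if the value would not fit the
 * scratch buffer or would need more argv slots than max_args provides. */
int split_mailto(const char *mailto, char *buf, size_t buflen,
                 char **argv, int max_args) {
    size_t len = strlen(mailto);
    if (len >= buflen) return -1;            /* refuse instead of overrunning buf */
    memcpy(buf, mailto, len + 1);
    int argc = 0;
    char *p = buf;
    while (*p) {
        while (*p == ' ') p++;               /* skip separators */
        if (!*p) break;
        if (argc >= max_args - 1) return -1; /* last slot is reserved for NULL */
        argv[argc++] = p;
        while (*p && *p != ' ') p++;
        if (*p) *p++ = '\0';
    }
    argv[argc] = NULL;
    return argc;
}

/* Assemble the mail command the way do_command() should: snprintf() with an
 * explicit size, and a check that nothing was truncated. Returns 0 or -1.
 * The argument format is assumed, not cron's actual MAILARGS string. */
int build_mailcmd(char *mailcmd, size_t len, const char *mailer,
                  const char *mailto) {
    int n = snprintf(mailcmd, len, "%s -FCronDaemon -odi -oem %s", mailer, mailto);
    if (n < 0 || (size_t)n >= len) return -1; /* would have overrun a sprintf() buffer */
    return 0;
}

/* The strict-format alternative the mail recommends: MAILTO must be one local
 * user name. Assumed rules: 1..16 chars, starts with a lowercase letter or '_',
 * then only lowercase letters, digits, '_' or '-'. No spaces, so no argv games. */
int is_local_username(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 16) return 0;
    if (!islower((unsigned char)s[0]) && s[0] != '_') return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!islower(c) && !isdigit(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}
```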