KSR[T] #005: Dillon crontab / crond

KSR[T] (ksrt@DEC.NET)
Tue, 09 Dec 1997 03:15:45 -0800

-----
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net
-----

KSR[T] Advisory #005
Date: Dec 6, 1997
ID #: lin-dcrn-005

Operating System(s): Slackware 3.4

Affected Program: dillon crontab / crond ( dcron 2.2 )

Problem Description: The crond that comes with Slackware 3.4 contains
a locally exploitable buffer overflow. When crond
attempts to run a particular cronjob, it will take
the user specified command line and copy it into
an automatic variable via vsprintf(). ( This is
done when the function RunJob() calls fdprintf(),
in job.c and subs.c respectively. )

A quick glance shows another potential overflow
in subs.c, involving the logging functions. This
is also fixed in the patch below.

Compromise: Users with an account on the machine can gain
root access.

Patch/Fix: We would like to thank Erik Schorr for prividing
us with this patch:

-- cut here --

Slackware 3.4 crond fix

/usr/sbin/crond is installed with the bin.tgz package in Slackware 3.4. A
patched version of this package is available from the Slackware FTP site:

ftp://ftp.cdrom.com/pub/linux/slackware-3.4/slakware/a2/bin.tgz

The source and patch can also be found on the FTP site:

ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.tar.gz
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.diff.gz

MD5 sums for the source, patch, and binary package follow:

a76744f19a9361cb5b5d93dcc2bf503f bin.tgz
9eb478dba39eb8a708dbd6764d6c6ad9 dcron22.tar.gz
c248f7871cf6ba84267cbd90c9c3f084 dcron22.diff.gz

-- cut here --