Vulnerability in Vixie Cron Title: Vulnerability in Vixie Cron Date Issued: December 16, 1996 Last Modified: December 16, 1996 Code: SNI-02 Source: Network Associates (was SNI) ###### ## ## ###### ## ### ## ## ###### ## # ## ## ## ## ### ## ###### . ## ## . ######. Secure Networks Inc. Security Advisory December 16, 1996 Vulnerability in Vixie Cron During September, we became aware of a vulnerability in Vixie Cron 2.1 which allows attackers to obtain root access. It is recommended that security conscious administrators apply the attached patch. Technical Details ~~~~~~~~~~~~~~~~~ One of the many features of Vixie Cron 2.1 is that it allows users to set environment variables in their crontab. In parsing these environment variables, in the form: VARIABLE=VALUE it uses the function sscanf on a 1000 byte buffer. Unfortunately, Vixie Cron 2.1 does no length checking of the variable name, and attempts to stuff it into a 100 byte buffer. Thus, by creating a crontab file which contains a variable with a name longer than 100 characters, it is possible to overflow the buffer, and obtain root access. Impact ~~~~~~ Users with a valid account, and permission to run cron jobs (via cron.allow and cron.deny) can obtain root access. Vulnerable Systems ~~~~~~~~~~~~~~~~~~ All systems incorporating Vixie Cron 2.1 without modifications, including, but not limited to: Redhat Linux BSD/OS 2.x OpenBSD 1.x NetBSD 1.2 FreeBSD 2.1.5 Any system where the default cron was replaced with Vixie Cron Fix Information ~~~~~~~~~~~~~~~ Increase the length of the buffer used by crontab to store the environment variable name to 1000 bytes. Since the buffer that sscanf is reading can no longer than 1000 bytes, an increase in buffer length is sufficient to fix the bug. Apply the following patch to env.c, recompile cron and crontab, then kill and restart cron. *** env.old Mon Dec 16 20:09:49 1996 --- env.c Mon Dec 16 20:11:26 1996 *************** *** 95,101 **** char *strcpy(), *sprintf(); long filepos; int fileline; ! char name[MAX_TEMPSTR], val[MAX_ENVSTR]; int fields, strdtb(); void skip_comments(); --- 95,101 ---- char *strcpy(), *sprintf(); long filepos; int fileline; ! char name[MAX_ENVSTR], val[MAX_ENVSTR]; int fields, strdtb(); void skip_comments(); Copyright Notice ~~~~~~~~~~~~~~~~ The contents of this advisory are Copyright (C) 1997 Secure Networks Inc, and may be distributed freely provided that no fee is charged for distribution, and that proper credit is given. You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers and advisories at ftp://ftp.secnet.com/advisories You can browse our web site at http://www.secnet.com You can subscribe to our security advisory mailing list by sending mail to majordomo@secnet.com with the line "subscribe sni-advisories"