###### ## ## ###### ## ### ## ## ###### ## # ## ## ## ## ### ## ###### . ## ## . ######. Secure Networks Inc. Security Advisory December 16, 1996 Vulnerability in Vixie Cron During September, we became aware of a vulnerability in Vixie Cron 2.1 which allows attackers to obtain root access. It is recommended that security conscious administrators apply the attached patch. Technical Details ~~~~~~~~~~~~~~~~~ One of the many features of Vixie Cron 2.1 is that it allows users to set environment variables in their crontab. In parsing these environment variables, in the form: VARIABLE=VALUE it uses the function sscanf on a 1000 byte buffer. Unfortunately, Vixie Cron 2.1 does no length checking of the variable name, and attempts to stuff it into a 100 byte buffer. Thus, by creating a crontab file which contains a variable with a name longer than 100 characters, it is possible to overflow the buffer, and obtain root access. Impact ~~~~~~ Users with a valid account, and permission to run cron jobs (via cron.allow and cron.deny) can obtain root access. Vulnerable Systems ~~~~~~~~~~~~~~~~~~ All systems incorporating Vixie Cron 2.1 without modifications, including, but not limited to: Redhat Linux BSD/OS 2.x OpenBSD 1.x NetBSD 1.2 FreeBSD 2.1.5 Any system where the default cron was replaced with Vixie Cron Fix Information ~~~~~~~~~~~~~~~ Increase the length of the buffer used by crontab to store the environment variable name to 1000 bytes. Since the buffer that sscanf is reading can no longer than 1000 bytes, an increase in buffer length is sufficient to fix the bug. Apply the following patch to env.c, recompile cron and crontab, then kill and restart cron. *** env.old Mon Dec 16 20:09:49 1996 --- env.c Mon Dec 16 20:11:26 1996 *************** *** 95,101 **** char *strcpy(), *sprintf(); long filepos; int fileline; ! char name[MAX_TEMPSTR], val[MAX_ENVSTR]; int fields, strdtb(); void skip_comments(); --- 95,101 ---- char *strcpy(), *sprintf(); long filepos; int fileline; ! char name[MAX_ENVSTR], val[MAX_ENVSTR]; int fields, strdtb(); void skip_comments(); Copyright ~~~~~~~~~ The contents of this advisory are Copyright (c) 1996 Secure Networks Inc, and may be freely reproduced provided that no fee is charged for reproduction and proper credit is given.