Re: vixiecron.

irvdwijk@cs.vu.nl
Fri, 5 Aug 1994 16:17:18 +0200 (MET DST)

Cor wrote
> 
> 
> One of the bugs I found and reported to Vixie about a year ago regarding
> his vixiecron, was that you could do the following:
> 
> MAILTO="whatever; /bin/cp /bin/sh /tmp; chmod 4777 /tmp/sh"
> 
> He fixed this, and with it introduced a new bug we also reported.
> I can't really remember the details, but it had something to do with
> a temporary file he was using, that you could predict, and thus link
> to /etc/master.passwd or something.
> 
I heard that there were three major security holes in previous versions of
VixieCron. Two of them I know, the one you, Cor, described (with MAILTO)
and the one using the '-r' switch:

	crontab -r /etc/master.passwd
	crontab -l

Does anyone know the third? Is it, like Cor said, with a tempfile?
> Cor

	Ivo

PS: To fix these bugs (or at least, to disable them):
    You can disable the MAILTO bug by denying access 
    (/var/spool/cron/{allow,deny} I think). 
    To disable the bug in crontab (-r), you will probably have to
    remove the setuid bit. As far as I know, upgrading to the latest
    version (3.*) should also be safe (though I never checked this version
    for bugs)

-- 
------------------------------------------------------------------------
Name:     Ivo van der Wijk  | It won't give up it wants me dead
Internet: irvdwijk@cs.vu.nl | this goddamn noise inside my head
IRC:      VladDrac          |                                |\|||/| 
URL:	  http://www.hut.nl/users/ivo
------------------------------------------------------------------------
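
Added example, not part of the original message and not Vixie cron's own code: one way a cron-like daemon can keep a MAILTO value such as the one quoted above from reaching a shell, by allowlisting the recipient and building an argument vector for `execv()` instead of a command string. The helper names, the allowed character set, the length limit and the mailer path are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAILER "/usr/sbin/sendmail"   /* assumed mailer path */
#define MAX_RCPT 255                  /* assumed length limit */

/* Hypothetical helper: 1 if the MAILTO value is acceptable as a single
 * recipient argument, 0 otherwise. Allowlist: letters, digits, "@._+-". */
int mailto_is_safe(const char *s)
{
    size_t n = 0;

    /* Reject empty values and anything the mailer could parse as an option. */
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    for (; *s != '\0'; s++, n++) {
        unsigned char c = (unsigned char)*s;
        if (n >= MAX_RCPT)
            return 0;
        if (!isalnum(c) && strchr("@._+-", c) == NULL)
            return 0;   /* spaces, ';', quotes, backticks, '/' and so on */
    }
    return 1;
}

/* Hypothetical helper: fill argv for execv(MAILER, (char *const *)argv).
 * No shell is started, so the recipient is only ever a single argument.
 * Returns 0 on success, -1 if the recipient is rejected. */
int build_mail_argv(const char *mailto, const char *argv[3])
{
    if (!mailto_is_safe(mailto))
        return -1;
    argv[0] = MAILER;
    argv[1] = mailto;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    /* First value is the one quoted in the message; the second is constructed. */
    const char *samples[] = {
        "whatever; /bin/cp /bin/sh /tmp; chmod 4777 /tmp/sh",
        "root@example.org",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %s\n", mailto_is_safe(samples[i]) ? "accept" : "reject", samples[i]);
    return 0;
}
```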