Dillon crontab 2.2 overflow

Summary

Description:	standard overflow
Author:	"KSR[T]" <ksrt@DEC.NET>
Compromise:	root (local)
Vulnerable Systems:	Slackware Linux 3.4, other systems that runn dillon crontab / crond ( dcron 2.2 )
Date:	9 December 1997

Details


Date: Tue, 9 Dec 1997 03:15:45 -0800
From: "KSR[T]" <ksrt@DEC.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: KSR[T] #005: Dillon crontab / crond

-----
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net
-----

                                                          KSR[T] Advisory #005
                                                          Date:   Dec  6, 1997
                                                          ID #:   lin-dcrn-005

Operating System(s): Slackware 3.4

Affected Program:    dillon crontab / crond ( dcron 2.2 )

Problem Description: The crond that comes with Slackware 3.4 contains
                     a locally exploitable buffer overflow.  When crond
                     attempts to run a particular cronjob, it will take
                     the user specified command line and copy it into
                     an automatic variable via vsprintf().  ( This is
                     done when the function RunJob() calls fdprintf(),
                     in job.c and subs.c respectively. )

                     A quick glance shows another potential overflow
                     in subs.c, involving the logging functions.  This
                     is also fixed in the patch below.

Compromise:          Users with an account on the machine can gain
                     root access.

Patch/Fix:           We would like to thank Erik Schorr for prividing
                     us with this patch:

-- cut here --

Slackware 3.4 crond fix

/usr/sbin/crond is installed with the bin.tgz package in Slackware 3.4.  A
patched version of this package is available from the Slackware FTP site:

ftp://ftp.cdrom.com/pub/linux/slackware-3.4/slakware/a2/bin.tgz

The source and patch can also be found on the FTP site:

ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.tar.gz
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.diff.gz

MD5 sums for the source, patch, and binary package follow:

a76744f19a9361cb5b5d93dcc2bf503f  bin.tgz
9eb478dba39eb8a708dbd6764d6c6ad9  dcron22.tar.gz
c248f7871cf6ba84267cbd90c9c3f084  dcron22.diff.gz

-- cut here --

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: