edit others user crontab, security bug
Edho Arief
me at myconan.net
Thu Sep 1 13:44:00 UTC 2016
Hi,
On Thu, Sep 1, 2016, at 21:47, Andrii Kuzik wrote:
> Probably a lot of freebsd servers affected
>
> Security bug allows to edit other users crontab
>
> root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp
> root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d
> /tmp
> root# echo @daily doit baby > /tmp/test
> root# crontab -u www.promspecbud.com.other /tmp/test
> root# crontab -u www.promspecbud.com -l
>
> =====output =====
> @daily doit baby
> =================
>
> root#echo @daily doit baby one more time>> /tmp/test
> root#sudo -u www.promspecbud.com.other crontab /tmp/test
> root#sudo -u www.promspecbud.com crontab -l
> =====output =====
> @daily doit baby
> @daily doit baby one more time
> =================
>
to be more specific, the bug is crontab truncates usernames to 19
characters as defined in cron.h:
#define MAX_UNAME 20 /* max length of username, should be
overkill */
# pw useradd users12345names67890
# crontab -u users12345names67890 -l
crontab: no crontab for users12345names6789
^-- cut off
More information about the freebsd-security
mailing list