Vixie crontab buffer overflow

vixie-crontab-bo (6098) Risk level: Medium

Description:

Vixie crontab is vulnerable to a denial of service attack caused by a buffer overflow in the strcpy function. Due to insufficient bounds checking of the login name in the strcpy function, an attacker can run crontab with a username containing more than 20 characters to overflow the buffer and cause the program to crash.
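The defect described above is an unbounded strcpy of the login name into a fixed-size buffer. The following C example is added here to illustrate it and is not code from the advisory or from Vixie cron itself: the vulnerable pattern appears only as a comment, and the hardened copy routine rejects any name that would not fit. The buffer size (20 characters plus a terminator, based on the advisory's statement that names longer than 20 characters overflow) and the function names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumption for this example: the advisory says a login name of more than
 * 20 characters overflows, so the buffer holds 20 characters plus a NUL. */
#define MAX_UNAME 20
#define UNAME_BUF (MAX_UNAME + 1)

/* The vulnerable pattern the advisory describes (illustration only, never
 * executed here): the login name is copied with no bounds check, so a name
 * longer than the buffer writes past its end and crashes the program.
 *
 *     static char User[UNAME_BUF];
 *     strcpy(User, pw->pw_name);
 */

/* Hardened replacement: measure the name against the destination size first
 * and refuse anything that does not fit with its terminator.
 * Returns 0 on success, -1 if the name is too long or an argument is invalid. */
int copy_login_name(char *dst, size_t dst_size, const char *name)
{
    size_t len = 0;

    if (dst == NULL || name == NULL || dst_size == 0)
        return -1;

    /* Stop counting at dst_size: a name that long cannot fit anyway, and
     * this avoids reading further than necessary. */
    while (len < dst_size && name[len] != '\0')
        len++;

    if (len >= dst_size)        /* no room left for the NUL terminator */
        return -1;

    memcpy(dst, name, len + 1); /* copy the name and its terminator */
    return 0;
}

/* Mirrors the fixed-size buffer from the advisory: returns 1 if the login
 * name is accepted, 0 if it would have overflowed the unchecked strcpy. */
int login_name_fits(const char *name)
{
    char user[UNAME_BUF];
    return copy_login_name(user, sizeof user, name) == 0;
}

int main(void)
{
    /* Constructed sample names: a normal one, one of exactly 20 characters,
     * and one of 21 characters that the original code would have overflowed. */
    const char *samples[] = {
        "alice",
        "abcdefghijklmnopqrst",
        "abcdefghijklmnopqrstu",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s length %2zu -> %s\n", samples[i], strlen(samples[i]),
               login_name_fits(samples[i]) ? "accepted" : "rejected (too long)");
    return 0;
}
```

The check is deliberately done on the destination size rather than by switching to strncpy, which does not terminate the buffer when the source is too long and would turn the crash into a silent truncation or an unterminated string.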

Platforms Affected:

  • HP, HP-UX 10.01
  • HP, HP-UX 10.10
  • HP, HP-UX 10.20
  • HP, HP-UX 10.24
  • HP, HP-UX 11.00
  • HP, HP-UX 11.04
  • Immunix, Immunix OS 6.2
  • Immunix, Immunix OS 7.0-beta
  • MandrakeSoft, Mandrake Linux
  • Paul Vixie, Vixie Crontab 3.0.1-56
  • RedHat, Linux 5.2
  • RedHat, Linux 6.2
  • RedHat, Linux 7
  • RedHat, Linux 7.1
  • RedHat, Linux 7.2
  • RedHat, Linux 7.3

Remedy:

For Red Hat Linux 5.2:
Upgrade to the latest version of vixie cron (3.0.1-38.5.2 or later), as listed in RHSA-2001:014-03. See References.

For Red Hat Linux 6.2:
Upgrade to the latest version of vixie cron (3.0.1-40.1 or later), as listed in RHSA-2001:014-03. See References.

For Red Hat Linux 7.0:
Upgrade to the latest version of vixie cron (3.0.1-61 or later), as listed in RHSA-2001:014-03. See References.

For Immunix OS 6.2:
Upgrade to the latest version of vixie cron (3.0.1-40.1 or later), as listed in Immunix OS Security Advisory IMNX-2001-70-003-01. See References.

For Immunix OS 7.0-beta and 7.0:
Upgrade to the latest version of vixie cron (3.0.1-61 or later), as listed in Immunix OS Security Advisory IMNX-2001-70-003-01. See References.

For Linux-Mandrake 6.0, 6.1, 7.0, 7.1, 7.2, Corporate Server 1.0.1:
Upgrade to the latest version of vixie cron (3.0.1-46 or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:022 : vixie-cron. See References.

For HP9000 Series 700/800 running HP-UX 11.00, 11.04, 10.20, 10.24, 10.10, and 10.01:
Apply appropriate patch for your system, as listed in Hewlett-Packard Security Bulletin #0146 (HPSBUX0103-146). See References.

For other distributions:
Contact your vendor for upgrade or patch information.

As a workaround, remove the setuid bit on /usr/bin/crontab.

Consequences:

Denial of Service

References:

Reported:

Feb 10, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
