Path: sserve!newshost.anu.edu.au!munnari.oz.au!network.ucsd.edu!ogicse!uwm.edu!cs.utexas.edu!not-for-mail
From: Gorgonio@fee.unicamp.br
Newsgroups: comp.os.386bsd.bugs
Subject: [NetBSD V0.9] Crontab Security Problem
Message-ID: <9312171222.AA01518@fee.unicamp.br>
Date: 17 Dec 93 00:18:31 GMT
Article-I.D.: fee.9312171222.AA01518
Sender: daemon@cs.utexas.edu
Organization: UTexas Mail-to-News Gateway
Lines: 46
NNTP-Posting-Host: cs.utexas.edu
[...]
From: dreid@mailer.fsu.edu (Debi Reid)
Date: 11 Dec 93 20:17:50 GMT
Organization: Florida State University ACNS
NNTP-Posting-Host: mailer.fsu.edu
Lines: 24
There is a rather large hole in crontab I figured I would make
all aware of. The fix is simple, so it is not any big deal....
crontab happens to be SUID with root level priv's, so a person,
if they want your /etc/shadow can simply do a .....
    crontab -r /etc/shadow
    crontab -l
crontab will grab a copy of the /etc/shadow, and place it as a job
for the user to run in the /usr/spool/cron/crontabs. The -l will
then display the jobs, thus resulting in giving up the password.
I read about this on an "underground echo", and this person mentioned
that this worked on Linux boxes.. <Echo was hence named CCi
Cyber Crime International, I believe.... Anyrate>.. I run a
Linux box that several people have access to, and thought you might
wish to know about this.. the fix is simple, don't let users
run crontab.... That's the way I solved it.. Anyrate, any questions
please mail me...
Also, I am not interested in the moral rights and wrongs of this
post, so if you do not like it, don't read it...
----- End Included Message -----
It's also a NetBSD V0.9 hole!
Gorgonio
================================================================================
Gorgonio B. Ara'ujo |SIFEE - FEE - UNICAMP
Support Engineer |13.081.970 - Campinas/SP - Brazil
|phone: +55 192 397421
|fax: +55 192 391395
|Internet: Gorgonio@fee.unicamp.br
================================================================================
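
The report above describes a set-uid root program reading a file named by the caller. One common fix for that class of bug, added here as an example that is not from the post or from any crontab implementation, is to open the file with the invoking user's identity; `open_as_invoker` is a hypothetical helper name.

```c
/* Added example: hypothetical helper, not taken from any crontab source. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Open a caller-named file for reading with the invoking user's rights
 * instead of the set-uid owner's. Returns an fd, or -1 with errno set.
 * access() followed by open() is avoided: the file could be swapped
 * between the check and the open. */
int open_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, err;

    /* Drop the group first: once euid is unprivileged, changing egid
     * may no longer be permitted. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        err = errno;
        if (setegid(saved_egid) != 0)
            _exit(1);
        errno = err;
        return -1;
    }

    /* The kernel now checks permissions against the real uid and gid. */
    fd = open(path, O_RDONLY);
    err = errno;

    /* Regain privileges via the saved set-user-ID; stop if that fails. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        _exit(1);
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    int fd = open_as_invoker(argv[1]);
    if (fd < 0) { perror("open_as_invoker"); return 1; }
    puts("opened with the invoker's own permissions");
    close(fd);
    return 0;
}
```

Installed set-uid root and run by an ordinary user, this fails with a permission error on any file that user cannot already read.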