1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
|
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-96:20 Security Advisory
FreeBSD, Inc.
Topic: unauthorized access via buffer overruns
cron, crontab, ppp
Category: core
Module: cron, crontab, ppp
Announced: 1996-12-16
Affects: 1.0, 1.1, 2.1.0, 2.1.5, 2.1.6, 2.1.6.1
Corrected: 2.2-current as of various dates (see below)
2.1-stable as of various dates (see below)
FreeBSD only: yes
Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:20/
=============================================================================
I. Background
Buffer overrun (aka stack overflow) exploits in system
supplied and locally installed utilities are commonly
used by individuals wishing to obtain unauthorized access to
computer systems. The FreeBSD team has been reviewing and
fixing the source code pool to eliminate potential exploits
based on this technique. We've found several such exploits
(and more have been reported by other sources) and strongly
suggest that all operators of FreeBSD machines upgrade to
the latest version of FreeBSD (2.1.6.1 at the time of this
advisory) if there is a possibility for untrustworthy users
to have standard user level access to the system.
Most of these problems were fixed with the release of
FreeBSD 2.1.6.1, however the following were not:
In August of 1996, exploits were discovered in the
cron and crontab utilities in FreeBSD. These were fixed
in the -current source code pool in August of 1996, but
due to a clerical error, were not repaired in the older
-stable source code pool used to generate the FreeBSD
2.1.X distributions until 16-Dec-1996.
Recently, yet another buffer overrun was discovered
in the cron and crontab utilities in FreeBSD. The problem
was corrected on 16-Dec-1996 in both -current and -stable.
Also recently, a similar overrun has been discovered in the
ppp utility. This was fixed in both -current and
-stable source code pools on 16-Dec-1996.
II. Problem Description
The programs in question store user-supplied information
in internal buffers. There is no range checking on length
of the data copied into these buffers. A malicious user
may be able to overflow these buffers through the use of
command line options or via enviornment variables and
insert and execute their own code fragment which could
be used to obtain unauthorized access to the system
III. Impact
The programs in question may be subverted to allow an
unprivileged user to gain root access to the system.
These vulnerability can only be exploited by individuals
with access to the local system.
IV. Workaround
Setuid programs invoked by the user may have their setuid
permissions removed, or their protection attributes modified
so unprivileged users may not operate them at all.
This may reduce or eliminate some functionality provided by
these programs to normal users.
To remove setuid privileges:
crontab: # chmod ug-s /usr/bin/crontab
ppp: # chmod ug-s /usr/bin/ppp
The cron program is started by the system on every boot.
This auto-start may be temporarily disabled, and the running
cron program stopped. However, cron is a valuable system
utility, so we suggest this as a temporary workaround only.
To stop cron from executing on system boot, edit the /etc/rc
file and change the line:
echo -n ' cron'; cron
so it reads:
# echo -n ' cron'; cron.
To turn off a running cron, use the ps program to determine
the PID of the currently running cron (use "ps") and type:
# kill <pid of running cron>
V. Solution
The following patches fixes the vulnerabilities. It should
apply cleanly to all FreeBSD 2.1.x systems. It has not been
tested with FreeBSD 1.x.
After applying these patches, recompile and re-install the
affected utilities.
*** usr.sbin/cron/cron/database.c 1994/08/27 13:43:03 1.1.1.1
--- usr.sbin/cron/cron/database.c 1996/09/10 03:38:20 1.3
***************
*** 112,119 ****
if (dp->d_name[0] == '.')
continue;
! (void) strcpy(fname, dp->d_name);
! sprintf(tabname, CRON_TAB(fname));
process_crontab(fname, fname, tabname,
&statbuf, &new_db, old_db);
--- 112,119 ----
if (dp->d_name[0] == '.')
continue;
! (void)snprintf(fname, sizeof fname, "%s", dp->d_name);
! (void)snprintf(tabname, sizeof tabname, CRON_TAB(fname));
process_crontab(fname, fname, tabname,
&statbuf, &new_db, old_db);
*** usr.sbin/cron/crontab/crontab.c 1996/04/09 21:23:11 1.3.4.1
--- usr.sbin/cron/crontab/crontab.c 1996/08/05 00:50:02 1.6
***************
*** 167,173 ****
ProgramName, optarg);
exit(ERROR_EXIT);
}
! (void) strcpy(User, optarg);
break;
case 'l':
if (Option != opt_unknown)
--- 165,171 ----
ProgramName, optarg);
exit(ERROR_EXIT);
}
! (void) snprintf(User, sizeof(user), "%s", optarg);
break;
case 'l':
if (Option != opt_unknown)
***************
*** 198,204 ****
} else {
if (argv[optind] != NULL) {
Option = opt_replace;
! (void) strcpy (Filename, argv[optind]);
} else {
usage("file name must be specified for replace");
}
--- 196,203 ----
} else {
if (argv[optind] != NULL) {
Option = opt_replace;
! (void) snprintf(Filename, sizeof(Filename), "%s",
! argv[optind]);
} else {
usage("file name must be specified for replace");
}
***************
*** 480,486 ****
ProgramName, Filename);
goto done;
default:
! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n");
goto fatal;
}
remove:
--- 479,486 ----
ProgramName, Filename);
goto done;
default:
! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n",
! ProgramName);
goto fatal;
}
remove:
--- usr.sbin/cron/lib/env.c 1994/08/27 13:43:02 1.1.1.1
+++ usr.sbin/cron/lib/env.c 1996/12/16 18:11:57
@@ -115,7 +115,7 @@
{
long filepos;
int fileline;
- char name[MAX_TEMPSTR], val[MAX_ENVSTR];
+ char name[MAX_ENVSTR], val[MAX_ENVSTR];
int fields;
filepos = ftell(f);
--- usr.sbin/ppp/chat.c 1996/06/10 09:41:45 1.4.4.2
+++ usr.sbin/ppp/chat.c 1996/12/15 20:40:26
@@ -315,7 +315,7 @@
}
cp--;
}
- sprintf(tmp, "%s %s", command, cp);
+ snprintf(tmp, sizeof tmp, "%s %s", command, cp);
(void) MakeArgs(tmp, &vector);
pipe(fids);
--- usr.sbin/ppp/systems.c 1995/05/30 03:50:58 1.5
+++ usr.sbin/ppp/systems.c 1996/12/15 20:40:26
@@ -75,12 +75,12 @@
cp = getenv("HOME");
if (cp) {
SetUserId();
- sprintf(line, "%s/.%s", cp, file);
+ snprintf(line, sizeof line, "%s/.%s", cp, file);
fp = fopen(line, "r");
}
if (fp == NULL) {
SetPppId();
- sprintf(line, "%s/%s",_PATH_PPP, file);
+ snprintf(line, sizeof line, "%s/%s", _PATH_PPP, file);
fp = fopen(line, "r");
}
if (fp == NULL) {
@@ -115,12 +115,12 @@
cp = getenv("HOME");
if (cp) {
SetUserId();
- sprintf(line, "%s/.%s", cp, file);
+ snprintf(line, sizeof line, "%s/.%s", cp, file);
fp = fopen(line, "r");
}
if (fp == NULL) {
SetPppId(); /* fix from pdp@ark.jr3uom.iijnet.or.jp */
- sprintf(line, "%s/%s",_PATH_PPP, file);
+ snprintf(line, sizeof line, "%s/%s", _PATH_PPP, file);
fp = fopen(line, "r");
}
if (fp == NULL) {
=============================================================================
FreeBSD, Inc.
Web Site: http://www.freebsd.org/
Confidential contacts: security-officer@freebsd.org
PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications: security-notifications@freebsd.org
Security public discussion: security@freebsd.org
Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.
=============================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMrb4FlUuHi5z0oilAQGCjQP/TcKygSf3CLwfJcPSnsQnc0k5fkF3QZvk
Lp4K7FTua7M0AHHMn4gjpZEqB0+eqxMEGuZ+VXISSoESWyaOSz+hVLmLU2UZDLO0
WWZWw3MM3UeWAzLLXwRPTLN0tQlpQJyqPNH1okb4c/Lx9IugN1wcGfbiTnOF3NaC
d8lhtqcQoi4=
=zAKC
-----END PGP SIGNATURE-----
|
