*BSD News Article 25111


Return to BSD News archive

Path: sserve!newshost.anu.edu.au!munnari.oz.au!network.ucsd.edu!ogicse!uwm.edu!cs.utexas.edu!not-for-mail
From: Gorgonio@fee.unicamp.br
Newsgroups: comp.os.386bsd.bugs
Subject: [NetBSD V0.9] Crontab Security Problem
Message-ID: <9312171222.AA01518@fee.unicamp.br>
Date: 17 Dec 93 00:18:31 GMT
Article-I.D.: fee.9312171222.AA01518
Sender: daemon@cs.utexas.edu
Organization: UTexas Mail-to-News Gateway
Lines: 46
NNTP-Posting-Host: cs.utexas.edu

[...]
From: dreid@mailer.fsu.edu (Debi Reid)
Date: 11 Dec 93 20:17:50 GMT
Organization: Florida State University ACNS
NNTP-Posting-Host: mailer.fsu.edu
Lines: 24


	There is a rather large hole in crontab I figured I would make 
	all aware of. The fix is simple, so it is not any big deal....

	crontab happens to be SUID with root level priv's,  so a person, 
	if they want your /etc/shadow can simply do a .....

	crontab -r /etc/shadow 
	crontab -l 

	crontab will grab a copy of the /etc/shadow, and place it as a job
	for the user to run in the /usr/spool/cron/crontabs. The -l will
	then display the jobs, thus resulting in giving up the password.

	I read about this on a "underground echo", and this person mentioned
	that this worked on Linux boxes.. <Echo was henced named CCi
	Cyber Crime International, I believe.... Anyrate>..  I run a 
	Linux box that several people have access to, and though you might
	wish to know about this.. the fix is simple, dont let users 
	run crontab.... Thats the way I solved it.. Anyrate, any questions
	please mail me...

	Also, I am not intrested in the moral rights and wrongs of this
	post, so if you do not like it, dont read it...


----- End Included Message -----
 
It's also a NetBSD V0.9 hole!

					Gorgonio

================================================================================
Gorgonio B. Ara'ujo                     |SIFEE - FEE - UNICAMP
Support Engineer                        |13.081.970 - Campinas/SP - Brazil
                                        |phone: +55 192 397421
                                        |fax: +55 192 391395
                                        |Internet: Gorgonio@fee.unicamp.br
================================================================================