Hi,

Recently there have been advisories and patches for
SuSE and RedHat (and probably a few others) regarding
a vulnerability in Vixie Cron. The details say that
there's insufficient checking of the return value of
setuid, which can lead to privilege escalation and
lets users run cron jobs with root privileges.

As far as I know, FreeBSD also uses Vixie Cron (at least
the cron(8) manpage says so). However, I haven't seen
any FreeBSD advisory regarding this, so I wonder if
FreeBSD's cron isn't affected for some reason?

Any information would be appreciated.

Best regards
   Oliver

PS: Here's the description of the RedHat advisory:
http://rhn.redhat.com/errata/RHSA-2006-0539.html

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

(On the statement print "42 monkeys" + "1 snake":) By the way,
both perl and Python get this wrong. Perl gives 43 and Python
gives "42 monkeys1 snake", when the answer is clearly "41 monkeys
and 1 fat snake". -- Jim Fulton

Oliver Fromme <olli@lurza.secnetix.de> writes:

> Recently there have been advisories and patches for
> SuSE and RedHat (and probably a few others) regarding
> a vulnerability in Vixie Cron. The details say that
> there's insufficient checking of the return value of
> setuid, which can lead to privilege escalation and
> lets users run cron jobs with root privileges.
>
> As far as I know, FreeBSD also uses Vixie Cron (at least
> the cron(8) manpage says so). However, I haven't seen
> any FreeBSD advisory regarding this, so I wonder if
> FreeBSD's cron isn't affected for some reason?
>
> Any information would be appreciated.

It looks to me like this wasn't exploitable in a default
configuration anyway, but it was fixed on 1 June in HEAD and
on 1 July in RELENG_6.

http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/cron/cron/do_command.c

Hi,

Oliver Fromme wrote:

> Hi,
>
> (...)
>
> Any information would be appreciated.
>

This issue was already discussed a few weeks ago on this list.

http://lists.freebsd.org/pipermail/freebsd-hackers/2006-June/016729.html

In the default configuration, this issue is not exploitable because a call
to setuid(2) could fail only for a non-root user.

Anyway, the setuid(2) return value must always be checked, and I guess this
issue was fixed in HEAD and probably in RELENG_6?

Sincerely,
Clem
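
The unchecked and checked setuid patterns discussed in this thread, side by side, as an added example that is not part of any message above and not taken from FreeBSD's do_command.c. All function names, the stub calls and the uid/gid value 1001 are hypothetical; the identity-changing calls are passed in as function pointers so the failure path can be shown without root.

```c
#include <stdio.h>
#include <sys/types.h>

/* Real callers would pass { setgid, setuid } from <unistd.h>. */
struct id_ops { int (*set_gid)(gid_t); int (*set_uid)(uid_t); };

static int jobs_run;                       /* jobs that actually started */
static void sample_job(void) { jobs_run++; }

/* Unchecked pattern: if set_uid() fails, the job still starts with
 * whatever identity the process already had (root, in a cron child). */
static void run_job_unchecked(const struct id_ops *ops, uid_t uid, gid_t gid,
                              void (*job)(void))
{
    ops->set_gid(gid);
    ops->set_uid(uid);
    job();
}

/* Checked pattern: group first, then user; the job is never started
 * unless both calls succeeded. Returns 0 if the job ran, -1 otherwise. */
static int run_job_checked(const struct id_ops *ops, uid_t uid, gid_t gid,
                           void (*job)(void))
{
    if (ops->set_gid(gid) != 0) {
        fprintf(stderr, "setgid(%ld) failed, job not started\n", (long)gid);
        return -1;
    }
    if (ops->set_uid(uid) != 0) {
        fprintf(stderr, "setuid(%ld) failed, job not started\n", (long)uid);
        return -1;
    }
    job();
    return 0;
}

/* Constructed stubs standing in for the real calls. */
static int ok_gid(gid_t g) { (void)g; return 0; }
static int ok_uid(uid_t u) { (void)u; return 0; }
static int failing_uid(uid_t u) { (void)u; return -1; } /* simulated failure */

int main(void)
{
    struct id_ops bad = { ok_gid, failing_uid };
    run_job_unchecked(&bad, 1001, 1001, sample_job);
    printf("unchecked: jobs started = %d\n", jobs_run);
    jobs_run = 0;
    int rc = run_job_checked(&bad, 1001, 1001, sample_job);
    printf("checked:   rc = %d, jobs started = %d\n", rc, jobs_run);
    return 0;
}
```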