Probably a lot of freebsd servers affected Security bug allows to edit other users crontab root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp root# echo @daily doit baby > /tmp/test root# crontab -u www.promspecbud.com.other /tmp/test root# crontab -u www.promspecbud.com -l =====output ====@daily doit baby ================ root#echo @daily doit baby one more time>> /tmp/test root#sudo -u www.promspecbud.com.other crontab /tmp/test root#sudo -u www.promspecbud.com crontab -l =====output ====@daily doit baby @daily doit baby one more time ================ root# uname -a FreeBSD kuzik 10.3-RELEASE FreeBSD 10.3-RELEASE #0 r297264: Fri Mar 25 02:10:02 UTC 2016 root at releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 best regards, Andrii Kuzik
> root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp > root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmpI'm really sleepy so this might be wrong or outdated, but aren't/weren't FreeBSD usernames limited to 16 characters? Seems to me this probably relates to both the users being evaluated to the username "www.promspecbud." or whatever. -- James "fwaggle" Fraser
So your doing it as root. Root can do that. As it has access to everything. On Sep 1, 2016 8:15 AM, "Andrii Kuzik" <akuzik at gmail.com> wrote:> Probably a lot of freebsd servers affected > > Security bug allows to edit other users crontab > > root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp > root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp > root# echo @daily doit baby > /tmp/test > root# crontab -u www.promspecbud.com.other /tmp/test > root# crontab -u www.promspecbud.com -l > > =====output ====> @daily doit baby > ================> > root#echo @daily doit baby one more time>> /tmp/test > root#sudo -u www.promspecbud.com.other crontab /tmp/test > root#sudo -u www.promspecbud.com crontab -l > =====output ====> @daily doit baby > @daily doit baby one more time > ================> > root# uname -a > FreeBSD kuzik 10.3-RELEASE FreeBSD 10.3-RELEASE #0 r297264: Fri Mar 25 > 02:10:02 UTC 2016 > root at releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 > > best regards, Andrii Kuzik > _______________________________________________ > freebsd-security at freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org > " >
Hi, On Thu, Sep 1, 2016, at 21:47, Andrii Kuzik wrote:> Probably a lot of freebsd servers affected > > Security bug allows to edit other users crontab > > root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp > root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d > /tmp > root# echo @daily doit baby > /tmp/test > root# crontab -u www.promspecbud.com.other /tmp/test > root# crontab -u www.promspecbud.com -l > > =====output ====> @daily doit baby > ================> > root#echo @daily doit baby one more time>> /tmp/test > root#sudo -u www.promspecbud.com.other crontab /tmp/test > root#sudo -u www.promspecbud.com crontab -l > =====output ====> @daily doit baby > @daily doit baby one more time > ================>to be more specific, the bug is crontab truncates usernames to 19 characters as defined in cron.h: #define MAX_UNAME 20 /* max length of username, should be overkill */ # pw useradd users12345names67890 # crontab -u users12345names67890 -l crontab: no crontab for users12345names6789 ^-- cut off