Slashdot Mirror


Details of the PCWeek Securelinux Crack

gleam writes "The guy who cracked the secure Linux box has posted how he did it. It's a rather interesting read, and it does use a crontab exploit that is present in all versions of RH." Much more detail than the original story had.

2 of 216 comments

  1. RedHat is NOT Linux! by law · · Score: 5

    I posted this originally on their forum but it should work here too.

    Look I am rather upset with this continued premise that "Redhat is Linux". It is not.
    I use Debian, it works well and is generally more secure than RedHat.

    On http://www.hackpcweek.com/learned.html
    You state

    "During these tests many people have criticized us for not applying the twenty-one security patches that currently exist for Red Hat 6.0. However, their omission serves to illustrate our
    point. We only installed shipping software available from the vendors for this test (other than the applications of course). No hot fixes were applied to the NT server. We did however install
    service pack five. This was much easier because it was a single file."

    Using Debian and deselect (deselect is the standard package manipulation tool), getting security updates is EASIER than getting and installing a Service Pack. Hell, you don't even have to reboot.
    This still would not have fixed the CGI exploit; it just would have made it that much harder to be rooted.
    Remember Red Hat is NOT Linux.

    --
    "Think of it as evolution in action."
  2. crontab by Signal+11 · · Score: 5

    That was posted to bugtraq almost a month ago - complete with fix. Now... who's at fault - Redhat, or the people who put this contest on with a box stock system with known vulnerabilities? Check it out:

    ---------------------------------------------------------------------
    Red Hat, Inc. Security Advisory

    Synopsis: Buffer overflow in cron daemon
    Advisory ID: RHSA-1999:030-01
    Issue date: 1999-08-25
    Updated on:
    Keywords: vixie-cron crond MAILTO
    Cross references:
    ---------------------------------------------------------------------

    1. Topic:

    A buffer overflow exists in crond, the cron daemon. This
    could allow local users to gain privilege.

    2. Bug IDs fixed (http://developer.redhat.com/bugzilla/):

    4706

    3. Relevant releases/architectures:

    Red Hat Linux 4.2, 5.2, 6.0, all architectures

    4. Obsoleted by:

    5. Conflicts with:

    6. RPMs required:

    Red Hat Linux 4.2:

    Intel:
    rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/i386/vixie-cron-3.0.1-36.4.2.i386.rpm

    Alpha:
    rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/alpha/vixie-cron-3.0.1-36.4.2.alpha.rpm

    Sparc:
    rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/sparc/vixie-cron-3.0.1-36.4.2.sparc.rpm

    Source packages:
    rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/vixie-cron-3.0.1-36.4.2.src.rpm

    Red Hat Linux 5.2:

    Intel:
    rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/i386/vixie-cron-3.0.1-36.5.2.i386.rpm

    Alpha:
    rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/alpha/vixie-cron-3.0.1-36.5.2.alpha.rpm

    Sparc:
    rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/sparc/vixie-cron-3.0.1-36.5.2.sparc.rpm

    Source packages:
    rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/vixie-cron-3.0.1-36.5.2.src.rpm

    Red Hat Linux 6.0:

    Intel:
    rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/i386/vixie-cron-3.0.1-37.i386.rpm

    Alpha:
    rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/alpha/vixie-cron-3.0.1-37.alpha.rpm

    Sparc:
    rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/sparc/vixie-cron-3.0.1-37.sparc.rpm

    Source packages:
    rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/vixie-cron-3.0.1-37.src.rpm

    7. Problem description:

    By creating a crontab that runs with a specially formatted
    'MAILTO' environment variable, it is possible for local users
    to overflow a fixed-length buffer in the cron daemon's
    cron_popen() function. Since the cron daemon runs as root,
    it would be theoretically possible for local users to use
    this buffer overflow to gain root privilege.

    To the best of our knowledge, no known exploits exist
    at this time.

    Also, it was possible to use specially formatted 'MAILTO'
    environment variables to send commands to sendmail.

    8. Solution:

    For each RPM for your particular architecture, run:

    rpm -Uvh <filename>

    where filename is the name of the RPM.

    9. Verification:



    These packages are PGP signed by Red Hat Inc. for security. Our key
    is available at:

    http://www.redhat.com/corp/contact.html

    You can verify each package with the following command:

    rpm --checksig

    If you only wish to verify that each package has not been corrupted or
    tampered with, examine only the md5sum with the following command:

    rpm --checksig --nopgp

    10. References:




    --
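The advisory quoted above ties both problems to the value of the `MAILTO` variable in a user's crontab. The following audit is an added example, not part of the comment, the advisory, or Red Hat's fix: it scans crontab text and flags `MAILTO` values that are unusually long, look like a command-line option, or contain characters outside a plain recipient name. The 64-character limit, the allow-list, and the sample crontab are assumptions made for illustration.

```python
import re

# Assumed policy limit; the page does not state the size of crond's buffer.
MAX_MAILTO_LEN = 64
# Assumed allow-list: a local user name or a simple e-mail address.
SAFE_RECIPIENT = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._+@-]*$")
ENV_LINE = re.compile(r"^\s*MAILTO\s*=\s*(.*?)\s*$")

def unquote(value):
    """Drop one pair of matching quotes around a crontab environment value."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value

def audit_crontab(text, max_len=MAX_MAILTO_LEN):
    """Return (line_number, finding) pairs for risky MAILTO settings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        match = ENV_LINE.match(line)
        if not match:
            continue  # job entry or another variable
        value = unquote(match.group(1))
        if not value:
            continue  # empty MAILTO: no mail is sent, nothing reaches the mailer
        if len(value) > max_len:
            findings.append((lineno, "too-long"))
        if value.startswith("-"):
            findings.append((lineno, "option-like"))
        elif not SAFE_RECIPIENT.match(value):
            findings.append((lineno, "unexpected-characters"))
    return findings

# Constructed sample crontab, not taken from the contest machine.
SAMPLE = "\n".join([
    "# nightly jobs",
    "SHELL=/bin/sh",
    "MAILTO=admin@example.com",
    "0 3 * * * /usr/local/bin/backup",
    "MAILTO=" + "A" * 300,
    'MAILTO="-constructed-option nobody"',
    "MAILTO=ops team",
    "MAILTO=''",
])

if __name__ == "__main__":
    for lineno, finding in audit_crontab(SAMPLE):
        print("line %d: %s" % (lineno, finding))
```

A finding here is a prompt to review the crontab and confirm the patched vixie-cron package is installed; it does not replace applying the update.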