Subject: bin/3293: Buffer overflow in crontab
To: None <gnats-bugs@gnats.netbsd.org>
From: Rick Byers <rickb@iaw.on.ca>
List: netbsd-bugs
Date: 03/05/1997 21:57:37
>Number:         3293
>Category:       bin
>Synopsis:       Buffer overflow in crontab
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Mar  5 19:05:01 1997
>Last-Modified:
>Originator:     Rick Byers
>Organization:
	Internet Access Worldwide
>Release:        NetBSD Current Mar 2 1997
>Environment:
	
System: NetBSD rickb.iaw.on.ca 1.2C NetBSD 1.2C (RICKB) #0: Wed Mar 5 20:07:47 EST 1997 root@rickb.iaw.on.ca:/usr/src/sys/arch/i386/compile/RICKB i386


>Description:
	In load_env() in env.c, sscanf gets called on envstr, to fill name and val.
	A widely available hack exists to overflow the buffer pointed to by name
	which is only MAX_TEMPSTR (100) characters long.  This overflow condition
	is then used to execute a root shell.
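As an added illustration (not cron's code and not part of this report), the following C shows the defensive counterpart of the call described above: a NAME=value splitter that still uses sscanf into a MAX_TEMPSTR name buffer, but bounds each conversion with a field width so an over-long name is detected and rejected rather than written past the end of the buffer. The constants, the format string and the helper names are assumptions; the page does not show cron's actual sscanf call.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes, matching the constants named in the report; cron's real
 * env.c values are not shown on this page. */
#define MAX_TEMPSTR 100
#define MAX_ENVSTR  1000

/*
 * Split "NAME=value" into name[MAX_TEMPSTR] and val[MAX_ENVSTR].
 * The format string is hypothetical (the report does not show cron's).
 * The point is the field widths: "%99[...]" and "%999[...]" stop sscanf at
 * buffer size minus one, so an over-long name can never be written past the
 * end of name[], whatever the length of envstr.
 * Returns  1: parsed name and value
 *          0: line is not of the form NAME=value
 *         -1: name longer than MAX_TEMPSTR-1 (rejected, not silently truncated)
 */
int parse_env_line(const char *envstr, char name[MAX_TEMPSTR], char val[MAX_ENVSTR])
{
    char fmt[48];
    const char *p = envstr;
    int fields;

    name[0] = '\0';
    val[0] = '\0';

    /* Build the widths from the buffer sizes so they cannot drift apart. */
    snprintf(fmt, sizeof fmt, " %%%d[^ =\t] = %%%d[^\n]",
             MAX_TEMPSTR - 1, MAX_ENVSTR - 1);
    fields = sscanf(envstr, fmt, name, val);

    /* If the name filled its width, the input character right after it
     * tells us whether we stopped at a delimiter or were cut off. */
    while (*p == ' ' || *p == '\t')
        p++;
    if (strlen(name) == MAX_TEMPSTR - 1 &&
        strchr(" =\t", p[MAX_TEMPSTR - 1]) == NULL)
        return -1;

    return fields == 2 ? 1 : 0;
}

/* Parse a line and compare the result against an expected name and value. */
int check_line(const char *line, const char *want_name, const char *want_val)
{
    char name[MAX_TEMPSTR], val[MAX_ENVSTR];

    if (parse_env_line(line, name, val) != 1)
        return 0;
    return strcmp(name, want_name) == 0 && strcmp(val, want_val) == 0;
}

/* Constructed input: a name of n 'A's followed by "=x", the shape of the
 * over-long environment line the report describes.  Returns the parse code. */
int check_long_name(size_t n)
{
    char line[MAX_ENVSTR];
    char name[MAX_TEMPSTR], val[MAX_ENVSTR];

    if (n > MAX_ENVSTR - 3)
        n = MAX_ENVSTR - 3;
    memset(line, 'A', n);
    line[n] = '=';
    line[n + 1] = 'x';
    line[n + 2] = '\0';
    return parse_env_line(line, name, val);
}

int main(void)
{
    printf("PATH line ok: %d\n",
           check_line("PATH=/usr/bin:/bin", "PATH", "/usr/bin:/bin"));
    printf("99-char name:  %d (1 = accepted)\n", check_long_name(99));
    printf("500-char name: %d (-1 = rejected)\n", check_long_name(500));
    return 0;
}
```

The width is derived from the buffer size at the one place the buffer is declared; that is the property the unbounded call lacks, since with no width sscanf copies until it sees a delimiter, however long the input line is.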
>How-To-Repeat:
	
>Fix:
	The easiest fix is to declare name to be MAX_ENVSTR (1000) characters.
	The call function could be rewritten not to call sscanf, but for 900
	bytes, it's not worth it.  Jason Thorpe has already cleaned up the
	other overflow conditions.  Here is a tiny patch:

*** env.c.orig	Wed Mar  5 20:06:58 1997
--- env.c	Wed Mar  5 21:19:15 1997
***************
*** 115,121 ****
  {
  	long	filepos;
  	int	fileline;
! 	char	name[MAX_TEMPSTR], val[MAX_ENVSTR];
  	int	fields;
  
  	filepos = ftell(f);
--- 115,121 ----
  {
  	long	filepos;
  	int	fileline;
! 	char	name[MAX_ENVSTR], val[MAX_ENVSTR];
  	int	fields;
  
  	filepos = ftell(f);
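Review bot: enlarging name to MAX_ENVSTR in the declaration line removes the overflow only under the invariant that the envstr handed to sscanf is itself never longer than MAX_ENVSTR-1 bytes; since the hunk does not show the sscanf call or how envstr is filled, consider also giving the name and val conversions a field width (e.g. a "%999[" scanset rather than a bare "%[") so the bound lives in the scan itself, and state that invariant in a comment next to the declaration so a later change to the line reader cannot silently reintroduce the problem.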
>Audit-Trail:
>Unformatted: