TITLE: Trustix Fcron "convert-fcrontab" Two Vulnerabilities SECUNIA ADVISORY ID: SA18719 VERIFY ADVISORY: http://secunia.com/advisories/18719/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system OPERATING SYSTEM: Trustix Secure Linux 2.2 http://secunia.com/product/4641/ DESCRIPTION: Two vulnerabilities have been reported in Fcron, which can be exploited by malicious, local users to gain escalated privileges. 1) A boundary error exists in convert-fcrontab when handling an overly long username supplied via the command line. This can be exploited to cause a heap-based buffer overflow and may allow arbitrary code execution. 2) Missing validation of the username supplied to convert-fcrontab can be exploited to cause the application to create temporary files insecurely outside of "/var/spool/fcron" via directory traversal attacks. This can be exploited via symlink attacks to create or overwrite arbitrary files with the privileges of the root user. Successful exploitation requires that convert-fcrontab is setuid root (reportedly default setting on Trustix 2.2). The vulnerability has been reported in Fcron version 2.9.5 included with Trustix 2.2. Other versions may also be affected. SOLUTION: Remove setuid bits from convert-fcrontab. PROVIDED AND/OR DISCOVERED BY: 1) Adam Zabrocki 2) Karol Wiesek ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/041888.html http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/041900.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------