Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
fcron 'fcronsighup' Bugs Let Local Users View and Delete Files
|
|
SecurityTracker Alert ID: 1012239
|
|
SecurityTracker URL: http://securitytracker.com/id?1012239
|
|
CVE Reference: CAN-2004-1030
, CAN-2004-1031
, CAN-2004-1032
, CAN-2004-1033
(Links to External Site)
|
Date: Nov 15 2004
|
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Advisory: iDEFENSE
|
Version(s): prior to 2.0.2
|
Description: iDEFENSE reported several vulnerabilities in fcron. A local user can view and delete arbitrary files on the target system. A local user can also supply an alternate configuration file.
It is reported that a local user can exploit the fcronsighup script to view arbitrary files with root privileges [CVE: CAN-2004-1030].
The local user can supply the file to be viewed as a parameter to fcronsighup, which will then attempt to parse the specified file
as a configuration file. Lines that cannot be parsed will be displayed in an error message. A demonstration exploit command is
provided:
fcronsighup /etc/shadow
It is also reported that a local user can direct the fcronsighup configuration file to a
/proc entry owned by the 'root' user to supply arbitrary configuration settings to fcronsighup [CVE: CAN-2004-1031].
It is also
reported that a local user can cause arbitrary files to be deleted [CVE CAN-2004-1032].
It is also reported that a local user
can view the contents of the 'fcron.allow' and 'fcron.deny' files due to a file descriptor leak [CVE: CAN-2004-1033].
Karol Wiesek
is credited with discovering these vulnerabilities.
The vendor was notified on October 21, 2004.
The original advisory is
available at:
http://www.idefense.com/application/poi/display?id=157&type=vulnerabilities
|
Impact: A local user can view and delete arbitrary files on the target system.
A local user can supply an alternate configuration file.
|
Solution: The vendor has released a fixed version (2.0.2), available at:
http://fcron.free.fr/archives/fcron-2.0.2.src.tar.gz
ftp://ftp.seul.org/pub/fcron/fcron-2.0.2.src.tar.gz
A fixed development version (2.9.5.1) is also available at:
http://fcron.free.fr/archives/fcron-2.9.5.1.src.tar.gz
ftp://ftp.seul.org/pub/fcron/fcron-2.9.5.1.src.
tar.gz
|
Vendor URL: fcron.free.fr/ (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: idlabs-advisories@idefense.com
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Mon, 15 Nov 2004 14:48:23 -0500
From: idlabs-advisories@idefense.com
Subject: iDEFENSE Security Advisory 11.15.04: Multiple Security
|
Multiple Security Vulnerabilities in Fcron
iDEFENSE Security Advisory 11.15.04
www.idefense.com/application/poi/display?id=157&type=vulnerabilities
November 15, 2004
I. BACKGROUND
Fcron is a periodical command scheduler which aims at replacing Vixie
Cron, and implements most of its functionalities. More information about
Fcron is available from http://fcron.free.fr/description.php.
II. DESCRIPTION
Multiple vulnerabilities have been found in Fcron.
**** ISSUE 1 - File contents disclosure ****
Local exploitation of a design error vulnerability in the fcronsighup=20
component of Fcron may allow users to view the contents of root owned=20
files.
The vulnerability specifically exists within the set user id (setuid)=20
root program fcronsighup. When the filename of a root owned file is=20
passed as an argument to this program, it attempts to parse the file as=20
a configuration file. Any lines in the file that are not parsable will=20
be output as error messages. The following example demonstrates how an=20
attacker can abuse this vulnerability to glean sensitive information=20
from the /etc/shadow password file:
bash$ fcronsighup /etc/shadow
14:33:09 Unknown var name at line
root:<password-hash>:12475:0:99999:7::: : line ignored
**** ISSUE 2 - Configuration Bypass Vulnerability ****
Local exploitation of a design error vulnerability in the fcronsighup=20
component of Fcron may allow users to bypass access restrictions.
The problem specifically exists in the checking performed by the
fcronsighup utility on the file passed as a configuration file. It
checks if the file is root owned, and not writable by any other users.
When a setuid process is run by an ordinary user the /proc filesystem
pseudofiles associated with it are owned by root and the contents of the
"cmdline" and "evironment" files are controllable by the user.
By pointing the fcronsighup configuration file to a /proc entry owned by
root, such as /proc/self/cmdline or /proc/self/environ, it is possible=20
for a user to supply their own configuration settings.
**** ISSUE 3 - File Removal and Empty File Creation Vulnerability****
Local exploitation of a design error vulnerability in the fcronsighup=20
component of Fcron may allow users to remove arbitrary files or create=20
arbitrary empty files.
The vulnerability specifically exists in the fcronsighup utility which=20
does signaling of the running fcron daemon. Fcronsighup creates a file=20
named in part from a value read from configuration file. This file is=20
created using open() with O_RDWR|O_CREAT and 0644 parameters while=20
running with full root privileges. After some time has passed the file=20
is removed. The filename string is generated by the following code:
snprintf(sigfile, sizeof(sigfile), "%s/fcrontab.sig", fcrontabs);
By padding the front of the filename with a large number of slash=20
symbols ("/") it is possible to create or remove a file in an arbitrary=20
location. For example: to create the file /tmp/owned, the configuration
option which sets the value for "fcrontabs" can be set to contain
(sizeof(sigfile)-strlen("/tmp/owned")) "/" characters, followed by the
string "/tmp/owned". The code will attempt to append the string
"/fcrontab.sig" to this string, but the limitation imposed on it by the
call to snprintf() will cause it to fail. When the filename is resolved,
the extra "/"s in the filename are ignored, resulting in an absolute
reference to the file /tmp/owned.
**** ISSUE 4 - Information Disclosure Vulnerability ****
Local exploitation of a design error vulnerability in the fcrontab=20
component of Fcron may allow users to view the contents of fcron.allow=20
and fcron.deny.
The problem specifically exists because Fcron leaks the file descriptors
of the opened files /etc/fcron.allow and /etc/fcron.deny to the invoked=20
editor. The default permissions on these files do not allow them to be=20
read by unprivileged users:
-rw-r----- 1 root fcron 253 Jul 29 12:45 /etc/fcron.allow
-rw-r----- 1 root fcron 255 Jul 29 12:45 /etc/fcron.deny
An attacker can exploit this vulnerability by setting the EDITOR=20
environment variable to a program which outputs the contents of the open
file descriptor; descriptor 3 to view the contents of fcron.allow and=20
descriptor 4 to view the contents of fcron.deny.
III. ANALYSIS
Local users can bypass configuration settings, remove arbitrary files,=20
create files with root permissions, read the contents of root owned=20
files and send a SIGHUP to any process, potentially killing it. These=20
actions may allow them to perform a denial of service or potentially=20
elevate their privileges.
IV. DETECTION
iDEFENSE has confirmed that Fcron versions 2.0.1 and 2.9.4 are
vulnerable. It is suspected that earlier versions are also affected.
V. WORKAROUND
Consider changing the permissions on the fcronsighup binary to only=20
allow trusted users access. Make the binary only executable by users=20
in the 'trusted' group by performing the following commands as root:
# chown root:trusted /usr/bin/fcronsighup
# chmod 4110 /usr/bin/fcronsighup
Also consider performing the same operation on the fcrontab binary to
prevent exploitation of Issue 4.
VI. VENDOR RESPONSE
The following releases are available to address these vulnerabilities:
2.0.2 : stable branch
http://fcron.free.fr/archives/fcron-2.0.2.src.tar.gz (France)
or
ftp://ftp.seul.org/pub/fcron/fcron-2.0.2.src.tar.gz (USA)
2.9.5.1 : dev branch
http://fcron.free.fr/archives/fcron-2.9.5.1.src.tar.gz (France)
or
ftp://ftp.seul.org/pub/fcron/fcron-2.9.5.1.src.tar.gz (USA)
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues:
ISSUE 1 - File contents disclosure
CAN-2004-1030
ISSUE 2 - Configuration Bypass Vulnerability
CAN-2004-1031
ISSUE 3 - File Removal and Empty File Creation Vulnerability
CAN-2004-1032
ISSUE 4 - Information Disclosure Vulnerability
CAN-2004-1033
These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
10/21/2004 Initial vendor notification
10/21/2004 Initial vendor response
11/15/2004 Coordinated public disclosure
IX. CREDIT
Karol Wiesek is credited with discovering these vulnerabilities.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
|
|
Go to the Top of This SecurityTracker Archive Page
|
