Vixie cron vulnerability

2001-05-10T00:00:00
ID SECURITYVULNS:DOC:1591
Type securityvulns
Reporter Securityvulns
Modified 2001-05-10T00:00:00

Description

Thank you for using SecurityFocus.com's Security Intelligence Alert (SIA) Service. To manage your account please visit https://alerts.securityfocus.com/ For questions or comments email us at alerts@securityfocus.com.


                          Security Alert

Subject: Vixie Cron crontab Privilege Lowering Failure Vulnerability
BUGTRAQ ID: 2687
CVE ID: CVE-MAP-NOMATCH
Published: May 07, 2001
Updated: May 07, 2001

Remote: No
Local: Yes
Availability: User Initiated
Authentication: Not Required
Credibility: Vendor Confirmed
Ease: Exploit Available
Class: Serialization Error

Impact: 10.00
Severity: 6.90
Urgency: 7.59

Last Change: Initial analysis.

Vulnerable Systems:

Paul Vixie Vixie Cron 3.0pl1
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2

Non-Vulnerable Systems:

Summary:

Local users can cause Vixie crontab to fail to drop privileges when editing files. This can lead to full system compromise.

Impact:

Local users can manipulate crontab's lowering of privileges, leading to full system compromise.

Technical Description:

Vixie cron is an implementation of the popular UNIX program that runs user-specified programs at periodic scheduled times.

A serialization error exists in some versions of the crontab file maintenance program. The vulnerability was introduced in versions which were patched for a separate vulnerability in the fall of 2000 (see Bugtraq ID #1960).

When a parsing error occurs after a modification operation, crontab will fail to drop privileges correctly for subsequent modification operations. Because the program is installed setuid root, it may be possible for a local user to gain root privileges.

Attack Scenarios:

An attacker with local access must edit their crontab file and enter a line that causes the parser to fail.

The attacker must then enter 'yes' when prompted as to whether he or she wishes to attempt to fix the error in the file. This will cause the editor to be invoked again, but with full privileges.

The attacker could then execute arbitrary commands from the editor, or overwrite otherwise protected system files.

Exploits:

During SIA analysis of this vulnerability, Cade Cairns <cairnsc@securityfocus.com> wrote proof-of-concept exploit code.

http://www.securityfocus.com/data/vulnerabilities/exploits/cronboom.sh

Mitigating Strategies:

Restricting local access to the host may prevent unauthorized users from exploiting this vulnerability. Restrict access to the cron facility to trusted users via the /etc/cron.allow and /etc/cron.deny files (man crontab).
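
The cron.allow / cron.deny rules from crontab(1) can be evaluated per account to see who can still reach the setuid crontab program. The script below is an added example, not part of the original alert or of Vixie cron; the function names, the FALLBACK parameter (which models the site-dependent build default) and the accounts alice and bob are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): who may still run crontab?
# Implements the cron.allow / cron.deny rules described in crontab(1).

# cron_access USER ALLOW_FILE DENY_FILE FALLBACK -> prints "allow" or "deny".
# FALLBACK models the site-dependent build default used when neither file
# exists: "all" (every user) or "root-only" (superuser only).
cron_access() {
    user=$1 allow=$2 deny=$3 fallback=$4
    if [ -f "$allow" ]; then
        # cron.allow exists: user must be listed; cron.deny is not consulted.
        if grep -Fxq -- "$user" "$allow"; then echo allow; else echo deny; fi
    elif [ -f "$deny" ]; then
        # Only cron.deny exists: user must not be listed.
        if grep -Fxq -- "$user" "$deny"; then echo deny; else echo allow; fi
    elif [ "$fallback" = "root-only" ] && [ "$user" != "root" ]; then
        echo deny
    else
        echo allow
    fi
}

# cron_exposed_users PASSWD ALLOW_FILE DENY_FILE FALLBACK
# Lists non-root accounts in a passwd-format file that are permitted to
# run crontab, i.e. the accounts to review until the fixed package is in.
cron_exposed_users() {
    cut -d: -f1 "$1" | while IFS= read -r u; do
        case $u in ''|'#'*|root) continue ;; esac
        if [ "$(cron_access "$u" "$2" "$3" "$4")" = "allow" ]; then
            echo "$u"
        fi
    done
}

# Demo on constructed sample data (hypothetical accounts alice and bob).
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0::/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\nbob:x:1001:1001::/home/bob:/bin/sh\n' > "$d/passwd"
    printf 'bob\n' > "$d/cron.deny"
    echo "cron.deny only:     $(cron_exposed_users "$d/passwd" "$d/cron.allow" "$d/cron.deny" all | tr '\n' ' ')"
    printf 'bob\n' > "$d/cron.allow"   # cron.allow now takes precedence
    echo "cron.allow present: $(cron_exposed_users "$d/passwd" "$d/cron.allow" "$d/cron.deny" all | tr '\n' ' ')"
    rm -rf "$d"
}
demo
```

On a real host, pass /etc/passwd, /etc/cron.allow and /etc/cron.deny; an empty cron.allow leaves no non-root account with crontab access.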

Solutions:

For Paul Vixie Vixie Cron 3.0pl1:

Debian upgrade 2.2 alpha cron_3.0pl1-57.3_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/cron_3.0pl1-57.3_alpha.deb

Debian upgrade 2.2 arm cron_3.0pl1-57.3_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/cron_3.0pl1-57.3_arm.deb

Debian upgrade 2.2 i386 cron_3.0pl1-57.3_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/cron_3.0pl1-57.3_i386.deb

Debian upgrade 2.2 m68k cron_3.0pl1-57.3_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/cron_3.0pl1-57.3_m68k.deb

Debian upgrade 2.2 ppc cron_3.0pl1-57.3_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/cron_3.0pl1-57.3_powerpc.deb

Debian upgrade 2.2 sparc cron_3.0pl1-57.3_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/cron_3.0pl1-57.3_sparc.deb

Credit:

Posted to Bugtraq in a Debian Security Advisory (DSA-054-1) on May 7, 2001.

References:

advisory: Debian DSA-054-1: cron http://www.securityfocus.com/advisories/3282

ChangeLog:

May 07, 2001: Initial analysis.


HOW TO INTERPRET THIS ALERT

        BUGTRAQ ID: This  is  a  unique  identifier  assigned  to   the
                    vulnerability by SecurityFocus.com.

            CVE ID: This  is  a  unique  identifier  assigned  to   the
                    vulnerability by the CVE.

         Published: The date the vulnerability was first made public.

           Updated: The date the information was last updated.

            Remote: Whether   this   is    a    remotely    exploitable
                    vulnerability.

             Local: Whether   this    is    a    locally    exploitable
                    vulnerability.

       Credibility: Describes how credible the  information  about  the
                    vulnerability is. Possible values are:

                    Conflicting Reports: There are multiple conflicting
                    reports about the existence of the vulnerability.

                    Single  Source:  There  is  a  single  non-reliable
                    source   reporting    the    existence    of    the
                    vulnerability.

                    Reliable Source: There is a single reliable  source
                    reporting the existence of the vulnerability.

                    Conflicting Details:  There  is  consensus  on  the
                    existence  of  the  vulnerability  but   not   its
                    details.

                    Multiple  Sources:  There  is  consensus   on   the
                    existence and details of the vulnerability.

                    Vendor Confirmed:  The  vendor  has  confirmed  the
                    vulnerability.

             Class: The class of vulnerability.  Possible  values  are:
                    Boundary Condition Error, Access Validation  Error,
                    Origin Validation Error,  Input  Validation  Error,
                    Failure  to  Handle  Exceptional  Conditions,  Race
                    Condition  Error,  Serialization  Error,  Atomicity
                    Error, Environment Error, and Configuration Error.

              Ease: Rates  how  easily   the   vulnerability   can   be
                    exploited.  Possible   values   are:   No   Exploit
                    Available,  Exploit  Available,  and   No   Exploit
                    Required.

            Impact: Rates the impact of the vulnerability.  Its  range
                    is 1 through 10.

          Severity: Rates the severity of the vulnerability. Its  range
                    is 1 through 10.  It's  computed  from  the  impact
                    rating and remote flag. Remote vulnerabilities with
                    a  high  impact  rating  receive  a  high  severity
                    rating. Local vulnerabilities  with  a  low  impact
                    rating receive a low severity rating.

           Urgency: Rates how quickly you should take action to fix  or
                    mitigate the vulnerability. Its range is 1  through
                    10. It's computed from  the  severity  rating,  the
                    ease  rating,  and  the  credibility  rating.  High
                    severity vulnerabilities with a high  ease  rating,
                    and a high confidence rating have a higher  urgency
                    rating. Low severity  vulnerabilities  with  a  low
                    ease rating, and a low  confidence  rating  have  a
                    lower urgency rating.

       Last Change: The  last  change   made   to   the   vulnerability
                    information.

Vulnerable Systems: The list of vulnerable systems. A '+'  preceding  a
                    system  name  indicates  that  one  of  the  system
                    components  is  vulnerable.   For   example,
                    Windows 98 ships with Internet Explorer.  So  if  a
                    vulnerability is found in IE you may see  something
                    like:

                    Microsoft Internet Explorer
                    + Microsoft Windows 98

Non-Vulnerable Systems: The list of non-vulnerable systems.

           Summary: A concise summary of the vulnerability.

            Impact: The impact of the vulnerability.

Technical Description: The in-depth description of the vulnerability.

  Attack Scenarios: Ways an attacker may make use of the vulnerability.

          Exploits: Exploit instructions or programs.

Mitigating Strategies: Ways to mitigate the vulnerability.

         Solutions: Solutions to the vulnerability.

            Credit: Information about who disclosed the vulnerability.

        References: Sources of information on the vulnerability.

 Related Resources: Resources that might be of additional value.

         ChangeLog: History of changes to the vulnerability record.

                 Copyright 2001 SecurityFocus.com
