CVE-2004-1030
CVSS2.1
发布时间 :2005-03-01 00:00:00
修订时间 :2008-09-05 16:40:08
NMCOPS    

[原文]fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to gain sensitive information by calling fcronsighup with an arbitrary file, which reveals the contents of the file that can not be parsed in an error message.


[CNNVD]Fcron 文件内容泄露漏洞(CNNVD-200503-025)

        Fcron是一款命令执行调度程序,可代替Vixie Cron使用。
        Fcron包含的fcronsighup程序存在问题,本地攻击者可以利用这个漏洞查看ROOT属主的文件内容。
        fcronsighup是setuid root属性程序,当ROOT属主的文件名传递给程序时,会作为配置文件解析,任何一行不能解析的内容会作为错误信息输出,因此利用root属主文件作为参数,可泄露敏感信息。
        

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:gentoo:linuxGentoo Linux
cpe:/a:thibault_godouet:fcron:2.9.4
cpe:/a:thibault_godouet:fcron:2.0.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1030
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1030
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200503-025
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/11684
(VENDOR_ADVISORY)  BID  11684
http://xforce.iss.net/xforce/xfdb/18075
(VENDOR_ADVISORY)  XF  fcron-fcronsighup-obtain-info(18075)
http://www.idefense.com/application/poi/display?id=157&type=vulnerabilities&flashstatus=false
(UNKNOWN)  IDEFENSE  20041115 Multiple Security Vulnerabilities in Fcron
http://security.gentoo.org/glsa/glsa-200411-27.xml
(UNKNOWN)  GENTOO  GLSA-200411-27

- 漏洞信息

Fcron 文件内容泄露漏洞
低危 设计错误
2005-03-01 00:00:00 2006-09-05 00:00:00
本地  
        Fcron是一款命令执行调度程序,可代替Vixie Cron使用。
        Fcron包含的fcronsighup程序存在问题,本地攻击者可以利用这个漏洞查看ROOT属主的文件内容。
        fcronsighup是setuid root属性程序,当ROOT属主的文件名传递给程序时,会作为配置文件解析,任何一行不能解析的内容会作为错误信息输出,因此利用root属主文件作为参数,可泄露敏感信息。
        

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        http://fcron.free.fr/archives/fcron-2.0.2.src.tar.gz
        ftp://ftp.seul.org/pub/fcron/fcron-2.0.2.src.tar.gz
        http://fcron.free.fr/archives/fcron-2.9.5.1.src.tar.gz
        ftp://ftp.seul.org/pub/fcron/fcron-2.9.5.1.src.tar.gz

- 漏洞信息 (F35076)

iDEFENSE Security Advisory 2004-11-15.t (PacketStormID:F35076)
2004-11-20 00:00:00
Karol Wiesek,iDefense Labs  idefense.com
advisory,arbitrary,local,root,vulnerability
CVE-2004-1030,CVE-2004-1031,CVE-2004-1032,CVE-2004-1033
[点击下载]

iDEFENSE Security Advisory 11.15.04 - Multiple vulnerabilities have been found in Fcron 2.0.1 and 2.9.4. Local exploitation of vulnerabilities in the fcronsighup component of Fcron may allow users to view the contents of root owned files, bypass access restrictions, and remove arbitrary files or create arbitrary empty files.

Multiple Security Vulnerabilities in Fcron

iDEFENSE Security Advisory 11.15.04
www.idefense.com/application/poi/display?id=157&type=vulnerabilities
November 15, 2004

I. BACKGROUND

Fcron is a periodical command scheduler which aims at replacing Vixie
Cron, and implements most of its functionalities. More information about
Fcron is available from http://fcron.free.fr/description.php.

II. DESCRIPTION

Multiple vulnerabilities have been found in Fcron.

**** ISSUE 1 - File contents disclosure ****

Local exploitation of a design error vulnerability in the fcronsighup 
component of Fcron may allow users to view the contents of root owned 
files.

The vulnerability specifically exists within the set user id (setuid) 
root program fcronsighup. When the filename of a root owned file is 
passed as an argument to this program, it attempts to parse the file as 
a configuration file. Any lines in the file that are not parsable will 
be output as error messages. The following example demonstrates how an 
attacker can abuse this vulnerability to glean sensitive information 
from the /etc/shadow password file:

bash$ fcronsighup /etc/shadow
14:33:09 Unknown var name at line
root:<password-hash>:12475:0:99999:7::: : line ignored

**** ISSUE 2 - Configuration Bypass Vulnerability ****

Local exploitation of a design error vulnerability in the fcronsighup 
component of Fcron may allow users to bypass access restrictions.

The problem specifically exists in the checking performed by the
fcronsighup utility on the file passed as a configuration file. It
checks if the file is root owned, and not writable by any other users.

When a setuid process is run by an ordinary user the /proc filesystem
pseudofiles associated with it are owned by root and the contents of the

"cmdline" and "evironment" files are controllable by the user.

By pointing the fcronsighup configuration file to a /proc entry owned by

root, such as /proc/self/cmdline or /proc/self/environ, it is possible 
for a user to supply their own configuration settings.

**** ISSUE 3 - File Removal and Empty File Creation Vulnerability****

Local exploitation of a design error vulnerability in the fcronsighup 
component of Fcron may allow users to remove arbitrary files or create 
arbitrary empty files.

The vulnerability specifically exists in the fcronsighup utility which 
does signaling of the running fcron daemon. Fcronsighup creates a file 
named in part from a value read from configuration file. This file is 
created using open() with O_RDWR|O_CREAT and 0644 parameters while 
running with full root privileges. After some time has passed the file 
is removed. The filename string is generated by the following code:

snprintf(sigfile, sizeof(sigfile), "%s/fcrontab.sig", fcrontabs);

By padding the front of the filename with a large number of slash 
symbols ("/") it is possible to create or remove a file in an arbitrary 
location. For example: to create the file /tmp/owned, the configuration
option which sets the value for "fcrontabs" can be set to contain
(sizeof(sigfile)-strlen("/tmp/owned")) "/" characters, followed by the
string "/tmp/owned". The code will attempt to append the string
"/fcrontab.sig" to this string, but the limitation imposed on it by the
call to snprintf() will cause it to fail. When the filename is resolved,
the extra "/"s in the filename are ignored, resulting in an absolute
reference to the file /tmp/owned.

**** ISSUE 4 -  Information Disclosure Vulnerability ****

Local exploitation of a design error vulnerability in the fcrontab 
component of Fcron may allow users to view the contents of fcron.allow 
and fcron.deny.

The problem specifically exists because Fcron leaks the file descriptors

of the opened files /etc/fcron.allow and /etc/fcron.deny to the invoked 
editor. The default permissions on these files do not allow them to be 
read by unprivileged users:

-rw-r----- 1 root fcron 253 Jul 29 12:45 /etc/fcron.allow
-rw-r----- 1 root fcron 255 Jul 29 12:45 /etc/fcron.deny

An attacker can exploit this vulnerability by setting the EDITOR 
environment variable to a program which outputs the contents of the open

file descriptor; descriptor 3 to view the contents of fcron.allow and 
descriptor 4 to view the contents of fcron.deny.

III. ANALYSIS

Local users can bypass configuration settings, remove arbitrary files, 
create files with root permissions, read the contents of root owned 
files and send a SIGHUP to any process, potentially killing it. These 
actions may allow them to perform a denial of service or potentially 
elevate their privileges.

IV. DETECTION

iDEFENSE has confirmed that Fcron versions 2.0.1 and 2.9.4 are
vulnerable. It is suspected that earlier versions are also affected.

V. WORKAROUND

Consider changing the permissions on the fcronsighup binary to only 
allow trusted users access. Make the binary only executable by users 
in the 'trusted' group by performing the following commands as root:

# chown root:trusted /usr/bin/fcronsighup
# chmod 4110 /usr/bin/fcronsighup

Also consider performing the same operation on the fcrontab binary to
prevent exploitation of Issue 4.

VI. VENDOR RESPONSE

The following releases are available to address these vulnerabilities:

2.0.2 : stable branch
   http://fcron.free.fr/archives/fcron-2.0.2.src.tar.gz (France)
   or
   ftp://ftp.seul.org/pub/fcron/fcron-2.0.2.src.tar.gz (USA)

2.9.5.1 : dev branch
   http://fcron.free.fr/archives/fcron-2.9.5.1.src.tar.gz  (France)
   or
   ftp://ftp.seul.org/pub/fcron/fcron-2.9.5.1.src.tar.gz (USA)

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues:

ISSUE 1 - File contents disclosure
CAN-2004-1030

ISSUE 2 - Configuration Bypass Vulnerability
CAN-2004-1031

ISSUE 3 - File Removal and Empty File Creation Vulnerability
CAN-2004-1032

ISSUE 4 -  Information Disclosure Vulnerability
CAN-2004-1033

These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

10/21/2004  Initial vendor notification
10/21/2004  Initial vendor response
11/15/2004  Coordinated public disclosure

IX. CREDIT

Karol Wiesek is credited with discovering these vulnerabilities.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    

- 漏洞信息

11834
Fcron fcronsighup Arbitrary Privileged File Acess
Third-Party Solution
Vendor Verified

- 漏洞描述

- 时间线

2004-11-15 2004-10-21
Unknow 2004-11-15

- 解决方案

Upgrade to version 2.0.2 (stable), 2.9.5.1 (dev), or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

- 漏洞信息

Fcron FCronTab/FCronSighUp Multiple Local Vulnerabilities
Design Error 11684
No Yes
2004-11-15 12:00:00 2009-07-12 08:06:00
Discovery of these vulnerabilities is credited to Karol Wiesek.

- 受影响的程序版本

Gentoo Linux
Fcron Fcron 2.9.4
Fcron Fcron 2.0.1
Fcron Fcron 2.9.5 .1
Fcron Fcron 2.0.2

- 不受影响的程序版本

Fcron Fcron 2.9.5 .1
Fcron Fcron 2.0.2

- 漏洞讨论

Fcron is reported prone to multiple local vulnerabilities. The following issues are reported:

A local information disclosure vulnerability is reported to affect fcronsighup. It is reported that the affected utility will attempt to parse configuration files that are passed to the utility as a command line argument.

A local attacker may exploit this condition to reveal the contents of arbitrary files that are owned by the superuser. This vulnerability is assigned the following MITRE CVE identifier: CAN-2004-1030.

An access control bypass vulnerability is also reported to affect fcronsighup. It is reported that the issue exists due to a design error.

A local attacker may exploit this vulnerability to make configuration changes to fcronsighup. This vulnerability is assigned the following MITRE CVE identifier: CAN-2004-1031.

fcronsighup is reported prone to an arbitrary file deletion vulnerability. By exploiting the aforementioned access control bypass vulnerability, a local attacker may influence the fcronsighup configuration and may cause the application to overwrite arbitrary attacker specified files. This vulnerability is assigned the following MITRE CVE identifier: CAN-2004-1032.

Finally it is reported that the fcrontab component of Fcron leaks file descriptors. This can result in sensitive information disclosure. Specifically, fcrontab leaks the file descriptors of the '/etc/fcron.allow' and '/etc/fcron.deny' files. This vulnerability is assigned the following MITRE CVE identifier: CAN-2004-1033.

- 漏洞利用

No exploit is required.

- 解决方案

Gentoo Linux has released advisory GLSA 200411-27 to address these issues. Users of affected packages are urged to execute the following commands with superuser privileges:
emerge --sync
emerge --ask --oneshot --verbose ">=sys-apps/fcron-2.0.2"
Please see the referenced advisory for further information.

The vendor has released the upgrades to address these vulnerabilities.

Trustix has released advisory TSLSA-2005-0001 to address various issues. Please see the referenced advisory for more information.


Fcron Fcron 2.0.1

Fcron Fcron 2.9.4

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站