|发布时间 :2005-03-01 00:00:00|
|修订时间 :2017-07-10 21:30:40|
[原文]fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to bypass access restrictions and load an arbitrary configuration file by starting an suid process and pointing the fcronsighup configuration file to a /proc entry that is owned by root but modifiable by the user, such as /proc/self/cmdline or /proc/self/environ.
- CVSS (基础分值)
- CPE (受影响的平台与产品)
- OVAL (用于检测的技术细节)
(UNKNOWN) GENTOO GLSA-200411-27
(UNKNOWN) IDEFENSE 20041115 Multiple Security Vulnerabilities in Fcron
(VENDOR_ADVISORY) BID 11684
(UNKNOWN) XF fcron-fcronsighup-restrictions-bypass(18076)
|2005-03-01 00:00:00||2006-09-05 00:00:00|
| Fcron是一款命令执行调度程序，可代替Vixie Cron使用。
- 漏洞信息 (F35076)
|iDEFENSE Security Advisory 2004-11-15.t (PacketStormID:F35076)|
|Karol Wiesek,iDefense Labs idefense.com|
iDEFENSE Security Advisory 11.15.04 - Multiple vulnerabilities have been found in Fcron 2.0.1 and 2.9.4. Local exploitation of vulnerabilities in the fcronsighup component of Fcron may allow users to view the contents of root owned files, bypass access restrictions, and remove arbitrary files or create arbitrary empty files.
Multiple Security Vulnerabilities in Fcron iDEFENSE Security Advisory 11.15.04 www.idefense.com/application/poi/display?id=157&type=vulnerabilities November 15, 2004 I. BACKGROUND Fcron is a periodical command scheduler which aims at replacing Vixie Cron, and implements most of its functionalities. More information about Fcron is available from http://fcron.free.fr/description.php. II. DESCRIPTION Multiple vulnerabilities have been found in Fcron. **** ISSUE 1 - File contents disclosure **** Local exploitation of a design error vulnerability in the fcronsighup component of Fcron may allow users to view the contents of root owned files. The vulnerability specifically exists within the set user id (setuid) root program fcronsighup. When the filename of a root owned file is passed as an argument to this program, it attempts to parse the file as a configuration file. Any lines in the file that are not parsable will be output as error messages. The following example demonstrates how an attacker can abuse this vulnerability to glean sensitive information from the /etc/shadow password file: bash$ fcronsighup /etc/shadow 14:33:09 Unknown var name at line root:<password-hash>:12475:0:99999:7::: : line ignored **** ISSUE 2 - Configuration Bypass Vulnerability **** Local exploitation of a design error vulnerability in the fcronsighup component of Fcron may allow users to bypass access restrictions. The problem specifically exists in the checking performed by the fcronsighup utility on the file passed as a configuration file. It checks if the file is root owned, and not writable by any other users. When a setuid process is run by an ordinary user the /proc filesystem pseudofiles associated with it are owned by root and the contents of the "cmdline" and "evironment" files are controllable by the user. By pointing the fcronsighup configuration file to a /proc entry owned by root, such as /proc/self/cmdline or /proc/self/environ, it is possible for a user to supply their own configuration settings. **** ISSUE 3 - File Removal and Empty File Creation Vulnerability**** Local exploitation of a design error vulnerability in the fcronsighup component of Fcron may allow users to remove arbitrary files or create arbitrary empty files. The vulnerability specifically exists in the fcronsighup utility which does signaling of the running fcron daemon. Fcronsighup creates a file named in part from a value read from configuration file. This file is created using open() with O_RDWR|O_CREAT and 0644 parameters while running with full root privileges. After some time has passed the file is removed. The filename string is generated by the following code: snprintf(sigfile, sizeof(sigfile), "%s/fcrontab.sig", fcrontabs); By padding the front of the filename with a large number of slash symbols ("/") it is possible to create or remove a file in an arbitrary location. For example: to create the file /tmp/owned, the configuration option which sets the value for "fcrontabs" can be set to contain (sizeof(sigfile)-strlen("/tmp/owned")) "/" characters, followed by the string "/tmp/owned". The code will attempt to append the string "/fcrontab.sig" to this string, but the limitation imposed on it by the call to snprintf() will cause it to fail. When the filename is resolved, the extra "/"s in the filename are ignored, resulting in an absolute reference to the file /tmp/owned. **** ISSUE 4 - Information Disclosure Vulnerability **** Local exploitation of a design error vulnerability in the fcrontab component of Fcron may allow users to view the contents of fcron.allow and fcron.deny. The problem specifically exists because Fcron leaks the file descriptors of the opened files /etc/fcron.allow and /etc/fcron.deny to the invoked editor. The default permissions on these files do not allow them to be read by unprivileged users: -rw-r----- 1 root fcron 253 Jul 29 12:45 /etc/fcron.allow -rw-r----- 1 root fcron 255 Jul 29 12:45 /etc/fcron.deny An attacker can exploit this vulnerability by setting the EDITOR environment variable to a program which outputs the contents of the open file descriptor; descriptor 3 to view the contents of fcron.allow and descriptor 4 to view the contents of fcron.deny. III. ANALYSIS Local users can bypass configuration settings, remove arbitrary files, create files with root permissions, read the contents of root owned files and send a SIGHUP to any process, potentially killing it. These actions may allow them to perform a denial of service or potentially elevate their privileges. IV. DETECTION iDEFENSE has confirmed that Fcron versions 2.0.1 and 2.9.4 are vulnerable. It is suspected that earlier versions are also affected. V. WORKAROUND Consider changing the permissions on the fcronsighup binary to only allow trusted users access. Make the binary only executable by users in the 'trusted' group by performing the following commands as root: # chown root:trusted /usr/bin/fcronsighup # chmod 4110 /usr/bin/fcronsighup Also consider performing the same operation on the fcrontab binary to prevent exploitation of Issue 4. VI. VENDOR RESPONSE The following releases are available to address these vulnerabilities: 2.0.2 : stable branch http://fcron.free.fr/archives/fcron-2.0.2.src.tar.gz (France) or ftp://ftp.seul.org/pub/fcron/fcron-2.0.2.src.tar.gz (USA) 184.108.40.206 : dev branch http://fcron.free.fr/archives/fcron-220.127.116.11.src.tar.gz (France) or ftp://ftp.seul.org/pub/fcron/fcron-18.104.22.168.src.tar.gz (USA) VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues: ISSUE 1 - File contents disclosure CAN-2004-1030 ISSUE 2 - Configuration Bypass Vulnerability CAN-2004-1031 ISSUE 3 - File Removal and Empty File Creation Vulnerability CAN-2004-1032 ISSUE 4 - Information Disclosure Vulnerability CAN-2004-1033 These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 10/21/2004 Initial vendor notification 10/21/2004 Initial vendor response 11/15/2004 Coordinated public disclosure IX. CREDIT Karol Wiesek is credited with discovering these vulnerabilities. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp X. LEGAL NOTICES Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email firstname.lastname@example.org for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
|Fcron fcronsighup Configuration Restriction Bypass|
|Upgrade to version 2.0.2 (stable), 22.214.171.124 (dev), or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.|