CVE-2006-2607
CVSS 7.2
Published: 2006-05-25 16:02:00
Revised: 2011-03-07 21:36:34

[Original] do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf.


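[CNNVD] Vixie Cron PAM_Limits local privilege escalation vulnerability (CNNVD-200605-470)

        Vixie cron is a daemon written by Paul Vixie that runs scheduled jobs in the background; many free Unix operating systems ship with it.
        Vixie cron has a flaw in how it handles process privileges, which a local attacker may exploit to gain root privileges.
        If the hard nproc limit is set to 10 in limits.conf and "session required pam_limits.so" is commented out in /etc/pam.d/crond, then once the process limit is reached new processes are started as the root user.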

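- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may take the system down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10213: do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root priv...
*OVAL describes in detail how to detect this vulnerability; further technical details on detection can be found in the related OVAL definitions.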

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2607
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2607
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-470
(Official data source) CNNVD

- Other links and resources

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178431
(PATCH)  CONFIRM  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178431
http://xforce.iss.net/xforce/xfdb/26691
(UNKNOWN)  XF  vixie-cron-docommand-gain-privilege(26691)
http://www.vupen.com/english/advisories/2006/2075
(UNKNOWN)  VUPEN  ADV-2006-2075
http://www.ubuntulinux.org/support/documentation/usn/usn-778-1
(UNKNOWN)  UBUNTU  USN-778-1
http://www.securityfocus.com/bid/18108
(UNKNOWN)  BID  18108
http://www.securityfocus.com/archive/1/archive/1/435033/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060525 rPSA-2006-0082-1 vixie-cron
http://secunia.com/advisories/35318
(UNKNOWN)  SECUNIA  35318
http://secunia.com/advisories/20380
(VENDOR_ADVISORY)  SECUNIA  20380
http://bugs.gentoo.org/show_bug.cgi?id=134194
(UNKNOWN)  CONFIRM  http://bugs.gentoo.org/show_bug.cgi?id=134194
http://www.redhat.com/support/errata/RHSA-2006-0539.html
(UNKNOWN)  REDHAT  RHSA-2006:0539
http://www.novell.com/linux/security/advisories/2006-05-32.html
(UNKNOWN)  SUSE  SUSE-SA:2006:027
http://support.avaya.com/elmodocs2/security/ASA-2006-168.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-168.htm
http://securitytracker.com/id?1016480
(UNKNOWN)  SECTRACK  1016480
http://security.gentoo.org/glsa/glsa-200606-07.xml
(UNKNOWN)  GENTOO  GLSA-200606-07
http://secunia.com/advisories/21702
(UNKNOWN)  SECUNIA  21702
http://secunia.com/advisories/21032
(UNKNOWN)  SECUNIA  21032
http://secunia.com/advisories/20616
(UNKNOWN)  SECUNIA  20616
http://secunia.com/advisories/20388
(UNKNOWN)  SECUNIA  20388

- Vulnerability information

Vixie Cron PAM_Limits local privilege escalation vulnerability
High risk  Design error
2006-05-25 00:00:00 2009-06-09 00:00:00
Local

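- Advisories and patches

        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        http://www.vix.com/

- Vulnerability information (F78030)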

Ubuntu Security Notice 778-1 (PacketStormID:F78030)
2009-06-03 00:00:00
Ubuntu  security.ubuntu.com
advisory,local
linux,ubuntu
CVE-2006-2607

Ubuntu Security Notice USN-778-1 - It was discovered that cron did not properly check the return code of the setgid() and initgroups() system calls. A local attacker could use this to escalate group privileges. Please note that cron versions 3.0pl1-64 and later were already patched to address the more serious setuid() check referred to by CVE-2006-2607.

===========================================================
Ubuntu Security Notice USN-778-1              June 01, 2009
cron vulnerability
CVE-2006-2607
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  cron                            3.0pl1-92ubuntu1.1

Ubuntu 8.04 LTS:
  cron                            3.0pl1-100ubuntu2.1

Ubuntu 8.10:
  cron                            3.0pl1-104+ubuntu5.1

Ubuntu 9.04:
  cron                            3.0pl1-105ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that cron did not properly check the return code of
the setgid() and initgroups() system calls. A local attacker could use
this to escalate group privileges. Please note that cron versions 3.0pl1-64
and later were already patched to address the more serious setuid() check
referred to by CVE-2006-2607.



- Vulnerability information

25850
Vixie Cron do_command.c Setuid Drop Failure Privilege Escalation
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-05-24 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Vixie Cron PAM_Limits Local Privilege Escalation Vulnerability
Design Error 18108
No Yes
2006-05-25 12:00:00 2009-06-01 07:49:00
Discovery is credited to Roman Veretelnikov.

- Affected program versions

Ubuntu Ubuntu Linux 9.04 sparc
Ubuntu Ubuntu Linux 9.04 powerpc
Ubuntu Ubuntu Linux 9.04 lpia
Ubuntu Ubuntu Linux 9.04 i386
Ubuntu Ubuntu Linux 9.04 amd64
Ubuntu Ubuntu Linux 8.10 sparc
Ubuntu Ubuntu Linux 8.10 powerpc
Ubuntu Ubuntu Linux 8.10 lpia
Ubuntu Ubuntu Linux 8.10 i386
Ubuntu Ubuntu Linux 8.10 amd64
Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
Turbolinux Turbolinux Server 10.0 x86
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux FUJI
Turbolinux Turbolinux 10 F...
TurboLinux Personal
TurboLinux Multimedia
Turbolinux Home
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Turbolinux Appliance Server 2.0
TransSoft Broker FTP Server 8.0
TransSoft Broker FTP Server 7.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
S.u.S.E. UnitedLinux 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core4
Red Hat Enterprise Linux AS 4
Paul Vixie Vixie Cron 4.1
+ Red Hat Fedora Core3
Gentoo Linux
Avaya Messaging Storage Server MM3.0

- Vulnerability discussion

Vixie cron is prone to a local privilege-escalation vulnerability because the application fails to properly drop superuser privileges in certain circumstances when executing jobs.

This issue allows local attackers who have been authorized to execute cron jobs to run arbitrary commands with superuser privileges. This facilitates the complete compromise of affected computers.

Vixie cron 4.1 is vulnerable when used in conjunction with pam_limits. Other versions may also be affected.
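
The unchecked privilege drop described above, next to a checked one, as an added example (not code from vixie-cron or from any advisory listed here). The `cred_ops` table, the `sim_*` stand-ins and the function names are assumptions made for illustration; the stand-ins model a setuid() call that fails with EAGAIN and change no real IDs.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Credential calls sit behind a table so a failure can be simulated
 * (hypothetical design for this example, not cron's own structure). */
struct cred_ops {
    int (*set_gid)(gid_t);
    int (*set_uid)(uid_t);
};

/* Constructed stand-ins: the process starts as uid 0 and no real IDs change.
 * sim_setuid_fail models setuid() failing with EAGAIN at a process limit. */
static uid_t sim_uid = 0;
static int sim_setgid(gid_t g) { (void)g; return 0; }
static int sim_setuid_ok(uid_t u) { sim_uid = u; return 0; }
static int sim_setuid_fail(uid_t u) { (void)u; errno = EAGAIN; return -1; }

const struct cred_ops OPS_REAL = { setgid, setuid };          /* production wiring */
const struct cred_ops OPS_OK = { sim_setgid, sim_setuid_ok };
const struct cred_ops OPS_LIMIT_HIT = { sim_setgid, sim_setuid_fail };

/* Unchecked pattern from the advisory: return codes are discarded, so the
 * caller is told to go ahead even when the process is still uid 0. */
int drop_unchecked(const struct cred_ops *ops, uid_t uid, gid_t gid) {
    ops->set_gid(gid);
    ops->set_uid(uid);
    return 0;
}

/* Checked pattern: group before user, every result tested; on -1 the caller
 * must abandon the job instead of executing it. */
int drop_checked(const struct cred_ops *ops, uid_t uid, gid_t gid) {
    if (ops->set_gid(gid) != 0) return -1;
    if (ops->set_uid(uid) != 0) return -1;
    return 0;
}

int main(void) {
    int rc = drop_unchecked(&OPS_LIMIT_HIT, 1000, 1000);
    printf("unchecked: rc=%d, job would run as uid %u\n", rc, (unsigned)sim_uid);
    rc = drop_checked(&OPS_LIMIT_HIT, 1000, 1000);
    printf("checked:   rc=%d, job is not started\n", rc);
    return 0;
}
```

The same check applies to the setgid() and initgroups() calls named in USN-778-1: any failure in the sequence has to stop the job before it is executed.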

- Exploitation

To trigger this issue, attackers use the affected cron utility in a normal manner.

- Solution

Updates are available. Please see the references for more information.

