[UNIX] Fcron Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 11/16/04

    To: list@securiteam.com
    Date: 16 Nov 2004 17:30:20 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Fcron Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     <http://fcron.free.fr/description.php> Fcron is a periodical command
    scheduler which aims at replacing Vixie Cron and implements most of its
    functionality.

    Multiple vulnerabilities have been found in Fcron ranging from simple
    information disclosure to configuration bypass and file removal possible
    on the server running the daemon.

    DETAILS

    Vulnerable Systems:
     * Fcron versions 2.0.1 and 2.9.4, possibly prior

    Immune Systems:
     * Fcron stable branch version 2.0.2
     * Fcron development branch version 2.9.5.1

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1030>
    CAN-2004-1030 - File contents disclosure
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1031>
    CAN-2004-1031 - Configuration Bypass Vulnerability
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1032>
    CAN-2004-1032 - File Removal and Empty File Creation Vulnerability
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1033>
    CAN-2004-1033 - Information Disclosure Vulnerability

    File Contents Disclosure
    Local exploitation of a design error vulnerability in the fcronsighup
    component of Fcron may allow users to view the contents of root owned
    files. The vulnerability is within the fcronsighup root setuid binary.
    When the filename of a root owned file is passed as an argument to this
    program, it attempts to parse the file as a configuration file. Any lines
    in the file that are not parseable will be output as error messages. A
    simple example is presented below:
    bash$ fcronsighup /etc/shadow
    14:33:09 Unknown var name at line
    root:<password-hash>:12475:0:99999:7::: : line ignored

    Configuration Bypass Vulnerability
    Local exploitation of a design error vulnerability in the fcronsighup
    component of Fcron may allow users to bypass access restrictions. The
    fcronsighup utility checks the ownership and permissions of the file
    passed to it: the file must be owned by root and must not be world
    writeable. However, those checks can be tricked by a malicious user,
    because the 'cmdline' and 'environment' files under /proc are root-owned
    yet controllable by the user.

    By pointing the fcronsighup configuration file to a /proc entry owned by
    root, such as /proc/self/cmdline or /proc/self/environ, it is possible for
    a user to supply their own configuration settings.
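    A hardened acceptance check, added here as an example and not fcron's own code: it resolves the path, requires it to sit under a trusted directory (assumed here to be /etc, given without a trailing slash), then fstat()s the descriptor it actually opened, so a root-owned /proc entry such as /proc/self/cmdline is rejected even though it passes an owner-and-mode test.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Owner/mode test alone (what the advisory says fcronsighup relied on):
 * it accepts root-owned /proc entries that reflect the caller's own process. */
int owner_mode_ok(const struct stat *st)
{
    return st->st_uid == 0 && (st->st_mode & S_IWOTH) == 0;
}

/* Hardened check: canonicalise the path, insist it lies under trusted_dir
 * (an assumed policy, e.g. "/etc"), open it, and fstat() the descriptor so
 * the object checked is the object that will be parsed.
 * Returns an open read-only fd on success, -1 on any failure. */
int open_trusted_config(const char *path, const char *trusted_dir)
{
    char real[PATH_MAX];
    struct stat st;
    size_t dlen = strlen(trusted_dir);

    if (realpath(path, real) == NULL)
        return -1;                      /* nonexistent or unresolvable */
    if (strncmp(real, trusted_dir, dlen) != 0 || real[dlen] != '/')
        return -1;                      /* outside trusted_dir: /proc/..., /tmp/..., symlink escapes */
    int fd = open(real, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || !owner_mode_ok(&st)) {
        close(fd);                      /* directories, devices, non-root or world-writable files */
        return -1;
    }
    return fd;
}

/* Convenience wrapper for policy tests: 1 if path would be accepted, else 0. */
int config_accepted(const char *path, const char *trusted_dir)
{
    int fd = open_trusted_config(path, trusted_dir);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}
```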

    File Removal and Empty File Creation Vulnerability
    Local exploitation of a design error vulnerability in the fcronsighup
    component of Fcron may allow users to remove arbitrary files or create
    arbitrary empty files. The vulnerability exists in the fcronsighup utility
    which performs signaling of the running fcron daemon. Fcronsighup creates
    a file named in part from a value read from the configuration file. This
    file is created using open() with the 'O_RDWR | O_CREAT' flags and 0644
    parameters while running with full root privileges. After some time has
    passed the file is removed.

    The filename string is generated by the following code:
    snprintf(sigfile, sizeof(sigfile), "%s/fcrontab.sig", fcrontabs);

    By padding the front of the filename with a large number of slash symbols
    ("/") it is possible to create or remove a file in an arbitrary location.
    For example, to create the file /tmp/owned, the configuration option which
    sets the value for "fcrontabs" should be set to contain
    (sizeof(sigfile)-strlen("/tmp/owned")) "/" characters, followed by the
    string "/tmp/owned".

    The code will attempt to append the string "/fcrontab.sig" to this string,
    but the length limit enforced by snprintf() truncates the result, so the
    suffix is never written. When the filename is resolved, the extra "/"s at
    the front of the name are ignored, leaving an absolute reference to the
    file /tmp/owned.
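    The truncation and its fix side by side, as an added example rather than fcron's code: SIGFILE_LEN is a constructed buffer size, build_sigfile_unchecked() mirrors the snprintf() call quoted above, and build_sigfile_checked() treats a snprintf() return value at or beyond the buffer size as an error instead of a usable filename. padded_fcrontabs() only builds the constructed test input.

```c
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for this example; the page does not give fcron's real size. */
#define SIGFILE_LEN 32

/* The advisory's construction: snprintf() truncates silently, so a long
 * "fcrontabs" value pushes the "/fcrontab.sig" suffix off the end. */
void build_sigfile_unchecked(const char *fcrontabs, char sigfile[SIGFILE_LEN])
{
    snprintf(sigfile, SIGFILE_LEN, "%s/fcrontab.sig", fcrontabs);
}

/* Hardened form: refuse relative paths, doubled slashes and any truncation,
 * and leave the buffer empty on failure so no caller can open() a bad name. */
int build_sigfile_checked(const char *fcrontabs, char sigfile[SIGFILE_LEN])
{
    sigfile[0] = '\0';
    if (fcrontabs == NULL || fcrontabs[0] != '/' || strstr(fcrontabs, "//") != NULL)
        return -1;
    int r = snprintf(sigfile, SIGFILE_LEN, "%s/fcrontab.sig", fcrontabs);
    if (r < 0 || (size_t)r >= SIGFILE_LEN) {   /* r >= size means output was truncated */
        sigfile[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed test input: the slash-padded value the advisory describes,
 * sized so that padding plus target exactly fill the buffer (target must be short). */
void padded_fcrontabs(const char *target, char out[SIGFILE_LEN])
{
    size_t pad = SIGFILE_LEN - 1 - strlen(target);
    memset(out, '/', pad);
    strcpy(out + pad, target);
}

/* 1 if the generated name still ends in "/fcrontab.sig", else 0. */
int has_sig_suffix(const char *sigfile)
{
    const char *suf = "/fcrontab.sig";
    size_t n = strlen(sigfile), m = strlen(suf);
    return n >= m && strcmp(sigfile + n - m, suf) == 0;
}
```

    Feeding padded_fcrontabs("/tmp/owned", ...) to build_sigfile_unchecked() yields a name with no "/fcrontab.sig" suffix at all, while build_sigfile_checked() returns -1 for the same value and 0 for a sane "/var/spool/fcron".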

    Information Disclosure Vulnerability
    Local exploitation of a design error vulnerability in the fcrontab
    component of Fcron may allow users to view the contents of fcron.allow and
    fcron.deny. The leak occurs because fcrontab passes the open file
    descriptors of /etc/fcron.allow and /etc/fcron.deny on to the invoked
    editor. The default permissions on these files do not allow them to be
    read by unprivileged users:
    -rw-r----- 1 root fcron 253 Jul 29 12:45 /etc/fcron.allow
    -rw-r----- 1 root fcron 255 Jul 29 12:45 /etc/fcron.deny

    An attacker can exploit this vulnerability by setting the EDITOR
    environment variable to a program which outputs the contents of the
    inherited file descriptors: descriptor 3 holds fcron.allow and descriptor
    4 holds fcron.deny.
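    The descriptor leak and two fixes, as an added example and not fcrontab's code: open_policy_file_safe() requests O_CLOEXEC at open time, set_cloexec() retrofits the flag on an already-open descriptor, and count_inheritable_fds() audits what a spawned editor would inherit. /dev/null stands in for /etc/fcron.allow in the tests, since that file is assumed absent.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <unistd.h>

/* The advisory's failure mode: a descriptor opened without close-on-exec
 * is inherited by the $EDITOR child that fcrontab spawns. */
int open_policy_file_leaky(const char *path)
{
    return open(path, O_RDONLY);
}

/* Fix 1: request close-on-exec atomically at open time (no window in
 * which a concurrently forked child could inherit it). */
int open_policy_file_safe(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Fix 2, for descriptors opened by code you cannot change: set FD_CLOEXEC
 * after the fact. Returns 0 on success, -1 if fd is not open. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* 1 if the descriptor would survive execve() into the editor,
 * 0 if it is close-on-exec, -1 if fd is not open. */
int fd_survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Audit helper: number of open descriptors in [minfd, maxfd] that a child
 * would inherit. A setuid program should see 0 for minfd = 3 right before
 * exec'ing an editor chosen by the unprivileged caller. */
int count_inheritable_fds(int minfd, int maxfd)
{
    int n = 0;
    for (int fd = minfd; fd <= maxfd; fd++)
        if (fd_survives_exec(fd) == 1)
            n++;
    return n;
}
```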

    Impact
    Local users can bypass configuration settings, remove arbitrary files,
    create files with root permissions, read the contents of root owned files
    and send a SIGHUP to any process, potentially killing it. These actions
    may allow them to perform a denial of service or potentially elevate their
    privileges.

    Workaround
    Consider changing the permissions on the fcronsighup binary to only allow
    trusted users access. Make the binary only executable by users in the
    'trusted' group by performing the following commands as root:
    # chown root:trusted /usr/bin/fcronsighup
    # chmod 4110 /usr/bin/fcronsighup

    Also consider performing the same operation on the fcrontab binary to
    prevent exploitation of Issue 4.

    Vendor Status:
    The following releases of fixed versions are available for download:

    Fcron version 2.0.2 stable:
    http://fcron.free.fr/archives/fcron-2.0.2.src.tar.gz
    ftp://ftp.seul.org/pub/fcron/fcron-2.0.2.src.tar.gz

    Fcron version 2.9.5.1 dev:
    http://fcron.free.fr/archives/fcron-2.9.5.1.src.tar.gz
    ftp://ftp.seul.org/pub/fcron/fcron-2.9.5.1.src.tar.gz

    Disclosure Timeline:
    10/21/2004 Initial vendor notification
    10/21/2004 Initial vendor response
    11/15/2004 Coordinated public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE Security Labs
    <mailto:idlabs-advisories@idefense.com>.
    The original article can be found at:
    http://www.idefense.com/application/poi/display?id=157&type=vulnerabilities

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
