iDEFENSE Security Advisory 11.15.04: Multiple Security Vulnerabilities in Fcron

From: customer service mailbox (customerservice_at_idefense.com)
Date: 11/15/04

  • Next message: Gerald (Jerry) Carter: "[SAMBA] CAN-2004-0882: Possiebl Buffer Overrun in smbd"
    Date: Mon, 15 Nov 2004 15:06:43 -0500
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>
    
    

    Multiple Security Vulnerabilities in Fcron

    iDEFENSE Security Advisory 11.15.04
    www.idefense.com/application/poi/display?id=157&type=vulnerabilities
    November 15, 2004

    I. BACKGROUND

    Fcron is a periodical command scheduler which aims at replacing Vixie
    Cron, and implements most of its functionalities. More information about
    Fcron is available from http://fcron.free.fr/description.php.

    II. DESCRIPTION

    Multiple vulnerabilities have been found in Fcron.

    **** ISSUE 1 - File contents disclosure ****

    Local exploitation of a design error vulnerability in the fcronsighup
    component of Fcron may allow users to view the contents of root owned
    files.

    The vulnerability specifically exists within the set user id (setuid)
    root program fcronsighup. When the filename of a root owned file is
    passed as an argument to this program, it attempts to parse the file as
    a configuration file. Any lines in the file that are not parsable will
    be output as error messages. The following example demonstrates how an
    attacker can abuse this vulnerability to glean sensitive information
    from the /etc/shadow password file:

    bash$ fcronsighup /etc/shadow
    14:33:09 Unknown var name at line
    root:<password-hash>:12475:0:99999:7::: : line ignored

    **** ISSUE 2 - Configuration Bypass Vulnerability ****

    Local exploitation of a design error vulnerability in the fcronsighup
    component of Fcron may allow users to bypass access restrictions.

    The problem specifically exists in the checking performed by the
    fcronsighup utility on the file passed as a configuration file. It
    checks if the file is root owned, and not writable by any other users.

    When a setuid process is run by an ordinary user the /proc filesystem
    pseudofiles associated with it are owned by root and the contents of the

    "cmdline" and "evironment" files are controllable by the user.

    By pointing the fcronsighup configuration file to a /proc entry owned by

    root, such as /proc/self/cmdline or /proc/self/environ, it is possible
    for a user to supply their own configuration settings.

    **** ISSUE 3 - File Removal and Empty File Creation Vulnerability****

    Local exploitation of a design error vulnerability in the fcronsighup
    component of Fcron may allow users to remove arbitrary files or create
    arbitrary empty files.

    The vulnerability specifically exists in the fcronsighup utility which
    does signaling of the running fcron daemon. Fcronsighup creates a file
    named in part from a value read from configuration file. This file is
    created using open() with O_RDWR|O_CREAT and 0644 parameters while
    running with full root privileges. After some time has passed the file
    is removed. The filename string is generated by the following code:

    snprintf(sigfile, sizeof(sigfile), "%s/fcrontab.sig", fcrontabs);

    By padding the front of the filename with a large number of slash
    symbols ("/") it is possible to create or remove a file in an arbitrary
    location. For example: to create the file /tmp/owned, the configuration
    option which sets the value for "fcrontabs" can be set to contain
    (sizeof(sigfile)-strlen("/tmp/owned")) "/" characters, followed by the
    string "/tmp/owned". The code will attempt to append the string
    "/fcrontab.sig" to this string, but the limitation imposed on it by the
    call to snprintf() will cause it to fail. When the filename is resolved,
    the extra "/"s in the filename are ignored, resulting in an absolute
    reference to the file /tmp/owned.

    **** ISSUE 4 - Information Disclosure Vulnerability ****

    Local exploitation of a design error vulnerability in the fcrontab
    component of Fcron may allow users to view the contents of fcron.allow
    and fcron.deny.

    The problem specifically exists because Fcron leaks the file descriptors

    of the opened files /etc/fcron.allow and /etc/fcron.deny to the invoked
    editor. The default permissions on these files do not allow them to be
    read by unprivileged users:

    -rw-r----- 1 root fcron 253 Jul 29 12:45 /etc/fcron.allow
    -rw-r----- 1 root fcron 255 Jul 29 12:45 /etc/fcron.deny

    An attacker can exploit this vulnerability by setting the EDITOR
    environment variable to a program which outputs the contents of the open

    file descriptor; descriptor 3 to view the contents of fcron.allow and
    descriptor 4 to view the contents of fcron.deny.

    III. ANALYSIS

    Local users can bypass configuration settings, remove arbitrary files,
    create files with root permissions, read the contents of root owned
    files and send a SIGHUP to any process, potentially killing it. These
    actions may allow them to perform a denial of service or potentially
    elevate their privileges.

    IV. DETECTION

    iDEFENSE has confirmed that Fcron versions 2.0.1 and 2.9.4 are
    vulnerable. It is suspected that earlier versions are also affected.

    V. WORKAROUND

    Consider changing the permissions on the fcronsighup binary to only
    allow trusted users access. Make the binary only executable by users
    in the 'trusted' group by performing the following commands as root:

    # chown root:trusted /usr/bin/fcronsighup
    # chmod 4110 /usr/bin/fcronsighup

    Also consider performing the same operation on the fcrontab binary to
    prevent exploitation of Issue 4.

    VI. VENDOR RESPONSE

    The following releases are available to address these vulnerabilities:

    2.0.2 : stable branch
       http://fcron.free.fr/archives/fcron-2.0.2.src.tar.gz (France)
       or
       ftp://ftp.seul.org/pub/fcron/fcron-2.0.2.src.tar.gz (USA)

    2.9.5.1 : dev branch
       http://fcron.free.fr/archives/fcron-2.9.5.1.src.tar.gz (France)
       or
       ftp://ftp.seul.org/pub/fcron/fcron-2.9.5.1.src.tar.gz (USA)

    VII. CVE INFORMATION

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    following names to these issues:

    ISSUE 1 - File contents disclosure
    CAN-2004-1030

    ISSUE 2 - Configuration Bypass Vulnerability
    CAN-2004-1031

    ISSUE 3 - File Removal and Empty File Creation Vulnerability
    CAN-2004-1032

    ISSUE 4 - Information Disclosure Vulnerability
    CAN-2004-1033

    These are candidates for inclusion in the CVE list
    (http://cve.mitre.org), which standardizes names for security problems.

    VIII. DISCLOSURE TIMELINE

    10/21/2004 Initial vendor notification
    10/21/2004 Initial vendor response
    11/15/2004 Coordinated public disclosure

    IX. CREDIT

    Karol Wiesek is credited with discovering these vulnerabilities.

    Get paid for vulnerability research
    http://www.idefense.com/poi/teams/vcp.jsp

    X. LEGAL NOTICES

    Copyright (c) 2004 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.


  • Next message: Gerald (Jerry) Carter: "[SAMBA] CAN-2004-0882: Possiebl Buffer Overrun in smbd"

    Relevant Pages

    • [UNIX] Fcron Multiple Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Multiple vulnerabilities have been found in Fcron ranging from simple ... CAN-2004-1032 - File Removal and Empty File Creation Vulnerability ... The vulnerability is within the fcronsighup root setuid binary. ...
      (Securiteam)
    • [Full-Disclosure] iDEFENSE Security Advisory 11.15.04: Multiple Security Vulnerabilities in Fcron
      ... Fcron is a periodical command scheduler which aims at replacing Vixie ... Local exploitation of a design error vulnerability in the fcronsighup ... root program fcronsighup. ...
      (Full-Disclosure)
    • [Full-disclosure] fcrontab Information Disclosure Vulnerability
      ... fcrontab, part of the fcron scheduler, is vulnerable to several race ... conditions that allow a local attacker to use symbolic links to read ... This vulnerability was discovered by Dan Rosenberg ...
      (Full-Disclosure)
    • [UNIX] Multiple Security Vulnerabilities in Common UNIX Printing System (CUPS)
      ... A local vulnerability in the product allows attackers to gain elevated ... attackers in the worst of the scenarios to gain root privileges. ... Since an attacker has control over both element and value, ... exploit ran against test platform built against glibc-2.2.4-18.7.0.8: ...
      (Securiteam)
    • [UNIX] Trend Micro VirusWall Buffer Overflow in VSAPI Library
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... buffer overflow vulnerability in VSAPI library allows arbitrary code ... is called "vscan" which is set suid root by default. ... permissions and thus granted all local users the privilege to execute the ...
      (Securiteam)