Vixie Cron /var/spool/cron Temporary Crontab File Vulnerability
BID:1960
Info
Vixie Cron /var/spool/cron Temporary Crontab File Vulnerability
| Bugtraq ID: | 1960 |
| Class: | Race Condition Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Nov 17 2000 12:00AM |
| Updated: | Nov 17 2000 12:00AM |
| Credit: | This vulnerability was first announced on the BugTraq mailing list by Michal Zalewski <[email protected]> on November 17, 2000. |
| Vulnerable: |
Paul Vixie Vixie Cron 3.0 pl1 |
| Not Vulnerable: | |
Discussion
Vixie Cron /var/spool/cron Temporary Crontab File Vulnerability
Vixie cron is a scheduling daemon written by Paul Vixie, and distributed with many free UNIX Operating Systems. A problem exists that could allow a user to execute commands with priviledge of another user.
The problem occurs in the /var/spool/cron directory and the handling of the temporary files created when one edits crontab. This vulnerability affects systems with permission of 0755 set on the /var/spool/cron directory. Files created in the /var/spool/cron directory by crontab inherit root ownership and group, and UMASK of the user executing crontab. The files created are uniform in name, with the file extension ending in the PID of the crontab process being executed. Crontab also does not check for the existance of a file before it opens a session and begins. It is possible for a malicious user to generate multiple temporary files in /var/spool/cron with world write permission. A user executing crontab -e would have their state stored in a file that could be written to by the malicious user. The attacker could then write a malicious cron entry into the temporary file, which would be saved. This would result arbitrary commands in the malicious crontab being executed with the priviledges of the target user.
Vixie cron is a scheduling daemon written by Paul Vixie, and distributed with many free UNIX Operating Systems. A problem exists that could allow a user to execute commands with priviledge of another user.
The problem occurs in the /var/spool/cron directory and the handling of the temporary files created when one edits crontab. This vulnerability affects systems with permission of 0755 set on the /var/spool/cron directory. Files created in the /var/spool/cron directory by crontab inherit root ownership and group, and UMASK of the user executing crontab. The files created are uniform in name, with the file extension ending in the PID of the crontab process being executed. Crontab also does not check for the existance of a file before it opens a session and begins. It is possible for a malicious user to generate multiple temporary files in /var/spool/cron with world write permission. A user executing crontab -e would have their state stored in a file that could be written to by the malicious user. The attacker could then write a malicious cron entry into the temporary file, which would be saved. This would result arbitrary commands in the malicious crontab being executed with the priviledges of the target user.
Exploit / POC
Vixie Cron /var/spool/cron Temporary Crontab File Vulnerability
This exploit was written by Michal Zalewski <[email protected]> and posted to Bugtraq on November 17, 2000:
This exploit was written by Michal Zalewski <[email protected]> and posted to Bugtraq on November 17, 2000:
Solution / Fix
Vixie Cron /var/spool/cron Temporary Crontab File Vulnerability
Paul Vixie Vixie Cron 3.0 pl1
Paul Vixie Vixie Cron 3.0 pl1
-
Debian 2.2 alpha cron_3.0pl1-57.1_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/cron _3.0pl1-57.1_alpha.deb -
Debian 2.2 arm cron_3.0pl1-57.1_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/cron_3 .0pl1-57.1_arm.deb -
Debian 2.2 i386 cron_3.0pl1-57.1_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/cron_3 .0pl1-57.1_i386.deb -
Debian 2.2 m68k cron_3.0pl1-57.1_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/cron_ 3.0pl1-57.1_m68k.deb -
Debian 2.2 ppc cron_3.0pl1-57.1_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/cr on_3.0pl1-57.1_powerpc.deb -
Debian 2.2 sparc cron_3.0pl1-57.1_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/cron _3.0pl1-57.1_sparc.deb
References
Vixie Cron /var/spool/cron Temporary Crontab File Vulnerability
References:
References: