[UNIX] Fcron Multiple Vulnerabilities

Subject: [UNIX] Fcron Multiple Vulnerabilities
Date: 16 Nov 2004 17:30:20 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Fcron Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Fcron (<http://fcron.free.fr/description.php>) is a periodical command 
scheduler that aims to replace Vixie Cron and implements most of its 
functionality.

Multiple vulnerabilities have been found in Fcron, ranging from simple 
information disclosure to configuration bypass and file removal on the 
server running the daemon.

DETAILS

Vulnerable Systems:
 * Fcron versions 2.0.1 and 2.9.4, possibly prior versions as well

Immune Systems:
 * Fcron stable branch version 2.0.2
 * Fcron development branch version 2.9.5.1

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1030> 
CAN-2004-1030 - File contents disclosure
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1031> 
CAN-2004-1031 - Configuration Bypass Vulnerability
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1032> 
CAN-2004-1032 - File Removal and Empty File Creation Vulnerability
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1033> 
CAN-2004-1033 - Information Disclosure Vulnerability

File Contents Disclosure
Local exploitation of a design error vulnerability in the fcronsighup 
component of Fcron may allow users to view the contents of root-owned 
files. The vulnerability is within the fcronsighup root setuid binary. 
When the filename of a root-owned file is passed as an argument to this 
program, it attempts to parse the file as a configuration file. Any lines 
in the file that cannot be parsed are echoed back as error messages. A 
simple example is presented below:
bash$ fcronsighup /etc/shadow
14:33:09 Unknown var name at line
root:<password-hash>:12475:0:99999:7::: : line ignored


Configuration Bypass Vulnerability
Local exploitation of a design error vulnerability in the fcronsighup 
component of Fcron may allow users to bypass access restrictions. The 
fcronsighup utility checks the ownership and permissions of the file 
passed to it: the file must be owned by root and must not be 
world-writable. However, those checks can be tricked by a malicious user, 
because the 'cmdline' and 'environ' entries under /proc are controllable 
by the user even though they are reported as owned by root.

By pointing the fcronsighup configuration file to a /proc entry owned by 
root, such as /proc/self/cmdline or /proc/self/environ, it is possible for 
a user to supply their own configuration settings.


File Removal and Empty File Creation Vulnerability
Local exploitation of a design error vulnerability in the fcronsighup 
component of Fcron may allow users to remove arbitrary files or create 
arbitrary empty files. The vulnerability exists in the fcronsighup utility, 
which signals the running fcron daemon. Fcronsighup creates a file whose 
name is built in part from a value read from the configuration file. This 
file is created using open() with the 'O_RDWR | O_CREAT' flags and mode 
0644 while running with full root privileges. After some time has passed 
the file is removed.

The filename string is generated by the following code:
snprintf(sigfile, sizeof(sigfile), "%s/fcrontab.sig", fcrontabs);

By padding the front of the filename with a large number of slash symbols 
("/") it is possible to create or remove a file in an arbitrary location. 
For example, to create the file /tmp/owned, the configuration option which 
sets the value for "fcrontabs" should be set to contain 
(sizeof(sigfile)-strlen("/tmp/owned")) "/" characters, followed by the
string "/tmp/owned".

The code will attempt to append the string "/fcrontab.sig" to this string, 
but the limitation imposed on it by the call to snprintf() will cause it 
to fail. When the filename is resolved, the extra "/"s in the filename are 
ignored, resulting in an absolute reference to the file /tmp/owned.
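The added example below (not fcron's code) reproduces the snprintf() construction quoted above against a small demo buffer and shows the fix: snprintf() returns the length it wanted to write, and a result >= the buffer size means the "/fcrontab.sig" suffix was silently dropped, so the path must be rejected rather than opened or unlinked. The buffer size and the helper names are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>
/* Demo buffer size; the advisory does not state fcron's actual value. */
#define SIGFILE_LEN 64

/* Mirrors the construction quoted in the advisory: the configured "fcrontabs"
 * directory is joined with "/fcrontab.sig" and the snprintf() result ignored. */
int build_sigfile_unchecked(char *sigfile, size_t size, const char *fcrontabs)
{
    snprintf(sigfile, size, "%s/fcrontab.sig", fcrontabs);
    return 0;
}

/* Hardened form: snprintf() returns the length it wanted to write; a value
 * >= size means the suffix was cut off, so the path must not be used. */
int build_sigfile_checked(char *sigfile, size_t size, const char *fcrontabs)
{
    int n = snprintf(sigfile, size, "%s/fcrontab.sig", fcrontabs);
    if (n < 0 || (size_t)n >= size) {
        sigfile[0] = '\0';
        return -1;   /* truncated: refuse to open or unlink this path */
    }
    return 0;
}

/* Demo helper (constructed input): a "fcrontabs" value of leading slashes
 * plus a target path, sized so slashes + target exactly fill the buffer. */
void make_padded_value(char *out, size_t size, const char *target)
{
    size_t pad = size - 1 - strlen(target);
    memset(out, '/', pad);
    strcpy(out + pad, target);
}

/* 1 if the built path still ends in the expected "/fcrontab.sig" suffix. */
int has_sig_suffix(const char *path)
{
    const char *suffix = "/fcrontab.sig";
    size_t lp = strlen(path), ls = strlen(suffix);
    return lp >= ls && strcmp(path + lp - ls, suffix) == 0;
}

int main(void)
{
    char value[SIGFILE_LEN], sigfile[SIGFILE_LEN];
    make_padded_value(value, sizeof(sigfile), "/tmp/owned");   /* constructed */
    build_sigfile_unchecked(sigfile, sizeof(sigfile), value);
    printf("unchecked -> %s (suffix kept: %d)\n", sigfile, has_sig_suffix(sigfile));
    printf("checked   -> %d\n", build_sigfile_checked(sigfile, sizeof(sigfile), value));
    return 0;
}
```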


Information Disclosure Vulnerability
Local exploitation of a design error vulnerability in the fcrontab 
component of Fcron may allow users to view the contents of fcron.allow and 
fcron.deny. The leak occurs because fcrontab passes the open file 
descriptors of /etc/fcron.allow and /etc/fcron.deny on to the invoked 
editor. The default permissions on these files do not allow them to be 
read by unprivileged users:
-rw-r----- 1 root fcron 253 Jul 29 12:45 /etc/fcron.allow
-rw-r----- 1 root fcron 255 Jul 29 12:45 /etc/fcron.deny

An attacker can exploit this vulnerability by setting the EDITOR 
environment variable to a program that outputs the contents of an 
inherited file descriptor: descriptor 3 holds fcron.allow and descriptor 4 
holds fcron.deny.
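As an added example (not fcron's code), the pair of functions below contrasts the plain open() that lets a descriptor be inherited by $EDITOR with an open that marks it close-on-exec, plus a check that reports whether a given descriptor would survive an exec(). /dev/null stands in for /etc/fcron.allow; the function names are assumptions for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* The leaky pattern: a plain open() leaves the descriptor inheritable, so
 * after fcrontab exec()s $EDITOR the editor still holds fds 3 and 4. */
int open_leaky(const char *path)
{
    return open(path, O_RDONLY);
}

/* Hardened: mark the descriptor close-on-exec so exec() closes it for us.
 * O_CLOEXEC (POSIX.1-2008) sets the flag atomically at open time; the
 * fcntl() fallback covers libcs that predate it. */
int open_cloexec(const char *path)
{
    int fd;
#ifdef O_CLOEXEC
    fd = open(path, O_RDONLY | O_CLOEXEC);
#else
    fd = open(path, O_RDONLY);
    if (fd >= 0 && fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
        close(fd);
        return -1;
    }
#endif
    return fd;
}

/* 1 if the descriptor would survive an exec() and thus be visible to the
 * child process; 0 if the kernel will close it on exec(). */
int survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && !(flags & FD_CLOEXEC);
}

int main(void)
{
    /* /dev/null stands in for /etc/fcron.allow; any readable file will do. */
    int a = open_leaky("/dev/null");
    int b = open_cloexec("/dev/null");
    printf("plain open() leaks across exec: %d\n", survives_exec(a));
    printf("O_CLOEXEC open() leaks across exec: %d\n", survives_exec(b));
    close(a);
    close(b);
    return 0;
}
```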

Impact
Local users can bypass configuration settings, remove arbitrary files, 
create files with root permissions, read the contents of root owned files 
and send a SIGHUP to any process, potentially killing it. These actions 
may allow them to perform a denial of service or potentially elevate their 
privileges.

Workaround
Consider changing the permissions on the fcronsighup binary to only allow 
trusted users access. Make the binary only executable by users in the 
'trusted' group by performing the following commands as root:
# chown root:trusted /usr/bin/fcronsighup
# chmod 4110 /usr/bin/fcronsighup

Also consider performing the same operation on the fcrontab binary to 
prevent exploitation of Issue 4 (the fcron.allow/fcron.deny descriptor 
leak to the editor).

Vendor Status:
The following releases of fixed versions are available for download:

Fcron version 2.0.2 stable:
 http://fcron.free.fr/archives/fcron-2.0.2.src.tar.gz
 ftp://ftp.seul.org/pub/fcron/fcron-2.0.2.src.tar.gz

Fcron version 2.9.5.1 dev:
 http://fcron.free.fr/archives/fcron-2.9.5.1.src.tar.gz
 ftp://ftp.seul.org/pub/fcron/fcron-2.9.5.1.src.tar.gz

Disclosure Timeline:
10/21/2004   Initial vendor notification
10/21/2004   Initial vendor response
11/15/2004   Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE Security Labs 
(idlabs-advisories@idefense.com).
The original article can be found at:
http://www.idefense.com/application/poi/display?id=157&type=vulnerabilities


