Debian Bug report logs - #281436
FWD: iDEFENSE Security Advisory 11.15.04: Multiple Security Vulnerabilities in Fcron

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Joey Hess <joeyh@debian.org>

To: submit@bugs.debian.org

Subject: FWD: iDEFENSE Security Advisory 11.15.04: Multiple Security Vulnerabilities in Fcron

Date: Mon, 15 Nov 2004 15:40:00 -0500

[Message part 1 (text/plain, inline)]

Package: fcron
Version: 2.9.5-1
Tags: security
Severity: grave

----- Forwarded message from customer service mailbox <customerservice@idefense.com> -----

From: customer service mailbox <customerservice@idefense.com>
Date: Mon, 15 Nov 2004 15:06:43 -0500
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Subject: iDEFENSE Security Advisory 11.15.04: Multiple Security Vulnerabilities in Fcron

Multiple Security Vulnerabilities in Fcron

iDEFENSE Security Advisory 11.15.04
www.idefense.com/application/poi/display?id=157&type=vulnerabilities
November 15, 2004

I. BACKGROUND

Fcron is a periodical command scheduler which aims at replacing Vixie
Cron, and implements most of its functionalities. More information about
Fcron is available from http://fcron.free.fr/description.php.

II. DESCRIPTION

Multiple vulnerabilities have been found in Fcron.

**** ISSUE 1 - File contents disclosure ****

Local exploitation of a design error vulnerability in the fcronsighup 
component of Fcron may allow users to view the contents of root owned 
files.

The vulnerability specifically exists within the set user id (setuid) 
root program fcronsighup. When the filename of a root owned file is 
passed as an argument to this program, it attempts to parse the file as 
a configuration file. Any lines in the file that are not parsable will 
be output as error messages. The following example demonstrates how an 
attacker can abuse this vulnerability to glean sensitive information 
from the /etc/shadow password file:

bash$ fcronsighup /etc/shadow
14:33:09 Unknown var name at line
root:<password-hash>:12475:0:99999:7::: : line ignored

**** ISSUE 2 - Configuration Bypass Vulnerability ****

Local exploitation of a design error vulnerability in the fcronsighup 
component of Fcron may allow users to bypass access restrictions.

The problem specifically exists in the checking performed by the
fcronsighup utility on the file passed as a configuration file. It
checks if the file is root owned, and not writable by any other users.

When a setuid process is run by an ordinary user the /proc filesystem
pseudofiles associated with it are owned by root and the contents of the

"cmdline" and "evironment" files are controllable by the user.

By pointing the fcronsighup configuration file to a /proc entry owned by

root, such as /proc/self/cmdline or /proc/self/environ, it is possible 
for a user to supply their own configuration settings.

**** ISSUE 3 - File Removal and Empty File Creation Vulnerability****

Local exploitation of a design error vulnerability in the fcronsighup 
component of Fcron may allow users to remove arbitrary files or create 
arbitrary empty files.

The vulnerability specifically exists in the fcronsighup utility which 
does signaling of the running fcron daemon. Fcronsighup creates a file 
named in part from a value read from configuration file. This file is 
created using open() with O_RDWR|O_CREAT and 0644 parameters while 
running with full root privileges. After some time has passed the file 
is removed. The filename string is generated by the following code:

snprintf(sigfile, sizeof(sigfile), "%s/fcrontab.sig", fcrontabs);

By padding the front of the filename with a large number of slash 
symbols ("/") it is possible to create or remove a file in an arbitrary 
location. For example: to create the file /tmp/owned, the configuration
option which sets the value for "fcrontabs" can be set to contain
(sizeof(sigfile)-strlen("/tmp/owned")) "/" characters, followed by the
string "/tmp/owned". The code will attempt to append the string
"/fcrontab.sig" to this string, but the limitation imposed on it by the
call to snprintf() will cause it to fail. When the filename is resolved,
the extra "/"s in the filename are ignored, resulting in an absolute
reference to the file /tmp/owned.

**** ISSUE 4 -  Information Disclosure Vulnerability ****

Local exploitation of a design error vulnerability in the fcrontab 
component of Fcron may allow users to view the contents of fcron.allow 
and fcron.deny.

The problem specifically exists because Fcron leaks the file descriptors

of the opened files /etc/fcron.allow and /etc/fcron.deny to the invoked 
editor. The default permissions on these files do not allow them to be 
read by unprivileged users:

-rw-r----- 1 root fcron 253 Jul 29 12:45 /etc/fcron.allow
-rw-r----- 1 root fcron 255 Jul 29 12:45 /etc/fcron.deny

An attacker can exploit this vulnerability by setting the EDITOR 
environment variable to a program which outputs the contents of the open

file descriptor; descriptor 3 to view the contents of fcron.allow and 
descriptor 4 to view the contents of fcron.deny.

III. ANALYSIS

Local users can bypass configuration settings, remove arbitrary files, 
create files with root permissions, read the contents of root owned 
files and send a SIGHUP to any process, potentially killing it. These 
actions may allow them to perform a denial of service or potentially 
elevate their privileges.

IV. DETECTION

iDEFENSE has confirmed that Fcron versions 2.0.1 and 2.9.4 are
vulnerable. It is suspected that earlier versions are also affected.

V. WORKAROUND

Consider changing the permissions on the fcronsighup binary to only 
allow trusted users access. Make the binary only executable by users 
in the 'trusted' group by performing the following commands as root:

# chown root:trusted /usr/bin/fcronsighup
# chmod 4110 /usr/bin/fcronsighup

Also consider performing the same operation on the fcrontab binary to
prevent exploitation of Issue 4.

VI. VENDOR RESPONSE

The following releases are available to address these vulnerabilities:

2.0.2 : stable branch
   http://fcron.free.fr/archives/fcron-2.0.2.src.tar.gz (France)
   or
   ftp://ftp.seul.org/pub/fcron/fcron-2.0.2.src.tar.gz (USA)

2.9.5.1 : dev branch
   http://fcron.free.fr/archives/fcron-2.9.5.1.src.tar.gz  (France)
   or
   ftp://ftp.seul.org/pub/fcron/fcron-2.9.5.1.src.tar.gz (USA)

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues:

ISSUE 1 - File contents disclosure
CAN-2004-1030

ISSUE 2 - Configuration Bypass Vulnerability
CAN-2004-1031

ISSUE 3 - File Removal and Empty File Creation Vulnerability
CAN-2004-1032

ISSUE 4 -  Information Disclosure Vulnerability
CAN-2004-1033

These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

10/21/2004  Initial vendor notification
10/21/2004  Initial vendor response
11/15/2004  Coordinated public disclosure

IX. CREDIT

Karol Wiesek is credited with discovering these vulnerabilities.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


----- End forwarded message -----

-- 
see shy jo

[signature.asc (application/pgp-signature, inline)]

Message #12 received at 281436-close@bugs.debian.org (full text, mbox, reply):

From: Henrique de Moraes Holschuh <hmh@debian.org>

To: 281436-close@bugs.debian.org

Subject: Bug#281436: fixed in fcron 2.9.5.1-1

Date: Fri, 19 Nov 2004 07:47:07 -0500

Source: fcron
Source-Version: 2.9.5.1-1

We believe that the bug you reported is fixed in the latest version of
fcron, which is due to be installed in the Debian FTP archive:

fcron_2.9.5.1-1.diff.gz
  to pool/main/f/fcron/fcron_2.9.5.1-1.diff.gz
fcron_2.9.5.1-1.dsc
  to pool/main/f/fcron/fcron_2.9.5.1-1.dsc
fcron_2.9.5.1-1_i386.deb
  to pool/main/f/fcron/fcron_2.9.5.1-1_i386.deb
fcron_2.9.5.1.orig.tar.gz
  to pool/main/f/fcron/fcron_2.9.5.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 281436@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Henrique de Moraes Holschuh <hmh@debian.org> (supplier of updated fcron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 19 Nov 2004 10:20:44 -0200
Source: fcron
Binary: fcron
Architecture: source i386
Version: 2.9.5.1-1
Distribution: unstable
Urgency: high
Maintainer: Russell Coker <russell@coker.com.au>
Changed-By: Henrique de Moraes Holschuh <hmh@debian.org>
Description: 
 fcron      - cron-like scheduler with extended capabilities
Closes: 281436
Changes: 
 fcron (2.9.5.1-1) unstable; urgency=high
 .
   * New upstream source:
      * SECURITY FIX: Due to design errors in the fcronsighup program, Fcron
        may allow a local user to bypass access restrictions (CAN-2004-1031),
        view the contents of root owned files (CAN-2004-1030), remove
        arbitrary files or create empty files (CAN-2004-1032), and send a
        SIGHUP to any process.  A vulnerability also exists in fcrontab which
        may allow local users to view the contents of fcron.allow and
        fcron.deny (CAN-2004-1033).
        Ref: iDEFENSE Security Advisory 11.15.04.
        (closes: #281436)
   * Thanks to Gentoo's GLSA 200411-27 for providing the above text ;-)
   * Add myself to uploaders
   * Use $(MAKE) distclean on clean: target
   * Clean up autom4te.cache directory on clean: target
   * Rename fcron-update-crontabs.1 to fcron-update-crontabs.8, since it
     is in section 8 anyway
   * Add non-virtual-package packages to dependencies on virtual packages
     (syslog-daemon and mail-transport-agent).  Use packages that are
     priority standard or higher for that
   * Fix initscript so that it will start a stopped daemon on "restart"
   * Now compliant to standards-version 3.6.1, bump control file entry
     accordingly
Files: 
 4de4126d9ce1291013e96a3d216e512c 664 admin extra fcron_2.9.5.1-1.dsc
 bf39dcef6d0c452f167f5a31a1231e4e 398400 admin extra fcron_2.9.5.1.orig.tar.gz
 17140e8dc005be1e92d125890b4864bd 10545 admin extra fcron_2.9.5.1-1.diff.gz
 e8e1ad79870a5cca477e6dd3eb5e783f 150498 admin extra fcron_2.9.5.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBnehX7iXePxzbD+MRAqDPAKCMINRKe5+xFohJPrheYYzbfvcbzQCeJcSQ
IApTn8RrozV5eIHLajf3xss=
=W6NO
-----END PGP SIGNATURE-----

Message #21 received at 281436-done@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: 281436-done@bugs.debian.org

Subject: Re: FWD: iDEFENSE Security Advisory 11.15.04: Multiple Security Vulnerabilities in Fcron

Date: Sat, 4 Dec 2004 19:26:03 -0800

[Message part 1 (text/plain, inline)]

The version of fcron that addresses these security bugs has reached sarge;
closing (again).

-- 
Steve Langasek
postmodern programmer

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.