Bug#: 134194
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Eugene Ilkov <e.ilkov@gmail.com>

Attachment: vc.diff (description: do_command.c.patch), type: patch, created by Eugene Ilkov, 2006-05-25 05:56 0000, 835 bytes

Description:   Opened: 2006-05-24 04:54 0000
It looks like vixie cron has a vulnerability.
There's no setuid check in do_command.c:

#if (defined(BSD)) && (BSD >= 199103) 
setlogin(usernm); 
#endif /* BSD */ 
setuid(e->pwd->pw_uid); /* we aren't root after this... */ 

#endif /* LOGIN_CAP */ 
chdir(env_get("HOME", e->envp)); 

/* 
* Exec the command. 
*/ 

The point is that it runs the command with uid 0 if setuid() fails after the user has run out of PAM,
ulimit or some other resource limits.

diff -uPr vixie-cron-4.1/do_command.c vixie-cron-4.1.lk/do_command.c 
--- vixie-cron-4.1/do_command.c 2004-08-27 22:09:34.000000000 +0400 
+++ vixie-cron-4.1.lk/do_command.c 2006-05-24 15:02:44.000000000 +0400 
@@ -240,12 +240,19 @@ 
} 
} 
#else 
- setgid(e->pwd->pw_gid); 
+ 
initgroups(usernm, e->pwd->pw_gid); 
#if (defined(BSD)) && (BSD >= 199103) 
setlogin(usernm); 
#endif /* BSD */ 
- setuid(e->pwd->pw_uid); /* we aren't root after this... */ 
+ // setuid(e->pwd->pw_uid); /* we aren't root after this... 
*/ 
+ 
+ if (setuid(e->pwd->pw_uid)) { 
+ fprintf(stderr, 
+ "can't set uid for %s\n", e->pwd->pw_name); 
+ _exit(1); 
+ } 
+ setgid(e->pwd->pw_gid); 

#endif /* LOGIN_CAP */ 
chdir(env_get("HOME", e->envp));
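Review bot: the setgid(e->pwd->pw_gid) that this hunk moves to after the setuid() check runs once the process has already dropped to the unprivileged user, and an unprivileged process cannot change its primary gid to pw_gid, so the call fails; because its return value is still unchecked, the job would keep cron's gid 0 even though the setuid() failure is now caught. Leave setgid() where it was, before initgroups() and setuid(), and guard it the same way, e.g. `if (setgid(e->pwd->pw_gid)) { fprintf(stderr, "can't set gid for %s\n", e->pwd->pw_name); _exit(1); }`; initgroups(usernm, e->pwd->pw_gid) deserves the same check, since it is the other call that must succeed while still root. Style point: rather than keeping the old setuid() line as a `//` comment (with the closing `*/` of its old comment now on the following line), just delete it; the rest of the file uses `/* */` comments.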

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-05-24 07:49:17 0000 -------
ka0ttic please have a look and provide new ebuilds, thx

------- Comment #2 From Eugene Ilkov 2006-05-25 05:56:17 0000 -------
Created an attachment (id=87472) [details]
do_command.c.patch

------- Comment #3 From Eugene Ilkov 2006-05-25 05:58:16 0000 -------
(From update of attachment 87472 [details])
setgid() first

------- Comment #4 From Tavis Ormandy (RETIRED) 2006-05-25 06:12:48 0000 -------
already posted in the forums.

------- Comment #5 From Tavis Ormandy (RETIRED) 2006-05-25 06:15:48 0000 -------
reassigning to maintainer, as this is more of an enhancement than an exploitable
bug.

------- Comment #6 From Eugene Ilkov 2006-05-25 07:10:43 0000 -------
It's pretty easy to exploit.
When the user is out of resources (they were the vm/rss/nproc limits in
/etc/security/limits.conf in my case), vixie-cron just runs the commands from the
user's spool with root privileges.
It can be dangerous for hosting providers and everyone who gives access to cron.

(In reply to comment #5)
> reassigning to maintainer, as this is more of an enhancement than exploitable
> bug.
> 
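The failure mode described in the report and in comment #6, as an added example that is not part of vixie-cron or of any code posted in this bug: a cron-style privilege drop written the unchecked way (return values ignored, as in the quoted do_command.c) beside a version that checks every step and keeps setgid() and initgroups() before setuid(). The system calls go through a small table of function pointers so the reported condition, setuid() failing with EAGAIN because the target user is already at its RLIMIT_NPROC limit, can be simulated without root. The ops table, the simulated user "alice" with uid/gid 1000 and all function names are assumptions of this example.

```c
/*
 * Added example, not vixie-cron code. A cron daemon's privilege drop before
 * exec'ing a user's job: the unchecked pattern from the bug report beside a
 * checked one. System calls are routed through an ops table so the reported
 * failure (setuid() -> EAGAIN at RLIMIT_NPROC) can be simulated without root.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

struct cred_ops {                       /* assumed helper, not a libc API */
    int   (*setgid)(gid_t);
    int   (*initgroups)(const char *, gid_t);
    int   (*setuid)(uid_t);
    uid_t (*geteuid)(void);
    gid_t (*getegid)(void);
};

/* The real thing: plain libc, for use in an actual daemon. */
const struct cred_ops libc_ops = { setgid, initgroups, setuid, geteuid, getegid };

/*
 * Unchecked drop, as in the original do_command.c. Return values are ignored,
 * so when setuid() fails the caller goes on to exec the job with whatever
 * credentials it still holds (uid 0 in cron's case).
 * Returns the effective uid the job would actually run with.
 */
uid_t drop_privs_unchecked(const struct cred_ops *ops, const char *user,
                           uid_t uid, gid_t gid)
{
    ops->setgid(gid);
    ops->initgroups(user, gid);
    ops->setuid(uid);                   /* "we aren't root after this..." - not necessarily */
    return ops->geteuid();
}

/*
 * Checked drop. Order matters: primary and supplementary groups must be set
 * while still root, because after setuid() to an unprivileged uid the process
 * can no longer call setgid()/initgroups(). Every step is checked and the
 * result is verified; on any failure the job must NOT be started.
 * Returns 0 on success, -1 with errno set on failure.
 */
int drop_privs_checked(const struct cred_ops *ops, const char *user,
                       uid_t uid, gid_t gid)
{
    if (ops->setgid(gid) != 0)
        return -1;
    if (ops->initgroups(user, gid) != 0)
        return -1;
    if (ops->setuid(uid) != 0)
        return -1;
    if (ops->geteuid() != uid || ops->getegid() != gid) {   /* trust, but verify */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* ---- Simulated kernel state: the daemon starts out as root ---- */
static uid_t sim_uid = 0;
static gid_t sim_gid = 0;

static int   sim_setgid(gid_t g)                      { sim_gid = g; return 0; }
static int   sim_initgroups(const char *u, gid_t g)   { (void)u; (void)g; return 0; }
static int   sim_setuid_ok(uid_t u)                   { sim_uid = u; return 0; }
static int   sim_setuid_eagain(uid_t u)               { (void)u; errno = EAGAIN; return -1; }
static uid_t sim_geteuid(void)                        { return sim_uid; }
static gid_t sim_getegid(void)                        { return sim_gid; }

/* Normal case: the user is under its limits and setuid() succeeds. */
const struct cred_ops healthy_ops = {
    sim_setgid, sim_initgroups, sim_setuid_ok, sim_geteuid, sim_getegid };
/* Reported case: the user's nproc limit is exhausted, setuid() fails with EAGAIN. */
const struct cred_ops nproc_exhausted_ops = {
    sim_setgid, sim_initgroups, sim_setuid_eagain, sim_geteuid, sim_getegid };

void reset_sim(void) { sim_uid = 0; sim_gid = 0; }

int main(void)
{
    const char *user = "alice";         /* constructed sample user */
    uid_t uid = 1000;
    gid_t gid = 1000;

    reset_sim();
    uid_t ran_as = drop_privs_unchecked(&nproc_exhausted_ops, user, uid, gid);
    printf("unchecked: job for %s would run with euid %u\n", user, (unsigned)ran_as);

    reset_sim();
    if (drop_privs_checked(&nproc_exhausted_ops, user, uid, gid) != 0)
        printf("checked:   refusing to run job for %s: %s\n", user, strerror(errno));
    return 0;
}
```

With the unchecked variant the simulated job ends up with euid 0, exactly the outcome comment #6 describes; the checked variant returns -1 with errno EAGAIN and the caller can `_exit(1)` instead of exec'ing. In a real daemon the same check order applies to `libc_ops`, and a failing `initgroups()` must be treated as fatal too, since it is the other call that only root can make.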

------- Comment #7 From Tavis Ormandy (RETIRED) 2006-05-25 12:21:28 0000 -------
Eugene: ahh, I see what you mean. Re-taking bug..

------- Comment #8 From Thierry Carrez (RETIRED) 2006-05-30 11:30:16 0000 -------
cron team : please bump

------- Comment #9 From Stefan Cornelius (RETIRED) 2006-06-01 06:17:17 0000 -------
Bumped myself with the patch of Eugene Ilkov (thanks!).

Arches, please test and stable 4.1-r9, thanks

------- Comment #10 From Alec Warner 2006-06-01 07:39:03 0000 -------
Stable on x86

------- Comment #11 From Thomas Cort (RETIRED) 2006-06-01 10:59:01 0000 -------
alpha stable.

------- Comment #12 From Tobias Scherbaum 2006-06-01 11:16:27 0000 -------
ppc stable

------- Comment #13 From Gustavo Zacarias (RETIRED) 2006-06-01 13:07:30 0000 -------
sparc stable.

------- Comment #14 From Markus Rothe 2006-06-02 05:58:07 0000 -------
stable on ppc64

------- Comment #15 From Thomas Cort (RETIRED) 2006-06-02 06:46:48 0000 -------
amd64 stable.

------- Comment #16 From René Nussbaumer 2006-06-03 02:35:37 0000 -------
stable on hppa

------- Comment #17 From Sune Kloppenborg Jeppesen 2006-06-09 08:54:25 0000 -------
GLSA 200606-07

arm, ia64 and mips please don't forget to mark stable to benefit from the GLSA.

------- Comment #18 From Joshua Kinard 2006-07-08 21:12:21 0000 -------
The mips team doth anoint this bug with the Mark of Stability +1.
