Date: 31 January 2001
References: ESB-2001.034
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.040 -- FreeBSD-SA-01:09.crontab [REVISED]
crontab allows users to read certain files
31 January 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: crontab
Vendor: FreeBSD
Operating System: FreeBSD
BSD
Unix
Impact: Read-only Data Access
Access Required: Existing Account
Ref: ESB-2001.034
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-01:09 Security Advisory
FreeBSD, Inc.
Topic: crontab allows users to read certain files [REVISED]
Category: core
Module: crontab
Announced: 2001-01-23
Revised: 2001-01-25
Credits: Kyong-won Cho <dubhe@HACKERSLAB.COM>
Patch obtained from OpenBSD (Todd Miller <millert@openbsd.org>)
Affects: FreeBSD 3.x (all releases), 4.x (all releases prior to 4.2)
FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the
correction date.
Corrected: 2000-11-11 (FreeBSD 4.1.1-STABLE)
2000-11-20 (FreeBSD 3.5.1-STABLE)
FreeBSD only: No
0. Revision History
v1.0 2001-01-23 Initial release
v1.1 2001-01-25 Update to credit OpenBSD as source of patch
I. Background
crontab(8) is a program to edit crontab(5) files for use by the cron
daemon, which schedules jobs to run at specified times.
II. Problem Description
crontab(8) was discovered to contain a vulnerability that may allow
local users to read any file on the system that conform to a valid
crontab(5) file syntax. Due to crontab(5) syntax requirements, the
files that may be read is limited and subject to the following
restrictions:
* The file is a valid crontab(5) file, or:
* The file is entirely commented out; every line contains either only
whitespace, or begins with a '#' character.
The greatest security vulnerability is the disclosure of crontab
entries owned by other users, which may contain sensitive data such as
keying material (although this would often be publically disclosed
anyway at the time when the crontab job executes, via process
arguments and environment, etc).
All released versions of FreeBSD prior to the correction date
including FreeBSD 4.1.1 are vulnerable to this problem. The problem
was corrected prior to the release of FreeBSD 4.2.
III. Impact
Malicious local users can read arbitrary local files that conform to
a valid crontab file syntax.
IV. Workaround
One of the following:
1) Utilize crontab allow/deny files (/var/cron/allow and
/var/cron/deny) to limit access to use the crontab(8) utility.
2) Remove the setuid privileges from /usr/sbin/crontab. However, this
will not allow users other than root to use cron.
V. Solution
One of the following:
Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.1.1-STABLE
after the correction date.
To patch your present system: download the relavent patch from the
below location and execute the following commands as root:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:09/crontab-4.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:09/crontab-4.x.patch.asc
Verify the detached PGP signature using your PGP utility.
# cd /usr/src/usr.sbin/cron/crontab
# patch -p < /path/to/patch
# make depend && make all install
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBOnCTnVUuHi5z0oilAQGinAP8DtcJTo/0t/ajgbhccOSGMm9DHCN+jsou
Nw+3rH07ImrSgeIyINi8d2J+tPL2eakesXm2yKOniuS25PoJN/GuzMC9Qvfybkvg
cmKz3f4Fbzu9auWUUx2c+7GZargpGPRjxuNt86RucYswWjTT96MLs0ORGo9hZbXr
F0kM+1EZoTg=
=ONjc
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOngb9yh9+71yA2DNAQE93wP/TZ3B2vzLbpwrQzmACxNrJvl2pw5mt1pO
Ql9orC0tn5IoeeWKBN6cLlCMxEFUTvcVY9FVRqBVqDVGE25ovUcex8QywH9wI1Lq
PdIRsYG6hzMiHb+kL+dy/oHZgcmcB80Wkc4wT6mpMwfbrhlkROLptrdsDFEjG/OL
9YFnthorEnU=
=e8wy
-----END PGP SIGNATURE-----
|