[Secure-testing-team] Bug#691275: cron: symlink races in crontab

Jann Horn jannhorn at googlemail.com
Tue Oct 23 19:28:05 UTC 2012


Package: cron
Version: 3.0pl1-124
Severity: normal
Tags: security

Debian's crontab contains multiple symlink races. If
crontab was setuid root (which I think it normally is), this could be used
to e.g. wipe directories (vulnerable code is in cleanup_tmp_crontab) or for
other attacks. However, as it is only setgid crontab on Debian, the only
attack this can be used for is to block cron access for a user named
"crontab" by invoking "crontab -e" and replacing the
folder in /tmp with a symlink before crontab creates the file "crontab"
inside the folder. The code vulnerable to this attack is in
create_tmp_crontab.

So, the code is not really practically exploitable because the only special
thing the crontab group is allowed to do is creating files in the cron
spool directory, but theoretically, it's very vulnerable.

-- Package-specific info:
--- EDITOR:


--- /usr/bin/editor:
/bin/nano

--- /usr/bin/crontab:
-rwxr-sr-x 1 root crontab 35880 Jul  3 23:41 /usr/bin/crontab

--- /var/spool/cron:
drwxr-xr-x 5 root root 4096 Sep 15 15:57 /var/spool/cron

--- /var/spool/cron/crontabs:
drwx-wx--T 2 root crontab 4096 Oct 23 17:11 /var/spool/cron/crontabs

--- /etc/cron.d:
drwxr-xr-x 2 root root 4096 Oct  7 15:11 /etc/cron.d

--- /etc/cron.daily:
drwxr-xr-x 2 root root 4096 Oct  6 23:53 /etc/cron.daily

--- /etc/cron.hourly:
drwxr-xr-x 2 root root 4096 Sep 15 15:27 /etc/cron.hourly

--- /etc/cron.monthly:
drwxr-xr-x 2 root root 4096 Sep 16 15:50 /etc/cron.monthly

--- /etc/cron.weekly:
drwxr-xr-x 2 root root 4096 Sep 15 16:08 /etc/cron.weekly


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cron depends on:
ii  adduser         3.113+nmu3
ii  debianutils     4.3.2
ii  dpkg            1.16.8
ii  libc6           2.13-35
ii  libpam-runtime  1.1.3-7.1
ii  libpam0g        1.1.3-7.1
ii  libselinux1     2.1.9-5
ii  lsb-base        4.1+Debian7

Versions of packages cron recommends:
ii  exim4                                      4.80-5
ii  exim4-daemon-light [mail-transport-agent]  4.80-5

Versions of packages cron suggests:
ii  anacron        2.3-19
pn  checksecurity  <none>
ii  logrotate      3.8.1-4

Versions of packages cron is related to:
pn  libnss-ldap   <none>
pn  libnss-ldapd  <none>
pn  libpam-ldap   <none>
pn  libpam-mount  <none>
pn  nis           <none>
pn  nscd          <none>

-- no debconf information
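
Added example, not part of the original report and not the fix applied to Debian's cron: one way to close the kind of race described for create_tmp_crontab and cleanup_tmp_crontab is to pin the temporary directory with a file descriptor and perform every later operation relative to that descriptor instead of re-resolving the path in /tmp. The function names and the /tmp template below are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private directory from a mkdtemp() template and pin it with an fd. */
int open_private_tmpdir(char *tmpl)
{
    struct stat st;
    if (mkdtemp(tmpl) == NULL)
        return -1;
    /* O_NOFOLLOW: refuse the path if its last component is now a symlink. */
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* Check the opened object itself, not the name: our directory, mode 0700. */
    if (fstat(dfd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(dfd);
        return -1;
    }
    return dfd;
}

/* Create the file relative to the pinned directory, so a swapped /tmp path is
 * never re-resolved; O_EXCL also rejects a pre-planted symlink of this name. */
int create_tmp_file(int dfd, const char *name)
{
    return openat(dfd, name, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Remove the file via the pinned fd, then the directory by name; rmdir()
 * fails with ENOTDIR on a symlink instead of following it. */
int cleanup_tmp(int dfd, const char *name, const char *dirpath)
{
    int rc = unlinkat(dfd, name, 0);
    close(dfd);
    return (rmdir(dirpath) != 0) ? -1 : rc;
}

int main(void)
{
    char tmpl[] = "/tmp/crontab-example.XXXXXX"; /* constructed template */
    int dfd = open_private_tmpdir(tmpl);
    int fd = (dfd >= 0) ? create_tmp_file(dfd, "crontab") : -1;
    if (fd < 0)
        return 1;
    close(fd);
    return cleanup_tmp(dfd, "crontab", tmpl) == 0 ? 0 : 1;
}
```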


