[Secure-testing-team] Bug#809167: cron: Cron Daemon Use-After-Free Vulnerability May Cause Local Root Privilege Escalation

Cron Daemon Use-After-Free Vulnerability May Cause Local Root Privilege Escalation orange.8361 at gmail.com
Sun Dec 27 18:57:50 UTC 2015


Package: cron
Version: 3.0pl1-127+deb8u1
Severity: critical
Tags: security
Justification: root security hole


Hi Debian Security Team:

I recently started to read the source code of Cron / Crontab and I think I found a vulnerability in it.

I found that in file "database.c"
    # http://anonscm.debian.org/cgit/pkg-cron/pkg-cron.git/tree/database.c?h=debian/3.0pl1-128

    load_database(...)
        -> process_crontab(...)
            -> force_rescan_user(...)
                free(u);                # line 600
                ...
                link_user(new_db, u);   # line 609

"u" have been freed but still put it into link_user(...).
link_user(...) connect the freed "u" to a linked-list.

So, if the program use the "new_db" later, the program will segment fault. 
Ex. In "cron.c" find_jobs(...) will use the freed "u"


And there is a condition to step into force_rescan_user(...).
In file "database.c" line 599
    if ((u->name = strdup(fname)) == NULL) {
        free(u);
        errno = ENOMEM;
    }

But I think on a low-memory machine or embedded system the condition can be ignored : )


P.S. I think other Linux distributions like Ubuntu also have this vulnerability.


Above are the details of this vulnerability.
Thanks :)



-- Package-specific info:
--- EDITOR:


--- /usr/bin/editor:
/bin/nano

--- /usr/bin/crontab:
-rwxr-sr-x 1 root crontab 36008 Jun 11  2015 /usr/bin/crontab

--- /var/spool/cron:
drwxr-xr-x 3 root root 4096 Jun  7  2015 /var/spool/cron

--- /var/spool/cron/crontabs:
drwx-wx--T 2 root crontab 4096 Dec 27 14:22 /var/spool/cron/crontabs

--- /etc/cron.d:
drwxr-xr-x 2 root root 4096 Dec 27 14:07 /etc/cron.d

--- /etc/cron.daily:
drwxr-xr-x 2 root root 4096 Dec 27 14:07 /etc/cron.daily

--- /etc/cron.hourly:
drwxr-xr-x 2 root root 4096 Dec 27 14:07 /etc/cron.hourly

--- /etc/cron.monthly:
drwxr-xr-x 2 root root 4096 Dec 27 14:07 /etc/cron.monthly

--- /etc/cron.weekly:
drwxr-xr-x 2 root root 4096 Dec 27 14:07 /etc/cron.weekly


-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cron depends on:
ii  adduser              3.113+nmu3
ii  debianutils          4.4+b1
ii  dpkg                 1.17.25
ii  init-system-helpers  1.22
ii  libc6                2.19-18
ii  libpam-runtime       1.1.8-3.1
ii  libpam0g             1.1.8-3.1
ii  libselinux1          2.3-2
ii  lsb-base             4.1+Debian13+nmu1

Versions of packages cron recommends:
pn  exim4 | postfix | mail-transport-agent  <none>

Versions of packages cron suggests:
pn  anacron        <none>
pn  checksecurity  <none>
ii  logrotate      3.8.7-1+b1

Versions of packages cron is related to:
pn  libnss-ldap   <none>
pn  libnss-ldapd  <none>
pn  libpam-ldap   <none>
pn  libpam-mount  <none>
pn  nis           <none>
pn  nscd          <none>

-- no debconf information



More information about the Secure-testing-team mailing list