From owner-freebsd-security Tue Jan 23 13:22: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 18D8D37B69B; Tue, 23 Jan 2001 13:21:26 -0800 (PST) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory: FreeBSD-SA-01:09.crontab Reply-To: security-advisories@freebsd.org Message-Id: <20010123212126.18D8D37B69B@hub.freebsd.org> Date: Tue, 23 Jan 2001 13:21:26 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:09 Security Advisory FreeBSD, Inc. Topic: crontab allows users to read certain files Category: core Module: crontab Announced: 2001-01-23 Credits: Kyong-won Cho Affects: FreeBSD 3.x (all releases), 4.x (all releases prior to 4.2) FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the correction date. Corrected: 2000-11-11 (FreeBSD 4.1.1-STABLE) 2000-11-20 (FreeBSD 3.5.1-STABLE) FreeBSD only: No I. Background crontab(8) is a program to edit crontab(5) files for use by the cron daemon, which schedules jobs to run at specified times. II. Problem Description crontab(8) was discovered to contain a vulnerability that may allow local users to read any file on the system that conform to a valid crontab(5) file syntax. Due to crontab(5) syntax requirements, the files that may be read is limited and subject to the following restrictions: * The file is a valid crontab(5) file, or: * The file is entirely commented out; every line contains either only whitespace, or begins with a '#' character. The greatest security vulnerability is the disclosure of crontab entries owned by other users, which may contain sensitive data such as keying material (although this would often be publically disclosed anyway at the time when the crontab job executes, via process arguments and environment, etc). All released versions of FreeBSD prior to the correction date including FreeBSD 4.1.1 are vulnerable to this problem. The problem was corrected prior to the release of FreeBSD 4.2. III. Impact Malicious local users can read arbitrary local files that conform to a valid crontab file syntax. IV. Workaround One of the following: 1) Utilize crontab allow/deny files (/var/cron/allow and /var/cron/deny) to limit access to use the crontab(8) utility. 2) Remove the setuid privileges from /usr/sbin/crontab. However, this will not allow users other than root to use cron. V. Solution One of the following: Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.1.1-STABLE after the correction date. To patch your present system: download the relavent patch from the below location and execute the following commands as root: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:09/crontab-4.x.patch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:09/crontab-4.x.patch.asc Verify the detached PGP signature using your PGP utility. # cd /usr/src/usr.sbin/cron/crontab # patch -p < /path/to/patch # make depend && make all install -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOm32m1UuHi5z0oilAQGA+QQAhArbkzv/lo8QibLjyEFB3lta0IC5HSrJ hPuetiP/XViZNXntIAtm26M9QGRAhw0M1s9CU6PGD0zVJHtfh/nRoNxdU9vFLhJ6 xbJf6Wai6VTJpQK7dwXKIi6nplKlOSLhd6ZhvP1fe/6bDsbYywOxJdYGJZcyKtFA vG1n8lhzhog= =EJ7/ -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message