Bug#686650: marked as done (bcron: Possible bcron security breach)

Debian Bug Tracking System Wed, 16 Jan 2013 07:03:25 -0800

Your message dated Wed, 16 Jan 2013 15:02:28 +0000
with message-id <e1tvuvy-0004kp...@franck.debian.org>
and subject line Bug#686650: fixed in bcron 0.09-13
has caused the Debian Bug report #686650,
regarding bcron: Possible bcron security breach
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
686650: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686650
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: bcron
Version: 0.09-12
Severity: normal
Tags: upstream

Dear Maintainer,

I think I have found a security breach in bcron. Bcron-exec program does not 
close 
its file descriptors when does fork()/exec() to run scheduled jobs. When used 
in 
untrusted environment such as shared hosting, it is possible for one user to 
send
spam from neighbour user's accounts or read other's cron job stdout.

In deeper details. If any user's program runs through cron and generates some 
output to
stdout/stderr, cron must send its output to owner's e-mail. Bcron uses 
start_slot()
function to create a temp file, write e-mail message headers in there to prepare
this mail to be sent and then does fork/exec to run scheduled task and 
redirects 
its stdout/stderr to this particular file. After this task done its work,
bcron in end_slot() compares the length of temp file with stored length of empty
temp file with only headers filled in and if they differ, end_slot() runs 
sendmail
to deliver this message.

start_slot() calls forkexec_slot() to fork and forkexec_slot() calls exec_cmd() 
to exec corresponding task. But before calling execv() it must close all open 
fds
execpt stdin/stdout/stderr. Unfortunatelly, there is no such code in exec_cmd().

If one creates 2 tasks and runs them simultaneously using bcron, the following 
situation occurs:

1. First task (cron1.sh):

root@debian:~# lsof -p 14230
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
cron1.sh 14230 root  cwd    DIR  254,0     4096   902 /root
cron1.sh 14230 root  rtd    DIR  254,0     4096     2 /
cron1.sh 14230 root  txt    REG  254,0   106920   624 /bin/dash
cron1.sh 14230 root  mem    REG  254,0  1583120   732 
/lib/x86_64-linux-gnu/libc-2.13.so
cron1.sh 14230 root  mem    REG  254,0   136936   977 
/lib/x86_64-linux-gnu/ld-2.13.so
cron1.sh 14230 root    0u   CHR    1,3      0t0  1199 /dev/null
cron1.sh 14230 root    1u   REG   0,17   479453 22716 
/tmp/bcron.14096.1346752020.105007 (deleted)
cron1.sh 14230 root    2u   REG   0,17   479453 22716 
/tmp/bcron.14096.1346752020.105007 (deleted)
cron1.sh 14230 root    3r  FIFO    0,8      0t0 55752 pipe
cron1.sh 14230 root   10r   REG  254,0       45   115 /root/cron1.sh

2. second task (cron2.sh):

root@debian:~# lsof -p 14231
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
cron2.sh 14231 root  cwd    DIR  254,0     4096   902 /root
cron2.sh 14231 root  rtd    DIR  254,0     4096     2 /
cron2.sh 14231 root  txt    REG  254,0   106920   624 /bin/dash
cron2.sh 14231 root  mem    REG  254,0  1583120   732 
/lib/x86_64-linux-gnu/libc-2.13.so
cron2.sh 14231 root  mem    REG  254,0   136936   977 
/lib/x86_64-linux-gnu/ld-2.13.so
cron2.sh 14231 root    0u   CHR    1,3      0t0  1199 /dev/null
cron2.sh 14231 root    1u   REG   0,17   316908 22717 
/tmp/bcron.14096.1346752020.105958 (deleted)
cron2.sh 14231 root    2u   REG   0,17   316908 22717 
/tmp/bcron.14096.1346752020.105958 (deleted)
cron2.sh 14231 root    3r  FIFO    0,8      0t0 44757 pipe
cron2.sh 14231 root    6u   REG   0,17   318938 22716 
/tmp/bcron.14096.1346752020.105007 (deleted)
cron2.sh 14231 root   10r   REG  254,0       45   112 /root/cron2.sh

Notice fd #6 is temp file created for gathering output of cron1.sh but cron2.sh 
has access to it and may overwrite it with its own content. And this message 
would be sent from cron1 while cron1 never generated it.

Speaking about shared hosting environment, it is possible for malicious user
to send spam without any traces showing this spam was sent from his/her account.

I'm going to attach path fixing this issue after it is tested and considered 
stable.


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bcron depends on:
ii  libbg1  1.106-1
ii  libc6   2.13-35

Versions of packages bcron recommends:
ii  bcron-run                       0.09-12
ii  postfix [mail-transport-agent]  2.9.3-2.1
ii  runit                           2.1.1-6.2
ii  ucspi-unix                      0.36-4

bcron suggests no packages.

-- no debconf information

--- End Message ---

--- Begin Message ---

Source: bcron
Source-Version: 0.09-13

We believe that the bug you reported is fixed in the latest version of
bcron, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 686...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gerrit Pape <p...@smarden.org> (supplier of updated bcron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 16 Jan 2013 10:13:37 +0000
Source: bcron
Binary: bcron bcron-run
Architecture: all source
Version: 0.09-13
Distribution: unstable
Urgency: medium
Maintainer: Gerrit Pape <p...@smarden.org>
Changed-By: Gerrit Pape <p...@smarden.org>
Description: 
 bcron      - Bruce's cron system (programs)
 bcron-run  - Bruce's cron system
Closes: 686650
Changes: 
 bcron (0.09-13) unstable; urgency=medium
 .
   * debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-...diff:
     new; from upstream git; bcron-exec: Mark all temporary files
     close-on-exec and close selfpipe; this fixes a security bug in
     bcron where cron jobs get access to the temporary output files from
     all other jobs that are still running (closes: #686650).
Checksums-Sha1: 
 acf2f180ec33b25510d373a00edcb8057221548b 1042 bcron_0.09-13.dsc
 13967b5f9bc815f44da4d3c57dfcae0155da00d1 9893 bcron_0.09-13.diff.gz
 f3b7353f6e83f25e2a0015d8bf01793ea1decfec 8930 bcron-run_0.09-13_all.deb
Checksums-Sha256: 
 4ce05a73efee27ba75d6a95efdb5ff8f9915ca70c041a0ef15182c4fb7e8e878 1042 
bcron_0.09-13.dsc
 d7a5c0da1e7cb92faa1fa9a29ef4c6636f1f9df158acd9f94ae35e7e5b304f52 9893 
bcron_0.09-13.diff.gz
 f7700963d863fdaa08f30360b6ceaa1ec303e9fb10185beef4e29bce98d1c3ce 8930 
bcron-run_0.09-13_all.deb
Files: 
 4617fcc0b0c088ea88656e22f6588e3f 1042 admin optional bcron_0.09-13.dsc
 d2fc2b72ebd095d55764e8f6e6ad2e67 9893 admin optional bcron_0.09-13.diff.gz
 2dea60dad96f5c0d3843bab5000527d6 8930 admin optional bcron-run_0.09-13_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlD2gFMACgkQGJoyQbxwpv/DPACfWNiOscyMpSz8wj03EMExC5CX
SsIAn2nS3o4wWZqwjHU7AIB3IdWioS87
=8npn
-----END PGP SIGNATURE-----

--- End Message ---

Bug#686650: marked as done (bcron: Possible bcron security breach)

Reply via email to