Vigil@nce: FreeBSD, information disclosure via crontab
March 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the crontab tool of FreeBSD, in order to
determine if a file/directory exists or to compare files.
– Severity: 1/4
– Creation date: 01/03/2011
IMPACTED PRODUCTS
– FreeBSD
DESCRIPTION OF THE VULNERABILITY
Three vulnerabilities were announced in the crontab tool of
FreeBSD.
The crontab tool calls the stat() function to determine if the
file edited by the crontab editor still exists. However, a
symbolic link can be used to test if another file exists.
[severity:1/4; CVE-2011-1073]
The crontab tool calls realpath() to check if its parameter is a
valid path to /etc/crontab. An attacker can therefore enter in a
secret directory, and then go up, and finally go to /etc/crontab.
The attacker can thus determine if the secret directory exists.
[severity:1/4; CVE-2011-1074]
The crontab tool checks if the MD5 of the edited file changed
before copying it. However, with symbolic links, the attacker can
thus compare two files. [severity:1/4; CVE-2011-1075]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeBSD-information-disclosure-via-crontab-10407