CVE-2006-2607
published 2006-05-25
CVE-2006-2607: do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid…
Priority: P427, high, 7.2 (CVSS 2.0)
AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.56% (42.6th percentile)
do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cron_project | cron | >= 0 < 3.0pl1-64 | 3.0pl1-64 |
| cron_project | cron | >= 0 < 3.0pl1-64 | 3.0pl1-64 |
| cron_project | cron | >= 0 < 3.0pl1-64 | 3.0pl1-64 |
| cron_project | cron | >= 0 < 3.0pl1-64 | 3.0pl1-64 |
| debian | cron | < cron 3.0pl1-64 (bookworm) | cron 3.0pl1-64 (bookworm) |
| paul_vixie | vixie_cron | — | — |
CVSS provenance
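| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | 7.2 | HIGH | — |
| vendor_debian | 7.2 | MEDIUM | — |
| vendor_redhat | 7.2 | HIGH | — |
| vendor_ubuntu | 7.2 | HIGH | — |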
GHSA
GHSA-m6pc-rv4c-hqmg: do_command
ghsa_unreviewed·2022-05-01
OSV
CVE-2006-2607: do_command
osv·2006-05-25·CVSS 7.2
Ubuntu
cron vulnerability
vendor_ubuntu·2009-06-01·CVSS 7.2
It was discovered that cron did not properly check the return code of
the setgid() and initgroups() system calls. A local attacker could use
this to escalate group privileges. Please note that cron versions 3.0pl1-64
and later were already patched to address the more serious setuid() check
referred to by CVE-2006-2607.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
Jobs start from root when pam_limits enabled
vendor_redhat·2006-01-20·CVSS 7.2
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Debian
CVE-2006-2607: cron - do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a ...
vendor_debian·2006·CVSS 7.2
Scope: local
bookworm: resolved (fixed in 3.0pl1-64)
bullseye: resolved (fixed in 3.0pl1-64)
forky: resolved (fixed in 3.0pl1-64)
sid: resolved (fixed in 3.0pl1-64)
trixie: resolved (fixed in 3.0pl1-64)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2006-2607 Jobs start from root when pam_limits enabled
bugzilla·2006-05-25·CVSS 7.2
+++ This bug was initially created as a clone of Bug #178431 +++
Bugzilla
CVE-2006-2607 Jobs start from root when pam_limits enabled
bugzilla·2006-01-20·CVSS 7.2
From Bugzilla Helper:
User-Agent: Opera/8.50 (Windows NT 5.0; U; ru)
Description of problem:
I set hard nproc limit in limits.conf to 10 and uncommented "session required pam_limits.so" in /etc/pam.d/crond.
When the process limit has been reached, new processes start from root.
Version-Release number of selected component (if applicable):
vixie-cron-4.1-36.FC4 pam-0.79-9.6
How reproducible:
Always
Steps to Reproduce:
1. Add "username hard nproc 10" to /etc/security/limits.conf
2. Uncomment line with pam_limits.so in /etc/pam.d/crond
3. Add jobs in username crontab:

```
* * * * * /path/to/script.pl
```

script.pl:

```perl
#!/usr/bin/perl
# Record this process's PID in a marker file.
open file, '>/path/to/pid.'.$$;
close file;
# Stay alive so the process keeps counting against the nproc limit.
while(1) { sleep(1); }
```
Actual Results: After some time "ps aux" shows
References
http://bugs.gentoo.org/show_bug.cgi?id=134194
http://secunia.com/advisories/20380
http://secunia.com/advisories/20388
http://secunia.com/advisories/20616
http://secunia.com/advisories/21032
http://secunia.com/advisories/21702
http://secunia.com/advisories/35318
http://security.gentoo.org/glsa/glsa-200606-07.xml
http://securitytracker.com/id?1016480
http://support.avaya.com/elmodocs2/security/ASA-2006-168.htm
http://www.novell.com/linux/security/advisories/2006-05-32.html
http://www.redhat.com/support/errata/RHSA-2006-0539.html
http://www.securityfocus.com/archive/1/435033/100/0/threaded
http://www.securityfocus.com/bid/18108
http://www.vupen.com/english/advisories/2006/2075
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178431
https://exchange.xforce.ibmcloud.com/vulnerabilities/26691
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10213
https://usn.ubuntu.com/778-1/
Published: 2006-05-25