Full Disclosure mailing list archives

fcrontab Information Disclosure Vulnerability
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Wed, 3 Mar 2010 19:06:22 -0500

 fcrontab Information Disclosure Vulnerability
 March 3, 2010


fcrontab, part of the fcron scheduler, is vulnerable to several race
conditions that allow a local attacker to use symbolic links to read
unauthorized files.  On systems where fcrontab is installed with its
own "fcron" group, this allows an attacker to read other non-root
users' crontabs and fcron configuration files.  On systems where
fcrontab is installed suid root, this allows an attacker to read arbitrary


The developer has released a new version, 3.0.5, to address these
vulnerabilities.  It is available for download on the developer's
website, http://fcron.free.fr.  Users are advised to recompile from
source or download updated packages from downstream distributors
when they become available.


This vulnerability was discovered by Dan Rosenberg
(dan.j.rosenberg () gmail com).
Thanks to Thibault Godouet for his prompt response and new release.


CVE identifier CVE-2010-0792 has been assigned to this issue.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
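
The advisory does not show fcron's code or the 3.0.5 fix, so the following is an added illustration of how a set-id program can defend against the symlink race class described above; it is not fcron source. `open_user_file` and `demo` are hypothetical names, and the temporary files in `demo` are constructed sample input.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a file named by an unprivileged user from a set-id program.
 * Every check is made on the descriptor, so the path cannot be
 * swapped for a symlink between the check and the read. */
int open_user_file(const char *path, uid_t real_uid)
{
    struct stat st;
    /* O_NOFOLLOW: fail if the final path component is a symlink. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() describes the object actually opened, not the name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != real_uid) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check: returns 0 when all three cases behave. */
int demo(void)
{
    char dir[] = "/tmp/symrace.XXXXXX", file[64], lnk[64];
    uid_t me = geteuid();           /* owner of the files created below */
    int fails = 0, fd;
    if (!mkdtemp(dir))
        return -1;
    snprintf(file, sizeof file, "%s/tab", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(file, lnk) != 0)
        return -1;
    close(fd);
    fd = open_user_file(file, me);                   /* own file: accepted */
    if (fd < 0) fails |= 1; else close(fd);
    if (open_user_file(lnk, me) >= 0) fails |= 2;    /* symlink: rejected */
    if (open_user_file(file, me + 1) >= 0) fails |= 4; /* other owner: rejected */
    unlink(lnk); unlink(file); rmdir(dir);
    return fails;
}

int main(void) { return demo(); }
```

`O_NOFOLLOW` only covers the final path component; the ownership check on the descriptor is what rejects a file reached through a redirected parent directory.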
