Bugtraq mailing list archives
vixie cron...
From: Michal Zalewski <lcamtuf () TPI PL>
Date: Fri, 17 Nov 2000 05:41:32 +0100
Attached shell script exploits a fopen() + preserved umask vulnerability in Paul Vixie's cron code. It will work on systems where /var/spool/cron is user-readable (e.g. 0755); AFAIR Debian does so. RedHat (at least 6.1 and previous) has mode 0700 on /var/spool/cron, and thus it isn't exploitable in its default configuration... (ahem, but this does NOT mean it is a problem of o+rx bits, but of insecure umask() and fopen() calls). I have no information about other distributions or systems; this exploit should automagically detect whether you are vulnerable or not (checking /var/spool/cron, looking for Paul Vixie's crontab, etc.). Please report your findings to me and/or to BUGTRAQ.

If any of your users launched this exploit on screen, and then any other user (including the superuser) invoked "crontab -e" to change his/her crontab entries, privilege elevation will occur. The main attack is performed while root (or any other user, but this particular exploit is configured against root; feel free to change it) is editing his crontab entry. After any modification, when crontabs are updated, this exploit will try to insert evil code over the original contents of the crontab file (the probability of successful exploitation is near 100%). This, after approximately one minute, leads to account compromise.

At the beginning, this exploit tries to abuse the crontab utility in order to create a somewhat enormous number of world-writable temporary files (these files are opened with fopen(), and then rename()d to the destination name - ugh!). It might take some time and cause a more or less heavy load on ancient boxes. After finishing that, the exploit waits, consuming little or no system resources, until a "crontab -e" session appears. For more details, see the exploit code.

Vendors were not notified because I have no idea which systems and distros are shipping a vulnerable configuration, and because a pretty good workaround is simple: chmod 700 /var/spool/cron.
_______________________________________________________ Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security] [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =-----=> God is real, unless declared integer. <=-----=
Attachment: xpl
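The post describes the defect as a privileged program that keeps the umask it inherited from its caller and then creates a spool temp file with fopen(), which asks for 0666; with the caller's umask set to 0 the file comes out world-writable before it is rename()d into place. The following is an added illustration of that pattern and of the hardened form, written for this archive page; it is neither the attached xpl exploit nor Vixie's cron source. The scratch directory under /tmp, the tmp.<pid> file name and the function names are assumptions for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits (0777 mask) of path, or -1 if it cannot be stat()ed. */
static int mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Vulnerable pattern: keep the umask inherited from the caller and create the
 * temp file with fopen().  fopen() requests 0666, so the file gets
 * 0666 & ~umask; a caller who set umask 0 gets a world-writable file owned by
 * whoever the program runs as.  Returns the new file's mode bits, -1 on error. */
int create_tmp_vulnerable(const char *path, mode_t caller_umask)
{
    mode_t saved = umask(caller_umask);     /* stand-in for the inherited umask */
    FILE *fp = fopen(path, "w+");
    umask(saved);
    if (fp == NULL)
        return -1;
    fputs("# spool contents go here\n", fp);
    fclose(fp);
    return mode_bits(path);
}

/* Hardened pattern: do not rely on the inherited umask at all.  Request 0600,
 * which no umask value can widen, and pass O_EXCL so a file already sitting at
 * that name is refused (errno EEXIST) instead of being reused.  Returns the new
 * file's mode bits, -1 on error. */
int create_tmp_hardened(const char *path, mode_t caller_umask)
{
    mode_t saved = umask(caller_umask);     /* same inherited umask as above */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int err = errno;
    umask(saved);
    if (fd < 0) {
        errno = err;
        return -1;
    }
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) {
        close(fd);
        return -1;
    }
    fputs("# spool contents go here\n", fp);
    fclose(fp);
    return mode_bits(path);
}

/* Demo helper (assumed layout): a private 0700 scratch directory holding a
 * PID-named temp file, like a spool directory's tmp.<pid>.  Returns a
 * malloc()ed path or NULL; release it with scratch_cleanup(). */
char *scratch_path(void)
{
    char dir[] = "/tmp/umask-demo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return NULL;
    size_t len = strlen(dir) + 32;
    char *path = malloc(len);
    if (path == NULL)
        return NULL;
    snprintf(path, len, "%s/tmp.%ld", dir, (long)getpid());
    return path;
}

/* Remove the temp file (if any) and its scratch directory, then free path. */
void scratch_cleanup(char *path)
{
    if (path == NULL)
        return;
    unlink(path);
    char *slash = strrchr(path, '/');
    if (slash != NULL) {
        *slash = '\0';
        rmdir(path);
    }
    free(path);
}

int main(void)
{
    char *path = scratch_path();
    if (path == NULL) {
        perror("mkdtemp");
        return 1;
    }
    printf("fopen(), caller umask 0     -> %04o\n", create_tmp_vulnerable(path, 0));
    unlink(path);
    printf("open(O_EXCL, 0600), umask 0 -> %04o\n", create_tmp_hardened(path, 0));
    int again = create_tmp_hardened(path, 0);
    printf("second O_EXCL create        -> %d (%s)\n", again,
           again < 0 ? strerror(errno) : "unexpectedly succeeded");
    scratch_cleanup(path);
    return 0;
}
```

With the caller's umask at 0 the fopen() version yields a 0666 file and at 022 a 0644 file, while the open() version yields 0600 in both cases; the second O_EXCL attempt at the same name fails with EEXIST, which is the behaviour you want when temp names are predictable and the directory is readable by other users. Resetting the umask (e.g. umask(077)) at program start is the other half of the fix, and the chmod 700 on the spool directory that the post recommends removes the other users' view of the temp files regardless.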
Current thread:
- vixie cron... Michal Zalewski (Nov 17)
- Re: vixie cron... Szilveszter Adam (Nov 18)
- Re: vixie cron... Dmitry Alyabyev (Nov 18)
- <Possible follow-ups>
- Re: vixie cron... Michal Zalewski (Nov 18)