Security Incidents mailing list archives
Re: cron exploit?
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Mon, 29 Sep 2003 17:06:42 -0400
I'm assuming you found evidence of this script on the system, otherwise you wouldn't have brought it up. The set of commands in the list definitely set up a root shell backdoor, but the attacker would need root level access first and foremost. I see no exploitation of cron here except that they wanted the binary to run, I believe, as a cron job. But, cron runs scripts and programs - that's what cron does. Cron's just doing what cron does. There's no exploit code listed as being run; I just don't see how any of this would be useful unless the attacker had root access in the first place, or - for some unknown reason - the kernel would allow you to overwrite a file with the SUID root binary. But, again, that's not a cron issue at all. The '/sbin/init' modification is troubling, but again has nothing to do with cron, nor is it mentioned anywhere in the link you provided.
-Barry

Jeremy Hanmer wrote:

> Unfortunately, the permissions were all fine. The user apparently poked around cron.daily, but there isn't any evidence that they were ever able to successfully modify anything in there. All files (and the directory itself) were owned by root.root, and all were 755. The *only* file found modified by tripwire was /sbin/init. Nothing else in any library paths, bin paths, or /etc had been touched.
>
> On Mon, 2003-09-29 at 10:30, Matt Zimmerman wrote:
>
>> On Sun, Sep 28, 2003 at 03:09:01PM -0700, Jeremy Hanmer wrote:
>>
>>> We just had a Debian (Woody) box get rooted, apparently by a cron exploit mentioned here: http://www.codon.org.uk/~mjg59/kern/jmb73bash We've contacted the package maintainer, but has anybody else seen anything like this floating around yet? It's pretty worrisome since we have a couple hundred linux boxes that must run cron for various reasons.
>>
>> As I said before, there is no evidence here of a cron exploit, and it raises unnecessary alarm to claim that there is one. It looks like you had a world-writable script (or a script owned by the unprivileged user who was exploited) in /etc/cron.daily, and so the intruder modified that script in order to execute commands as root. All signs point to a local configuration error.
>>
>>> echo chown root:root /tmp/rmsd >> mkwebuserlist
>>> echo chmod 4755 /tmp/rmsd >> mkwebuserlist
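The check a defender would run after reading Matt's explanation, as an added example that is not part of this thread: a small POSIX shell audit of the locations cron executes as root, flagging any script (or the directory holding it) that is group- or world-writable or not owned by root. Anything cron runs as root that a local user can append to is a root shell waiting to happen, whatever the binary it later chmods. The list of cron paths and the demo directory (one constructed clean script named logrotate, one world-writable script named after the mkwebuserlist file in the thread) are assumptions for the example; the owner parameter exists only so the demo can run without root.

```shell
#!/bin/sh
# Added example (not code from the thread): audit the directories cron runs as
# root for scripts an unprivileged local user could modify. A group- or
# world-writable script in /etc/cron.daily, or one owned by a non-root user,
# lets that user append commands that cron will then execute as root, which is
# the local misconfiguration described in the thread.

# Locations cron executes as root on a typical Debian system. Assumed list;
# extend it for other cron implementations (e.g. /var/spool/cron).
CRON_PATHS="/etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly"

# audit_cron_dir PATH [OWNER]
# Prints one "TAG path" line per finding and returns 0 if PATH is clean, 1 otherwise.
#   WRITABLE-DIR   PATH is a directory that is group/world-writable or not owned by OWNER
#                  (an attacker could then add or replace scripts wholesale)
#   WRITABLE-FILE  PATH, or a file inside it, is group/world-writable or not owned by OWNER
# OWNER defaults to root; it is a parameter only so the demo can run unprivileged.
# find -L follows symlinks, so a link into a user-owned file is judged by its target.
audit_cron_dir() {
    path=$1
    owner=${2:-root}
    status=0
    [ -e "$path" ] || return 0
    if [ -n "$(find -L "$path" -maxdepth 0 \( -perm -020 -o -perm -002 -o ! -user "$owner" \) -print)" ]; then
        if [ -d "$path" ]; then echo "WRITABLE-DIR $path"; else echo "WRITABLE-FILE $path"; fi
        status=1
    fi
    if [ -d "$path" ]; then
        hits=$(find -L "$path" -mindepth 1 -type f \( -perm -020 -o -perm -002 -o ! -user "$owner" \) -print)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed 's/^/WRITABLE-FILE /'
            status=1
        fi
    fi
    return $status
}

# audit_all: run audit_cron_dir over CRON_PATHS; returns 1 if anything was found.
audit_all() {
    rc=0
    for p in $CRON_PATHS; do
        audit_cron_dir "$p" || rc=1
    done
    return $rc
}

# make_demo: build a constructed cron.daily look-alike in a temp directory and
# print its path. It holds one correctly permissioned script and one
# world-writable script named after the one in the thread. Demo data only.
make_demo() {
    d=$(mktemp -d)/cron.daily
    mkdir -m 755 "$d"
    printf '#!/bin/sh\nexit 0\n' > "$d/logrotate"
    chmod 755 "$d/logrotate"
    printf '#!/bin/sh\nexit 0\n' > "$d/mkwebuserlist"
    chmod 777 "$d/mkwebuserlist"   # the defect: any local user can append to it
    echo "$d"
}

# Demonstration against the constructed directory, judged relative to the
# invoking user so it works without root. The real audit is simply: audit_all
demo=$(make_demo)
audit_cron_dir "$demo" "$(id -un)" || echo "fix findings above with chown root:root and chmod 755"
rm -rf "$(dirname "$demo")"
```

Run it as root on a real host with `audit_all`; a clean system prints nothing and exits 0. The directory check matters as much as the file check: a writable /etc/cron.daily lets an attacker drop a fresh script instead of editing one, and run-parts will happily execute it.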