Security Incidents mailing list archives

Re: cron exploit?


From: Matt Zimmerman <mdz () debian org>
Date: Mon, 29 Sep 2003 13:30:24 -0400

On Sun, Sep 28, 2003 at 03:09:01PM -0700, Jeremy Hanmer wrote:

> We just had a Debian (Woody) box get rooted, apparently by a cron
> exploit mentioned here:  http://www.codon.org.uk/~mjg59/kern/jmb73bash
>
> We've contacted the package maintainer, but has anybody else seen
> anything like this floating around yet?  It's pretty worrisome since we
> have a couple hundred linux boxes that must run cron for various
> reasons.

As I said before, there is no evidence here of a cron exploit, and it raises
unnecessary alarm to claim that there is one.  It looks like you had a
world-writable script (or a script owned by the unprivileged user who was
exploited) in /etc/cron.daily, and so the intruder modified that script in
order to execute commands as root.

All signs point to a local configuration error.

echo chown root:root /tmp/rmsd >> mkwebuserlist
echo chmod 4755 /tmp/rmsd >> mkwebuserlist

-- 
 - mdz
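
The misconfiguration described in this message (a job script under /etc/cron.daily that is world-writable or owned by an unprivileged user) can be checked for directly. The following is an added example, not part of the original post: the function name `audit_cron_paths` is hypothetical, and the paths in the usage comment other than /etc/cron.daily are the standard Debian cron locations, assumed here.

```shell
#!/bin/sh
# Added example: report cron job files and directories that an account
# other than the expected owner could modify.
#
# Usage (as root, on a Debian-style layout; paths are assumptions):
#   audit_cron_paths root /etc/crontab /etc/cron.d /etc/cron.hourly \
#       /etc/cron.daily /etc/cron.weekly /etc/cron.monthly
#
# Prints one finding per line as "<reason> <path>":
#   writable  group- or world-writable file or directory
#   owner     file or directory not owned by the expected owner
# Returns 0 when there are no findings and 1 otherwise.
audit_cron_paths() {
    owner=$1
    shift
    findings=$(
        for p in "$@"; do
            [ -e "$p" ] || continue
            # -L makes find test the target of a symlinked job script,
            # since run-parts executes the target, not the link.
            find -L "$p" \( -type f -o -type d \) \
                \( -perm -0002 -o -perm -0020 \) \
                -exec printf 'writable %s\n' {} \;
            find -L "$p" \( -type f -o -type d \) ! -user "$owner" \
                -exec printf 'owner %s\n' {} \;
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

A writable directory is reported as well as a writable file, because write access to the directory is enough to replace a job script in it.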
