IRIX crontab problems

Description:IRIX's default crontab contains some bad stuff. Like find that execs rm. Check the bugtrac archives for ways to leverage this to delete anything from the filesystem.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:Delete any files on the (probably root) filesystem. You should be able to leverage root access from this.
Vulnerable Systems:IRIX, probably 5.3, 6.2, and 6.3
Date:7 May 1997

te: Wed, 7 May 1997 05:48:00 -0500
From: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Subject: Irix: misc


3. root crontab

Though suid programs are the most common source of exploits, there're 
places to look.  root's crontab on Irix contains various items.  For
example, it has several entries that do recursive find+rm.  The dangers of
this were discussed on Bugtraq a while back.  As far as I remember, it
allows to remove arbitrary files on the system by exploiting race 
in find in connection with symlinks.  Also, cron runs /usr/etc/fsr weekly 
Sun morning.  fsr is disk defragmentation tool, it writes positions where 
left off to file /usr/tmp/.fsrlast.  It's merely a DOS threat because of 
contents of the file, I can't see any easy way to get root out of it.  Fix
is simple: edit root's crontab and add -f /var/adm/.fsrlast option to fsr.
This problem is not particularly dangerous because /usr/tmp is never 
up, so .fsrlast, once written, will stay there forever, effectively
preventing people from replacing it with symlink.  But on brand new boxes 
may cause bad things. Some interesting results may be obtained by feeding
properly constructed .fsrlast to fsr, but I didn't look closely at it.

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: