On 06/11/2010 05:05 PM, vladz wrote:
> Package: cron
> Version: 3.0pl1-105
>
> It is possible to hide scheduled tasks inside a cron table by using control
> characters '\r' and '\b', example:
>
>  $ crontab -l
>  no crontab for alice
>
>  $ printf "* * * * * >/tmp/x;\rno crontab for alice\n" | crontab -
>
>  // new task (">/tmp/x") is hidden because of the carriage return char
>  $ crontab -l
>  no crontab for alice
>
>  // even for root
>  # crontab -l -u alice
>  no crontab for alice
>
>  [ and one minute later ... ]
>
>  # ls -l /tmp/x
>  -rw-r--r-- 1 alice alice 0 juin   2 22:27 /tmp/x
>
> From a security side, this thing could also allow someone to hide a
> backdoor (example: http://vladz.devzero.fr/other/hide-task.sh.txt).

I may be wrong, but I consider this only a minor problem.
  1) the job is still logged to syslog
  2) the user does not have elevated permissions
  3) I doubt a sysadmin would check user crontabs with crontab -l

> I suggest that the crontab command rejects control characters which can be
> used to hide strings (mostly carriage return '\r' and backspace '\b'
> characters). I wrote a small patch for this (attached file), let me know if
> more improvements are needed.

Your solution would probably screw with stdin piping to the executed
command (see crontab(5), "sixth field", percent sign). Executed commands
may need these characters.

The solution I have in mind is to simply fix the output of crontab -l.


Regards,
Christian
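
One way the output-side fix proposed above could look, as an added example that is not cron's code and not part of this message: the hypothetical helper `escape_ctrl` renders control bytes in caret notation, as `cat -v` does, before a crontab line is printed, so the stored table and any bytes a command needs on stdin stay untouched. It goes beyond the report by covering every C0 control byte and DEL, not only '\r' and '\b'.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not taken from cron: copy `in` to `out`, writing each
 * control byte in caret notation ('\r' -> ^M, '\b' -> ^H, ESC -> ^[, DEL -> ^?).
 * Tab and newline pass through; bytes >= 0x80 pass through so UTF-8 survives.
 * Returns the number of bytes escaped, or -1 if `out` is too small. */
int escape_ctrl(const char *in, size_t in_len, char *out, size_t out_size)
{
    size_t o = 0;
    int escaped = 0;

    if (out_size == 0)
        return -1;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        int is_ctrl = (c < 0x20 && c != '\t' && c != '\n') || c == 0x7f;

        if (o + (is_ctrl ? 2 : 1) + 1 > out_size)  /* +1 for the NUL */
            return -1;
        if (is_ctrl) {
            out[o++] = '^';
            out[o++] = (char)(c ^ 0x40);  /* 0x0d -> 'M', 0x7f -> '?' */
            escaped++;
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed sample: the crontab line from the report above. */
    const char *line = "* * * * * >/tmp/x;\rno crontab for alice\n";
    char shown[256];
    int n = escape_ctrl(line, strlen(line), shown, sizeof shown);

    if (n < 0)
        return 1;
    fputs(shown, stdout);
    if (n > 0)
        fprintf(stderr, "warning: %d control byte(s) shown in caret notation\n", n);
    return 0;
}
```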
