Misconfigured CRON Jobs

Introduction

Cron jobs in Linux function similarly to scheduled tasks in Windows, allowing users to schedule the execution of scripts or programs at specific times. When a cron job is scheduled in root's crontab, the associated script or program runs with root privileges.

However, if the permissions of the script are misconfigured—for example, if the script is modifiable by any user—an attacker could potentially modify the script. In such a scenario, the attacker can introduce malicious instructions, leading to the execution of unauthorized tasks with root permissions whenever the scheduled cron job runs.

Step-by-Step Guide

Setup

1. Create the Script

Create your script using a text editor. For example, let’s call it evil.sh. Make sure the script has execute permission.

touch evil.sh
chmod +x evil.sh

2. Edit the Script

Open evil.sh with a text editor and add the commands or actions you want the script to perform.

#!/bin/bash
# Your script commands here

3. Modify Permissions

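To make the script writable by everyone, use the chmod command. The a+w form is used because a plain +w is filtered through the umask and usually adds write permission for the owner only.

chmod a+w evil.sh

This is where the vulnerability is introduced. Anyone can edit the cron script and add commands, which are then executed as root the next time the cron job runs.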

4. Set up the Cron Job

Open your crontab file using the following command:

crontab -e

For example, add the following line to execute the script every day at 9 am:

0 9 * * * /path/to/evil.sh

Here is the crontab syntax - each line specifies a command to be run and the time at which it should run:

(1)(2)(3)(4)(5) <command to be executed>
    -(1) Minute (0 - 59)
    -(2) Hour (0 - 23)
    -(3) Day (1 - 31)
    -(4) Month (1 - 12)
    -(5) Weekday (0 - 7) (Sunday is 0 or 7, Monday is 1...)

e.g. 0 9 * * * /path/to/evil.sh

Make sure to replace /path/to/evil.sh with the actual path to your script.

5. Save and Exit

Save and exit the crontab file.

  • For nano, press Ctrl + X, then press Y to confirm, and press Enter.
  • For vim, press Esc, then type :wq, and press Enter.

Now, your cron job is set up to run the script at your chosen time, and the script is writable by everyone.

Exploitation

Since the script is modifiable by everyone, anyone can add malicious commands to the script, which are then executed the next time the cron job runs.

As discussed, since the cron job is launched as root, any commands in the script will be launched as root.

For example, attackers can grant themselves higher privileges by adding a line to the evil.sh script that makes them a sudoer (/etc/sudoers).

echo 'notroot ALL=(ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers
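
A defender can look for this misconfiguration before it is abused. The following is an added example, not part of the original tutorial: a POSIX shell function that reads a crontab file and reports every regular file it references by absolute path that is group- or world-writable. The demo file names and paths are constructed, and splitting entries on whitespace is a simplifying assumption (paths containing spaces are not handled).

```shell
#!/bin/sh
# Added example (not from the original page): flag cron-run files that
# group or other users can modify.

# audit_crontab FILE
# Prints one "WRITABLE <mode> <path>" line for each regular file that a crontab
# entry references by absolute path and that is group- or world-writable.
# Exit status is 1 if anything was flagged, 0 otherwise.
audit_crontab() (
    file=$1 found=0
    set -f                              # keep '*' time fields literal
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                    # split the entry on whitespace
        case ${1:-#} in
            '#'*|*=*) continue ;;       # blank line, comment, or VAR=value
        esac
        for tok in "$@"; do
            case $tok in /*) ;; *) continue ;; esac
            [ -f "$tok" ] || continue   # skip /dev/null, directories, missing
            mode=$(ls -ldL "$tok" | cut -c1-10)
            case $mode in               # char 6 = group write, 9 = other write
                ?????w*|????????w*) echo "WRITABLE $mode $tok"; found=1 ;;
            esac
        done
    done < "$file"
    exit "$found"
)

# demo: constructed sample data in a temp directory (names are hypothetical).
demo() (
    dir=$(mktemp -d) || exit 2
    printf '#!/bin/sh\n' > "$dir/evil.sh"; chmod 777 "$dir/evil.sh"
    printf '#!/bin/sh\n' > "$dir/safe.sh"; chmod 755 "$dir/safe.sh"
    {
        echo '# constructed crontab'
        echo 'MAILTO=root'
        echo "0 9 * * * $dir/evil.sh"
        echo "*/5 * * * * root $dir/safe.sh > /dev/null 2>&1"
    } > "$dir/crontab"
    audit_crontab "$dir/crontab"; rc=$?
    rm -rf "$dir"
    exit "$rc"
)

# Run the demo only when the script is invoked with the argument "demo".
if [ "${1:-}" = demo ]; then demo; fi
```

Because it only looks for absolute-path tokens, the same function works on a user crontab and on the system format with a user field (/etc/crontab, /etc/cron.d). Anything it reports should be owned by root and have group and other write permission removed.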

Reference

https://materials.rangeforce.com/tutorial/2020/04/17/Cron-Privilege-Escalation/