Privilege Escalation via Cron

Cron is a super useful job scheduler in Unix-based operating systems. It allows you to schedule jobs to run periodically.

Cron is usually used to automate system administration tasks. But for the individual user, you can use Cron to automate tasks like downloading emails, running malware scanners and checking websites for updates.

Today, let’s dive into how to use Cron and the security risks of a misconfigured Cron system.

How Does Cron Work?

The behavior of the Cron utility can be fully customized. You can configure the behavior of Cron by editing files called “crontabs”. Unix keeps different copies of crontabs for each user. You can edit your own user’s crontab by running:

crontab -e

You can also list the current cronjobs for your user by running:

crontab -l

There is also a system-wide crontab that administrators can use to configure system-wide jobs. In Linux systems, the location for the system-wide crontab is /etc/crontab. Cron will run as the root user when executing scripts and commands in this file.

Crontab syntax

All crontabs follow the same syntax. Each line specifies a command to be run and the time at which it should run.

* * * * * <command to be executed>
- - - - -
| | | | |
| | | | ----- Weekday (0 - 7) (Sunday is 0 or 7, Monday is 1...)
| | | ------- Month (1 - 12)
| | --------- Day (1 - 31)
| ----------- Hour (0 - 23)
------------- Minute (0 - 59)

For example, this crontab entry tells the system to “cd” into the directory where I store security scripts and run the “scan.sh” shell script every day at 9:30 pm. (The wildcard character “*” means “all”.)

30 21 * * * cd /Users/vickie/scripts/security; ./scan.sh

And in system-wide crontabs, you can also specify the user to run the command as:

* * * * * <username> <command to be executed>

For example, this entry will tell Cron to run the same commands, but as the root user:

30 21 * * * root cd /Users/vickie/scripts/security; ./scan.sh

Running scripts in batches

It is customary to place scripts that the system-wide crontab uses in the /etc/cron.d, /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly directories.

You can then batch run the scripts within the directories. For example, the following line in the crontab tells Cron to run all scripts in the /etc/cron.hourly directory as root every hour.

01 * * * * root run-parts /etc/cron.hourly

Cron Privilege Escalation

So how does Cron become a source of vulnerabilities?

By default, Cron runs as root when executing /etc/crontab, so any commands or scripts that are called by the crontab will also run as root. When a script executed by Cron is editable by unprivileged users, those unprivileged users can escalate their privilege by editing this script, and waiting for it to be executed by Cron under root privileges.

Let’s say the following line is in /etc/crontab. Every day at 9:30 pm, Cron runs the maintenance.sh shell script. Since the script is called from /etc/crontab, it will run under root privileges.

30 21 * * * root /path/to/maintenance.sh

Now let’s say that the maintenance.sh script is also editable by everyone, not just the root user. In this case, anyone can add commands to maintenance.sh, and get that command executed by the root user.

This makes privilege escalation trivial. For example, attackers can grant themselves Superuser privileges by adding themselves as a Sudoer.

echo "vickie ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

Or, they can gain root access by adding a new root user to the /etc/passwd file. In this command below, “0” is the UID of the root user, so adding a user with the UID of “0” will give that user root privileges. This user will have the username of “vickie” and an empty password:

echo "vickie::0:0:System Administrator:/root/root:/bin/bash" >> /etc/passwd

And so on. There are many more ways to escalate a user’s privilege on a Unix-based system. By exploiting a misconfiguration in a crontab, the attacker will be able to execute any command of their choosing and gain root privileges.
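
A defender's check for the misconfiguration this section describes. This is an added example, not code from the original article: it parses a system-style crontab (the same seven-field format as /etc/crontab and the files in /etc/cron.d) and flags every absolute path in the command part that is a regular file with its group or world write bit set. The crontab and script files it is run against are constructed for the test.

```shell
#!/bin/sh
# Audit a system-style crontab (min hour dom mon dow user command) and report
# every absolute path in the command part that is a regular file writable by
# its group or by everyone: exactly the misconfiguration the article describes,
# a script an unprivileged user can edit and then have run as root.

# Return 0 if the group or "other" write bit is set on $1 (parses ls -ld, whose
# mode string is e.g. "-rwxrwxrwx"; character 6 is group write, 9 is other write).
is_group_or_world_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# Print "WRITABLE <path>" for each risky script referenced from crontab file $1.
# Returns 0 when nothing was found and 1 otherwise.
audit_crontab() {
    file=$1
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*|[A-Za-z_]*=*) continue ;;   # blank, comment or VAR=value line
        esac
        set -f                     # do not glob-expand the "*" time fields
        set -- $line
        set +f
        case "$1" in
            @*) [ $# -gt 2 ] || continue; shift 2 ;;   # @reboot user command
            *)  [ $# -gt 6 ] || continue; shift 6 ;;   # five time fields + user
        esac
        for tok in "$@"; do
            tok=${tok%;}           # strip the ';' in "cd /some/dir;"
            case "$tok" in
                /*) if [ -f "$tok" ] && is_group_or_world_writable "$tok"; then
                        echo "WRITABLE $tok"
                        found=1
                    fi ;;
            esac
        done
    done < "$file"
    return $found
}
```

Run it as `audit_crontab /etc/crontab` and over each file in /etc/cron.d; a non-zero exit means at least one root-executed script can be modified by non-root users.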

What if my file permissions are secure?

Another common security hole is vulnerabilities in the scripts themselves. If a script behaves in an insecure manner and you run it as root using Cron, then that could introduce vulnerabilities too.

For example, let’s say that the system-wide crontab runs a script that contains a wildcard injection vulnerability.

A wildcard injection vulnerability happens when a program uses the wildcard (*) character in an insecure way. This allows attackers to change the command’s behavior by injecting command flags. In this case, the vulnerability occurs within these lines in the script:

cd directory1
chown root *

The script goes into directory1 and changes the owner of every file to the root user. If the directory contains the files a.txt, b.txt, and c.txt, the second command would expand into the following, due to the wildcard.

chown root a.txt b.txt c.txt

But the command chown has a flag called --reference, which tells chown to change the owner of the files to the owner of the reference file instead. So this command would change the owner of all files to the user "vickie" instead.

chown root a.txt b.txt c.txt --reference=file_owned_by_vickie.txt

So how can a hacker exploit this situation?

First, she can create a file in directory1 using her own user account, called file_owned_by_vickie.txt. Then, she can create another file in directory1 called --reference=file_owned_by_vickie.txt.

Finally, when the script gets executed, the wildcard will notice that the directory contains five files: a.txt, b.txt, c.txt, --reference=file_owned_by_vickie.txt and file_owned_by_vickie.txt. It will expand the command into this one:

chown root a.txt b.txt c.txt --reference=file_owned_by_vickie.txt file_owned_by_vickie.txt

The --reference flag was injected, and thus the owner of the file_owned_by_vickie.txt file now owns all files in directory1.

Normally, chown is executable only by a superuser, but running it through Cron as the root account gives attackers the opportunity to exploit the wildcard injection vulnerability.
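
The vulnerable expansion beside its hardened form, as an added example that is not part of the original article. The functions below expand a directory's contents the way `chown root *` does and the way `chown root ./*` does, and show that only the first turns a file named --reference=owned.txt into a flag; the file names are constructed, and apply_to_dir is a hypothetical helper name.

```shell
#!/bin/sh
# Shows why "chown root *" in the article's script is injectable and how
# prefixing the glob with "./" fixes it: a file named "--reference=owned.txt"
# expands to "./--reference=owned.txt", which chown can only read as a filename.

# Count how many of the arguments would be parsed as options (start with "-").
count_option_like() {
    n=0
    for arg in "$@"; do
        case "$arg" in
            -*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Expand the glob the way the vulnerable script does ("chown root *") inside
# directory $1 and report how many option-looking arguments it produces.
unsafe_glob_options() {
    ( cd "$1" && count_option_like * )
}

# Same count with the hardened expansion ("chown root ./*").
safe_glob_options() {
    ( cd "$1" && count_option_like ./* )
}

# Hardened way to run a command over every entry of directory $1, e.g.
#   apply_to_dir /srv/directory1 chown root
# runs "chown root -- ./a.txt ./--reference=owned.txt ...": the "./" prefix
# and the "--" terminator each stop a filename from being parsed as a flag.
apply_to_dir() {
    dir=$1
    shift
    ( cd "$dir" && "$@" -- ./* )
}
```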

Conclusion

If your system uses Cron to automate tasks, make sure that none of the scripts that you run through crontab are editable by unprivileged users, and make sure that your Cron scripts are secure! You could accidentally leave your system wide open to privilege escalation attacks.

Thanks for reading. Follow me on Twitter for more posts like this one.

Translated from: https://medium.com/swlh/privilege-escalation-via-cron-812a9da9cf1a
