possible exploit bruteforcing on /usr/sbin/cron
Posted: Thu Nov 30, 2006 6:12 am
Hi!
I just turned on RBAC on one of our servers, and since then cron dies on its first run, with this error message:
Syslog:
I tried to set ulimit -c 50000 in /etc/init.d/cron just before starting cron, but it had no effect.
I disabled cron's PaX flags:
I use custom 2.4.33.3 kernel with grsec-2.1.9
Cron's ACL:
I just turned on RBAC on one of our servers, and since then cron dies on its first run, with this error message:
Syslog:
Nov 30 11:39:03 bishop kernel: grsec: From x.x.x.x: (default:D:/usr/sbin/cron) possible exploit bruteforcing on /usr/sbin/cron[cron:13136] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/cron[cron:26948] uid/euid:0/0 gid/egid:0/0 banning execution of [<NULL>:3226536896] for 524419 seconds/usr/sbin/cron[cron:13136] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/cron[cron:26948] uid/euid:0/0 gid/egid:0/0
Nov 30 11:39:03 bishop kernel: grsec: From x.x.x.x: (default:D:/usr/sbin/cron) signal 11 sent to /usr/sbin/cron[cron:13136] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/cron[cron:26948] uid/euid:0/0 gid/egid:0/0
Nov 30 11:39:03 bishop kernel: grsec: From x.x.x.x: (default:D:/usr/sbin/cron) denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/cron[cron:13136] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
I tried to set ulimit -c 50000 in /etc/init.d/cron just before starting cron, but it had no effect.
I disabled cron's PaX flags:
bishop:~# chpax -v /usr/sbin/cron
----[ chpax 0.7 : Current flags for /usr/sbin/cron (pemrxs) ]----
* Paging based PAGE_EXEC : disabled
* Trampolines : not emulated
* mprotect() : not restricted
* mmap() base : not randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : disabled
bishop:~#
I use custom 2.4.33.3 kernel with grsec-2.1.9
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y
# CONFIG_GRKERNSEC_PAX_SOFTMODE is not set
# CONFIG_GRKERNSEC_PAX_EI_PAX is not set
# CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS is not set
# CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS is not set
CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS=y
# CONFIG_GRKERNSEC_PAX_HOOK_ACL_FLAGS is not set
CONFIG_GRKERNSEC_PAX_NOEXEC=y
# CONFIG_GRKERNSEC_PAX_PAGEEXEC is not set
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
# CONFIG_GRKERNSEC_PAX_EMUTRAMP is not set
CONFIG_GRKERNSEC_PAX_MPROTECT=y
# CONFIG_GRKERNSEC_PAX_NOELFRELOCS is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
# CONFIG_GRKERNSEC_PAX_RANDKSTACK is not set
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_PAX_MEMORY_SANITIZE=y
CONFIG_GRKERNSEC_PAX_MEMORY_UDEREF=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_SOCKET=y
# CONFIG_GRKERNSEC_SOCKET_ALL is not set
# CONFIG_GRKERNSEC_SOCKET_CLIENT is not set
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=33
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
Cron's ACL:
subject /usr/sbin/cron dpko {
# Review notes on this RBAC subject. The syslog quoted above shows cron
# receiving signal 11 under this policy, and the "possible exploit
# bruteforcing" line looks like the kernel's reaction to that crash rather
# than a separate problem — so the segfault itself is what needs chasing
# (e.g. by running this subject permissively/in learning mode to see which
# access is being denied right before the crash), not the ban.
/ r
/bin rxi
/usr/bin rxi
/sbin rxi
/usr/sbin rxi
/usr/local/sbin rxi
/usr/sbin/cron rxi
/bin/ping rx
/usr/bin/ntpd rx
/usr/sbin/apache2 rx
/usr/sbin/indexer rx
/usr/sbin/sendmail rx
/usr/sbin/delexpired.pl rx
/usr/sbin/checkservice rx
/usr/sbin/syslog-ng rx
/usr/sbin/spamd rx
/etc/init.d/syslog-ng rx
/usr/sbin/couriertcpd rx
/usr/sbin/stunnel rx
/usr/bin/webalizer rx
/etc/logrotate.d rx
/usr/sbin/logrotate rx
/etc/cron.daily/logrotate rx
/var/cache/checkservice rwcdl
/var/log/checkservice rwcdl
/var/log/ntpstats rwcdl
/etc/nsswitch.conf r
/etc/nss-mysql.conf r
/etc/resolv.conf r
/etc/hosts r
/etc/host.conf r
/etc/ld.so.cache r
connect 195.228.240.249:53 stream dgram ip tcp udp
connect 195.228.242.180:53 stream dgram ip tcp udp
connect 195.70.32.131:53 stream dgram ip tcp udp
connect 195.70.32.221:53 stream dgram ip tcp udp
connect 212.40.96.96:53 stream dgram ip tcp udp
connect 195.70.50.3:53 stream dgram ip tcp udp
connect 127.0.0.1:53 stream dgram ip tcp udp
connect 127.0.0.1:3307 stream tcp
connect 127.0.0.1:3308 stream tcp
/dev
/dev/log* rw
/dev/null rwa
/var/run/.nscd_socket rw
/var/run/nscd/socket rw
# NOTE(review): this reads as a wildcard allow for raw-IP connects
# (presumably for /bin/ping, which is granted above) — confirm the scope is
# intended, since it is not limited to any address.
connect 0.0.0.0:0 ip
/dev/tty rw
/dev/urandom r
# NOTE(review): read access to the raw block devices below exposes all
# on-disk data to whatever runs under this subject; presumably needed by a
# disk/RAID-checking cron job — verify which job, and consider a dedicated
# subject for it.
/dev/md0 r
/dev/md1 r
/dev/md2 r
/dev/md3 r
/dev/md4 r
/dev/md5 r
/dev/md6 r
/dev/hda* r
/dev/hdb* r
/dev/hdc* r
/dev/hdd* r
/etc/gshadow r
/etc/login.defs r
/etc/default r
/etc/environment r
/etc/pam.d r
/etc/pam.conf r
/etc/security r
/etc/services r
/etc/locale.alias r
/etc/chkrootkit.conf r
/etc/updatedb.conf r
/etc/logrotate.conf r
/etc/mysql r
/etc/raidtab r
/etc/webalizer.d r
/etc/webalizer.conf r
/etc/exim4 rwcdl
/etc/exim4/access rw
/etc/exim4/access.info rw
/etc/inetd.conf r
/etc/passwd r
/etc/group r
# /etc/shadow and /etc/gshadow are readable here; plausible for PAM-based
# jobs, but together with the capabilities granted below this subject is
# effectively root-equivalent — worth confirming that is intended.
/etc/shadow r
/etc/mtab r
/etc/fstab r
/etc/protocols r
/etc/apache-ssl r
/etc/apache-perl r
/etc/apache2 r
/etc/clamav r
/etc/init.d rxi
/etc/cron.d rxi
/etc/cron.hourly rxi
/etc/cron.monthly rxi
/etc/cron.weekly rxi
/etc/cron.daily rxi
/etc/crontab r
/etc/perl r
/etc/checkservice r
/lib rx
/usr/lib rx
/usr/local/lib rx
/usr/X11R6/lib rx
/usr/share r
/usr/local/share r
/var
/var/mail
/var/lock rwcdl
/var/backups rwcdl
/var/account rwcdl
/var/cache/locate rwcdl
/var/cache/man rwcdlm
/var/lib rx
/var/lib/php4 rwcdl
/var/lib/php5 rwcdl
/var/lib/webalizer rwcdl
/var/lib/mailman rwcdlm
/var/lib/logrotate/status rw
/var/spool/cron r
/var/spool/exim4 rwcdl
/var/spool/squirrelmail/attach rwcdl
/var/log rwacdlm
/proc/sys/kernel/version s
/proc/meminfo r
/proc r
/root r
# NOTE(review): x (plus i) on /tmp lets anything written there be executed
# under this subject's policy; confirm a cron job really needs to execute out
# of /tmp, otherwise drop the x.
/tmp rwcdix
/var/run rwcdl
# Capabilities: everything is dropped, then the listed ones re-added.
# CAP_SYS_ADMIN and CAP_DAC_OVERRIDE are very broad; the "required by su"
# note below does not say which capability su actually needs — confirm and
# trim the list to what the jobs use.
-CAP_ALL
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_FSETID
+CAP_FOWNER
+CAP_CHOWN
+CAP_SYS_PACCT
+CAP_DAC_OVERRIDE
+CAP_SYS_ADMIN
### required by su
+CAP_SYS_RESOURCE
+CAP_SYS_NICE
# NOTE(review): there is no RES_CORE line in this subject. The syslog entry
# "denied resource overstep by requesting 4096 for RLIMIT_CORE against
# limit 0" suggests the core limit is being enforced from the policy side
# (possibly an inherited default subject), which would explain why the
# ulimit -c in /etc/init.d/cron had no effect — confirm. RES_CRASH as
# written is 1 crash per 10m, so a ban after the single segfault seen in
# the log looks consistent with this setting; verify against the grsec docs.
RES_CRASH 1 10m
bind disabled
connect 195.70.50.0/26:80 stream tcp
connect 217.20.133.0/24:80 stream tcp
}