Package: cron
Version: 3.0pl1-105

It is possible to hide scheduled tasks inside a cron table by using the
control characters '\r' and '\b'. Example:

 $ crontab -l
 no crontab for alice

 $ printf "* * * * * >/tmp/x;\rno crontab for alice\n" | crontab -

 // new task (">/tmp/x") is hidden because of the carriage return char
 $ crontab -l
 no crontab for alice

 // even for root
 # crontab -l -u alice
 no crontab for alice

 [ and one minute later ... ]

 # ls -l /tmp/x
 -rw-r--r-- 1 alice alice 0 juin   2 22:27 /tmp/x

From a security side, this thing could also allow someone to hide a
backdoor (example: http://vladz.devzero.fr/other/hide-task.sh.txt).

I suggest that the crontab command rejects control characters which can be
used to hide strings (mostly carriage return '\r' and backspace '\b' 
characters). I wrote a small patch for this (attached file), let me know if 
more improvements are needed.

I am using Debian version 5.0.4 (kernel 2.6.26-2-686).

--- crontab.c	2010-06-11 13:57:08.000000000 +0000
+++ crontab.c.orig	2010-06-11 13:51:13.000000000 +0000
@@ -823,8 +823,19 @@
 	 */
 	rewind(NewCrontab);
 	Set_LineNum(1)
-	while (EOF != (ch = get_char(NewCrontab)))
+	while (EOF != (ch = get_char(NewCrontab))) {
+		/* Do not accept carriage return and backspace characters
+		 * because they could be used to hide scheduled tasks.
+		 */
+		if(ch == '\r' || ch == '\b') {
+                        fprintf(stderr, "%s: Some control characters are not allowed\n",          
+                                ProgramName);
+                        fclose(tmp);  unlink(tn);
+                        return (-2);
+                }
+
 		putc(ch, tmp);
+	}
 
 	if (ferror(tmp) || fflush(tmp) || fsync(fd)) {
 		fprintf(stderr, "%s: error while writing new crontab to %s\n",
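
Review bot: The test `if(ch == '\r' || ch == '\b')` rejects only two characters, while other control characters (ESC-based terminal sequences, for instance) can also change what `crontab -l` shows on a terminal; consider rejecting every control character except tab and newline, for example with iscntrl(). The error message would be more useful if it reported the offending line, since the loop already tracks line numbers (Set_LineNum above). Two smaller points: the added lines inside the if body are indented with spaces and carry trailing whitespace where the surrounding code uses tabs, and the file headers are swapped (`--- crontab.c` / `+++ crontab.c.orig`), so the patch reads as going from the modified file to the original.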

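A way to check existing tables for the hiding technique described in this report, as an added example that is not part of the original report or of cron. The function name `audit_crontab` is hypothetical; it flags any line containing a control character other than tab, which goes beyond the '\r' and '\b' the patch rejects, and prints the line with those characters made visible. The sample tables are constructed.

```sh
#!/bin/sh
# Added example (not from the report): flag crontab lines that contain
# terminal control characters.
#
# audit_crontab FILE
#   Prints "lineno:content" for every line holding a control character other
#   than tab, with the characters made visible (\r as ^M, \b as ^H).
#   Returns 0 if the file is clean, 1 if a line was flagged, 2 on bad input.
audit_crontab() {
    [ -r "$1" ] || { echo "audit_crontab: cannot read $1" >&2; return 2; }
    # Tabs are legitimate separators in a crontab; map them to spaces so that
    # [[:cntrl:]] only matches characters that can alter the display.
    _hits=$(tr '\t' ' ' < "$1" | LC_ALL=C grep -an '[[:cntrl:]]' | cat -v)
    [ -z "$_hits" ] && return 0
    printf '%s\n' "$_hits"
    return 1
}

# Constructed sample input: the table from the report and a clean table.
demo_dir=$(mktemp -d)
printf '* * * * * >/tmp/x;\rno crontab for alice\n' > "$demo_dir/hidden"
printf '# m h dom mon dow command\n0 5 * * *\t/bin/true\n' > "$demo_dir/clean"

for f in hidden clean; do
    if out=$(audit_crontab "$demo_dir/$f"); then
        echo "$f: clean"
    else
        echo "$f: control characters found"
        echo "  $out"
    fi
done
rm -rf "$demo_dir"
```

Piping `crontab -l` through `cat -v` gives the same visibility for a single table when checking by hand.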