
Privilege Escalation via Cron Jobs

By Himanshu Shekhar · 10 Feb 2026

Cron jobs are scheduled tasks that run automatically at specified intervals. When misconfigured, they can provide avenues for privilege escalation through writable scripts, wildcard misuse, environment variable manipulation, and path injection.

⚠️ Educational content for defensive security awareness only.

🔐 Cron Jobs Privilege Escalation – Command Awareness

Comprehensive command reference observed during cron job security audits, investigations, and defensive monitoring. Shown for defensive awareness and security hardening purposes only.

⚠️ Command awareness only. No exploitation steps provided.

🔎 Cron Discovery & Enumeration
  • List system-wide cron jobs
    ls -la /etc/cron*
    Why used: View cron directories and files for initial assessment.
  • Check system crontab
    cat /etc/crontab
    Why used: Examine system-wide scheduled tasks and their configurations.
  • List cron directories
    ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.monthly/ /etc/cron.weekly/
    Why used: Discover all scheduled task locations.
  • Check user crontabs
    ls -la /var/spool/cron/crontabs/
    Why used: Find user-specific cron jobs (requires appropriate permissions).
  • View specific user cron
    crontab -l -u username
    Why used: Check scheduled tasks for specific users (requires privileges).
  • Find cron jobs in logs
    grep -i "cron" /var/log/syslog 2>/dev/null | tail -20
    Why used: Review recent cron executions from system logs.
💡 Regular cron job auditing is essential for maintaining system security.

📁 File Permission Analysis
  • Check writable cron scripts
    find /etc/cron* -type f -perm -o+w 2>/dev/null
    Why used: Identify world-writable cron scripts that could be modified by any user.
  • Find writable cron directories
    find /etc/cron* -type d -perm -o+w 2>/dev/null
    Why used: Discover writable cron directories where malicious scripts could be placed.
  • Check cron script ownership
    ls -l /etc/cron.d/
    Why used: Review file ownership to identify scripts running with elevated privileges.
  • Find SUID/SGID scripts in cron
    find /etc/cron* -type f -perm /6000 2>/dev/null
    Why used: Identify scripts with special privileges that run via cron.

📜 Script Content Inspection
  • Examine cron script content
    cat /etc/cron.d/backup.sh
    Why used: Review script contents for security issues like command injection or path manipulation.
  • Check for wildcard usage
    grep -rE "/\*|\*\.[A-Za-z0-9]+" /etc/cron* 2>/dev/null
    Why used: Identify shell wildcards in the command part of a job (paths such as /home/* or *.log) that could be exploited through file creation. A plain search for "*" is too noisy, because the schedule fields of almost every crontab line contain asterisks.
  • Search for relative paths
    grep -r "\./" /etc/cron* 2>/dev/null
    Why used: Find scripts using relative paths instead of absolute paths.
  • Look for environment variables
    grep -r "PATH\|HOME\|SHELL" /etc/cron* 2>/dev/null
    Why used: Identify environment variable usage that could be manipulated.

🎯 Wildcard Exploitation Awareness
🚨 Wildcards in cron commands can be dangerous when combined with writable directories.
  • Example vulnerable cron entry
    # Vulnerable: the shell expands /home/* before tar runs, so every file name
    # in /home becomes a tar argument, including names that look like options
    * * * * * root tar -zcf /backups/backup.tar.gz /home/*
    Why used: Demonstrates risky wildcard usage that could be exploited.
  • Check for tar wildcard exploits
    grep -r "tar.*\*" /etc/cron* 2>/dev/null
    Why used: Find tar commands with wildcards that could be vulnerable to argument injection.
  • Example file creation test
    touch /home/user/--checkpoint=1
    touch /home/user/--checkpoint-action=exec=shell.elf
    Why used: Shows how specially named files could trigger command execution (for defensive understanding). A quick defensive check for such names in a directory that a cron job globs is find /home -maxdepth 1 -name '-*'.
  • Secure alternative
    # Secure: archive the directory itself; no shell glob runs, so no file name
    # inside /home can reach tar as an argument
    * * * * * root /bin/tar -zcf /backups/backup.tar.gz -C /home .
    Why used: Demonstrates a safer alternative to wildcard usage. Note that find /home -maxdepth 1 -type f -exec tar -zcf ... {} + is not a safe replacement: find may invoke tar several times, each run overwriting the archive, and the file names are still passed to tar as arguments.

🛣️ PATH & Environment Manipulation
  • Check cron environment variables
    grep -A5 -B5 "PATH=" /etc/crontab
    Why used: Review PATH and other environment variables set in crontab.
  • Find scripts without absolute paths
    awk '!/^#/ && !/^[A-Za-z_]+=/ && NF >= 7 && $7 !~ /^\// { print FILENAME ": " $0 }' /etc/crontab /etc/cron.d/* 2>/dev/null
    Why used: Identify commands called without absolute paths. In the system crontab format the command starts at field 7 (five time fields plus the user), so that field is checked; piping grep -r output through grep -v "/" would discard every line, because the filename prefix grep adds already contains a slash.
  • Check for writable directories in cron PATH
    grep "^PATH=" /etc/crontab | cut -d= -f2 | tr ":" "\n" | xargs -I {} ls -ld {}
    Why used: Analyze PATH directories for writable entries.
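The three checks above (wildcards in the command field, commands without an absolute path, and writable PATH entries) combined into one small auditor, written as an added example for this post and not taken from it. It assumes the /etc/crontab layout (five time fields, user, command) and builds its own sample crontab under mktemp; the world-writable directory it creates is deliberate so the PATH check fires.

```bash
#!/bin/bash
# Added example (not from the original post): audit a file in /etc/crontab layout
# (five time fields, user, command) for three weaknesses discussed above: commands
# without an absolute path, unquoted shell globs in the command field, and
# world-writable directories on the crontab's own PATH line.

audit_crontab() {                  # usage: audit_crontab <crontab-file>; findings on stdout
    local file=$1
    ( set -f                       # globbing off: job lines full of '*' get word-split below
      while IFS= read -r line; do
          case $line in
              ''|\#*) continue ;;
              PATH=*)              # PATH set inside the crontab: test every entry
                  printf '%s\n' "${line#PATH=}" | tr ':' '\n' | while read -r d; do
                      # -L follows symlinks so a /bin -> usr/bin link is judged by its target
                      [ -n "$(find -L "$d" -maxdepth 0 -perm -o+w 2>/dev/null)" ] \
                          && printf 'WRITABLE-PATH %s\n' "$d"
                  done; continue ;;
              [A-Za-z_]*=*) continue ;;   # MAILTO=, SHELL=, ...: not a job line
          esac
          set -- $line             # split into fields (no expansion thanks to set -f)
          case $1 in @*) shift 2 ;; *) shift 6 ;; esac   # drop schedule and user
          cmd=$*
          case $cmd in /*) ;; *) printf 'RELATIVE-CMD %s\n' "$cmd" ;; esac
          # a quoted pattern such as -name "*.log" never reaches the shell, so strip quotes first
          bare=$(printf '%s' "$cmd" | sed -e "s/'[^']*'//g" -e 's/"[^"]*"//g')
          case $bare in *[*?]*) printf 'GLOB %s\n' "$cmd" ;; esac
      done < "$file"
    )
}

# Constructed sample crontab (not a real system file). The wpath directory is
# made world-writable on purpose so the PATH check has something to report.
make_sample_crontab() {
    local tmp; tmp=$(mktemp -d)
    mkdir "$tmp/wpath" && chmod 777 "$tmp/wpath"
    cat > "$tmp/crontab" <<EOF
PATH=/usr/bin:$tmp/wpath
MAILTO=root
* * * * * root tar -zcf /backups/backup.tar.gz /home/*
0 3 * * * root /usr/bin/find /home -name "*.log" -type f -mtime +30 -delete
0 2 * * * root /usr/bin/apt-get update
@reboot root cleanup.sh
EOF
    printf '%s\n' "$tmp/crontab"
}

audit_crontab "$(make_sample_crontab)"   # prints one WRITABLE-PATH, two RELATIVE-CMD, one GLOB line
```

Run it against the real file with audit_crontab /etc/crontab, or loop over /etc/cron.d/* for the fragments.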

⚡ SUID/SGID Cron Scripts
🚨 Cron scripts with SUID/SGID bits can lead to privilege escalation if compromised.
  • Find SUID binaries called by cron
    for file in $(grep -rhoE "(^|[[:space:]])/[^[:space:]]+" /etc/cron* 2>/dev/null | tr -d '[:space:]' | sort -u); do
        [ -f "$file" ] && find "$file" -maxdepth 0 -type f -perm -4000 2>/dev/null
    done
    Why used: Identify SUID binaries referenced by cron jobs. Every absolute path token on a job line is checked, not only the last one, since the binary is normally the first word of the command and the last token is usually an argument.
  • Check script permissions
    ls -l $(grep -rl "#!/bin/bash\|#!/bin/sh" /etc/cron* 2>/dev/null)
    Why used: Review permissions on shell scripts executed by cron (grep needs -r because /etc/cron* expands to directories).

🔗 File Overwrite & Symlink Attacks
  • Check for overwritable files
    grep -r ">\|>>" /etc/cron* 2>/dev/null | grep -v "#"
    Why used: Find files that cron jobs write to, which could be symlink targets.
  • Look for file creation patterns
    grep -r "touch\|echo.*>\|cat.*>" /etc/cron* 2>/dev/null
    Why used: Identify file creation operations that could be targeted.
  • Check log file permissions
    grep -rhoE ">>?[[:space:]]*/[^[:space:];]+" /etc/cron* 2>/dev/null | sed 's/^>>*[[:space:]]*//' | sort -u | xargs -r ls -l
    Why used: Review permissions on files that cron jobs redirect output into, such as log files; a target that is world-writable, or that sits in a world-writable directory, can be swapped for a symlink.

🧪 Testing & Monitoring Commands
  • Monitor cron execution
    tail -f /var/log/syslog | grep -i cron
    Why used: Real-time monitoring of cron job executions.
  • Check running processes from cron
    ps aux | grep -E "(cron|CRON)" | grep -v grep
    Why used: Identify currently running cron processes.
  • Test cron script manually
    sudo -u username /path/to/cron/script.sh
    Why used: Test cron script execution in controlled environment.
  • Check script dependencies
    ldd /path/to/cron/binary 2>/dev/null
    Why used: Review shared library dependencies of cron binaries.

🛡️ Defensive Hardening Commands
  • Set secure cron file permissions
    chmod 644 /etc/crontab
    chmod 600 /etc/cron.d/*
    # Strip group/world write everywhere but keep the execute bit: scripts in
    # cron.hourly/daily/weekly/monthly must stay executable or run-parts skips them
    find /etc/cron* -type f -exec chmod go-w {} \;
    Why used: Apply secure permissions to cron configuration files. Do not chmod 600 the script directories wholesale: a script in /etc/cron.daily that is no longer executable is silently never run.
  • Remove world-writable permissions
    find /etc/cron* -type f -perm -o+w -exec chmod o-w {} \;
    Why used: Eliminate world-writable permissions from cron files.
  • Set proper ownership
    chown root:root /etc/crontab
    chown root:root /etc/cron.d/*
    Why used: Ensure cron files are owned by root.
  • Create cron audit script
    #!/bin/bash
    echo "=== Cron Security Audit ==="
    echo "World-writable cron files:"
    find /etc/cron* -type f -perm -o+w 2>/dev/null
    printf '\nCron files not owned by root:\n'
    find /etc/cron* ! -user root -type f 2>/dev/null
    printf '\nSUID/SGID in cron directories:\n'
    find /etc/cron* -type f -perm /6000 2>/dev/null
    Why used: Script to regularly audit cron security (printf is used for the blank lines because bash's built-in echo prints "\n" literally unless given -e).

🔧 Secure Configuration Examples
  • Secure crontab PATH example
    # Secure PATH configuration
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

    # Use absolute paths for all commands
    * * * * * root /usr/bin/logger "Cron job running"
    0 2 * * * root /usr/bin/apt-get update && /usr/bin/apt-get upgrade -y
    Why used: Demonstrates secure cron configuration with absolute paths.
  • Secure wildcard usage
    # Secure: the pattern is quoted, so cron's shell never expands it;
    # find matches the names itself and never hands them to another command
    0 3 * * * root find /home -name "*.log" -type f -mtime +30 -delete

    # Secure: Explicit file listing
    0 4 * * * root /usr/bin/tar -zcf /backup/home.tar.gz /home/user1 /home/user2 /home/user3
    Why used: Shows safe alternatives to dangerous wildcard patterns.
  • Secure script execution
    # Secure: full path, fixed working directory and a clean environment
    * * * * * root /usr/bin/env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin /bin/bash -c 'cd / && /usr/local/bin/backup.sh'
    Why used: Example of secure script execution with controlled environment. cd / only fixes the working directory; env -i is what discards inherited variables and sets PATH explicitly.

📊 Monitoring & Alerting Setup
  • Monitor cron file changes
    # Using auditd
    -a always,exit -F path=/etc/crontab -F perm=wa -k cron_change
    -a always,exit -F dir=/etc/cron.d -F perm=wa -k cron_change
    Why used: Audit rules to detect modifications to cron configuration.
  • Set up cron change alerts
    #!/bin/bash
    # Monitor cron files for changes
    CRON_FILES="/etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* /etc/cron.monthly/* /etc/cron.weekly/*"
    for file in $CRON_FILES; do
        if [ -f "$file" ]; then
            # -F: match the checksum line literally rather than as a regex
            if ! grep -qF "$(md5sum "$file")" /var/log/cron_checksums.log 2>/dev/null; then
                echo "ALERT: Cron file $file has changed!" | mail -s "Cron Change Alert" admin@example.com
                md5sum "$file" >> /var/log/cron_checksums.log
            fi
        fi
    done
    Why used: Script to detect and alert on cron file modifications. The first run has no stored checksums and therefore alerts once for every file while building the baseline; a deleted cron file is not noticed, since only files that still exist are checked.
  • Log cron execution details
    # In /etc/rsyslog.d/50-cron.conf
    cron.* /var/log/cron.log
    Why used: Enhanced cron logging configuration.
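An added example (not from the original post) of the change-detection idea with an explicit baseline step, so the first run records state instead of alerting on every file, and with deleted fragments reported as well. It uses sha256sum and a constructed stand-in for /etc/crontab and /etc/cron.d under mktemp; paths containing whitespace are not handled.

```bash
#!/bin/bash
# Added example (not from the original post): baseline-and-compare change detection
# for cron configuration. A baseline is recorded explicitly, so the first run does not
# alert on every file, and deleted fragments are reported too. Sample files are
# constructed under mktemp; they stand in for /etc/crontab and /etc/cron.d.

# Record "<sha256>  <path>" for every regular file under the given paths.
cron_baseline() {                # usage: cron_baseline <baseline-file> <path>...
    local out=$1; shift
    find "$@" -type f -exec sha256sum {} + 2>/dev/null | sort -k2 > "$out"
}

# Compare the current state with the baseline. Prints NEW/CHANGED/REMOVED lines and
# returns 1 if anything differs (so it can drive mail or logger), 0 otherwise.
# Limitation: paths containing whitespace are not handled, because awk splits on it.
cron_check() {                   # usage: cron_check <baseline-file> <path>...
    local base=$1 report; shift
    report=$( { sed 's/^/B /' "$base"
                find "$@" -type f -exec sha256sum {} + 2>/dev/null | sed 's/^/N /'; } |
        awk 'NF < 3 { next }
             $1 == "B" { base[$3] = $2; next }
             { seen[$3] = 1
               if (!($3 in base))       print "NEW " $3
               else if (base[$3] != $2) print "CHANGED " $3 }
             END { for (p in base) if (!(p in seen)) print "REMOVED " p }')
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed stand-in for /etc/crontab and /etc/cron.d (sample data only).
make_sample_cron_tree() {
    local d; d=$(mktemp -d)
    mkdir "$d/cron.d"
    printf 'PATH=/usr/sbin:/usr/bin:/sbin:/bin\n' > "$d/crontab"
    printf '0 2 * * * root /usr/bin/apt-get update\n' > "$d/cron.d/apt"
    printf '0 3 * * * root /usr/local/bin/backup.sh\n' > "$d/cron.d/backup"
    printf '%s\n' "$d"
}

d=$(make_sample_cron_tree)
cron_baseline "$d/baseline" "$d/crontab" "$d/cron.d"
cron_check "$d/baseline" "$d/crontab" "$d/cron.d" && echo "no change since baseline"
# Simulate tampering: a job appended to one fragment, a new fragment dropped in, one deleted
printf '* * * * * root /tmp/.x.sh\n' >> "$d/cron.d/backup"
printf '@reboot root /tmp/.y.sh\n' > "$d/cron.d/newjob"
rm "$d/cron.d/apt"
cron_check "$d/baseline" "$d/crontab" "$d/cron.d" || echo "ALERT: cron configuration changed"
```

On a real host, run cron_baseline once after a review and schedule cron_check against /etc/crontab and the /etc/cron.* directories, keeping the baseline file somewhere an unprivileged user cannot write.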

🚨 Recovery & Incident Response
  • Check for malicious cron entries
    grep -rE "(wget|curl|bash -i|sh -i|python -c|perl -e|nc.*-e|netcat.*-e)" /etc/cron* /var/spool/cron/ 2>/dev/null
    Why used: Search for suspicious patterns indicating compromise (-r is needed because /etc/cron* and /var/spool/cron contain directories).
  • Disable all cron jobs temporarily
    systemctl stop cron        # the unit is named crond on RHEL-family systems
    pkill -9 cron
    Why used: Emergency stop of cron service during incident response.
  • Restore from backup
    cp /backup/crontab.clean /etc/crontab
    cp -r /backup/cron.d.clean/* /etc/cron.d/
    Why used: Restore clean cron configurations from backups.

🤖 Automated Security Tools
  • Use Lynis for cron auditing
    lynis audit system --tests-from-group "cron"
    Why used: Automated security audit tool with cron-specific checks.
  • Check with Tiger
    tiger -c
    Why used: Security scanner that includes cron configuration checks.
  • Custom cron auditor script
    #!/bin/bash
    # Cron security scanner (wrapper; cron_scanner.sh stands for your own audit script)
    echo "Cron Security Scan - $(date)"
    echo "================================="
    /usr/local/bin/cron_scanner.sh --check-permissions --check-wildcards --check-paths
    Why used: Example of automated cron security scanning.

✅ Key Security Rules for Cron
  • 1. Always use absolute paths
    # GOOD
    /usr/bin/logger "message"

    # BAD
    logger "message"
  • 2. Avoid dangerous wildcards
    # GOOD
    find /home -name "*.log" -exec rm {} \;

    # BAD
    rm /home/*.log
  • 3. Set secure permissions
    chmod 600 /etc/cron.d/*
    chown root:root /etc/cron.d/*
  • 4. Monitor for changes
    auditctl -w /etc/crontab -p wa -k cron_change

📋 Quick Reference Checklist
  • ✔ Audit cron files monthly
  • ✔ Remove world-writable permissions
  • ✔ Use absolute paths exclusively
  • ✔ Avoid wildcards in dangerous commands
  • ✔ Monitor cron logs regularly
  • ✔ Keep backups of clean configurations
  • ✔ Implement change detection
  • ✔ Test cron scripts in safe environment
✅ Regular audits, secure configurations, and proper monitoring prevent cron-based privilege escalation.