Privilege Escalation Via Cron

Photo by Lukas Blazek on Unsplash

If you use Unix, you should probably use “Cron”. Cron is a super useful job scheduler in Unix-based operating systems. It allows users to schedule jobs that run periodically.

Cron is usually used to automate system administration tasks. But for the individual user, you can use Cron to automate tasks like downloading emails, running malware scanners and checking websites for updates.

Today, let’s dive into how to use Cron and the security risks of a misconfigured Cron system!

How Does Cron Work?

The behavior of the Cron utility can be fully customized. You can configure the behavior of Cron by editing files called “crontabs”. Unix keeps different copies of crontabs for each user in the /var/spool/cron folder. You can edit your own user’s crontab by running:

crontab -e

You can also list the current cronjobs for your user by running:

crontab -l

There is also a system-wide crontab that administrators can use to configure system-wide jobs. By default, Cron will run as the root user when executing scripts and commands in this file. In Linux systems, the location for the system-wide crontab is /etc/crontab.

Files in /etc/cron.d are treated the same way as /etc/crontab. They are effectively “crontab snippets”. Their benefit is that they can be added or removed without modifying the central /etc/crontab file.

Crontab syntax

All crontabs follow the same syntax. Each line specifies a command to be run and the time at which it should run.

(1)(2)(3)(4)(5) <command to be executed>
(1) Minute (0 - 59)
(2) Hour (0 - 23)
(3) Day (1 - 31)
(4) Month (1 - 12)
(5) Weekday (0 - 7) (Sunday is 0 or 7, Monday is 1...)

For example, this crontab entry tells the shell to cd into the directory where I store security scripts and run the shell script every day at 9:30 pm. (The wildcard character “*” means “all”.)

30 21 * * * cd /Users/vickie/scripts/security; ./

And in system-wide crontabs, you can also specify the user to run the command as:

* * * * * <username> <command to be executed>

For example, this entry will tell Cron to run the same commands, but as the root user:

30 21 * * * root cd /Users/vickie/scripts/security; ./

Another useful thing to know is that if you wish to run a script every 5 minutes, then you should put */5 in the “minutes” field, like so:

*/5 * * * * root cd /Users/vickie/scripts/security; ./

Running scripts in batches

It is also customary to place scripts that the system-wide crontab uses in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly directories, if they should run after those intervals.

For example, the following line in the crontab tells Cron to run all scripts in the /etc/cron.hourly directory as root every hour.

01 * * * * root run-parts /etc/cron.hourly

Cron Privilege Escalation

So how does Cron become a source of vulnerabilities?

Since Cron runs as root when executing /etc/crontab, any commands or scripts that are called by the crontab will also run as root. When a script executed by Cron is editable by unprivileged users, those unprivileged users can escalate their privilege by editing this script, and waiting for it to be executed by Cron under root privileges!

For example, let’s say the following line is in /etc/crontab. Every day at 9:30 pm, Cron runs the shell script. The script is run under root privileges.

30 21 * * * root /path/to/

Now let’s say that the script is also editable by everyone, not just the root user. In this case, anyone can add commands to, and get that command executed by the root user!

This makes privilege escalation trivial. For example, attackers can grant themselves Superuser privileges by adding themselves as a Sudoer.

echo "vickie ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

Or, they can gain root access by adding a new root user to the “/etc/passwd” file. Since “0” is the UID of the root user, adding a user with the UID of “0” will give that user root privileges. This user will have the username of “vickie” and an empty password:

echo "vickie::0:0:System Administrator:/root/root:/bin/bash" >> /etc/passwd

And so on. There are many more ways to escalate a user’s privilege on a Unix-based system. By exploiting a misconfiguration in a crontab, the attacker will be able to execute any command of their choosing and gain root privileges.

What if my file permissions are secure?

Another common security hole is vulnerabilities in the scripts themselves. If a script behaves in an insecure manner and you run it as root using Cron, then that could introduce vulnerabilities too.

For example, attackers might be able to exploit a wildcard injection to escalate their privilege instead..


If your system uses Cron to automate tasks, make sure that none of the scripts that you run through crontab are editable by unprivileged users, and make sure that your Cron scripts are secure! You could accidentally leave your system wide open to privilege escalation attacks.

Vickie Li