From e83611769a7a5feeeae8e483559452d4c5688733 Mon Sep 17 00:00:00 2001
From: mzfr
Date: Sat, 10 Jan 2026 00:56:29 +0800
Subject: [PATCH 1/2] Added testbed for osv-scalibr cronjob misconfig detector

https://github.com/google/osv-scalibr/issues/1262
https://github.com/google/osv-scalibr/pull/1408
---
 cronjob-privesc/Dockerfile | 30 ++++++++++++++
 cronjob-privesc/README.md | 46 ++++++++++++++++++++++
 cronjob-privesc/configs/cron.d/misconfig | 3 ++
 cronjob-privesc/docker-compose.yml | 7 ++++
 cronjob-privesc/scripts/insecure_script.sh | 2 +
 cronjob-privesc/scripts/weak_script.sh | 2 +
 6 files changed, 90 insertions(+)
 create mode 100644 cronjob-privesc/Dockerfile
 create mode 100644 cronjob-privesc/README.md
 create mode 100644 cronjob-privesc/configs/cron.d/misconfig
 create mode 100644 cronjob-privesc/docker-compose.yml
 create mode 100644 cronjob-privesc/scripts/insecure_script.sh
 create mode 100644 cronjob-privesc/scripts/weak_script.sh

diff --git a/cronjob-privesc/Dockerfile b/cronjob-privesc/Dockerfile
new file mode 100644
index 00000000..cbe04118
--- /dev/null
+++ b/cronjob-privesc/Dockerfile
@@ -0,0 +1,30 @@
+FROM ubuntu:22.04
+
+# Install cron
+RUN apt-get update && apt-get install -y cron
+
+# Create an insecure directory for world-writable execution
+RUN mkdir -p /opt/insecure_dir && chmod 777 /opt/insecure_dir
+COPY scripts/insecure_script.sh /opt/insecure_dir/insecure_script.sh
+RUN chmod 755 /opt/insecure_dir/insecure_script.sh
+
+# Create a script with weak file permissions (world-writable)
+COPY scripts/weak_script.sh /usr/local/bin/weak_script.sh
+RUN chmod 777 /usr/local/bin/weak_script.sh
+
+# --- Injections for cronjobprivesc detector ---
+
+# 1. World-writable directory execution (root cron job)
+# Schedule insecure_script.sh to run from world-writable /opt/insecure_dir
+RUN echo "*/1 * * * * root /opt/insecure_dir/insecure_script.sh" >> /etc/crontab
+
+# 2. Relative path in cron.d (root cron job)
+COPY configs/cron.d/misconfig /etc/cron.d/misconfig
+RUN chmod 644 /etc/cron.d/misconfig
+
+# 3. Weak file permissions (world-writable script)
+# Schedule the world-writable script in /etc/crontab so it is guaranteed to be scanned
+RUN echo "*/2 * * * * root /usr/local/bin/weak_script.sh" >> /etc/crontab
+
+# Keep cron running in the foreground
+CMD cron -f
\ No newline at end of file
diff --git a/cronjob-privesc/README.md b/cronjob-privesc/README.md
new file mode 100644
index 00000000..41c3d00f
--- /dev/null
+++ b/cronjob-privesc/README.md
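Review bot: `CMD cron -f` on the last line of the hunk is the shell form, so cron is started through `/bin/sh -c`, is not PID 1 and, per the documented shell-form semantics, does not receive the SIGTERM that `docker stop` sends; `CMD ["cron", "-f"]` gives the daemon the signal directly, and the second patch's hunk, which only adds the missing trailing newline on the same line, is the natural place to carry that change. The apt line pulls in recommended packages and leaves the package lists in the layer; `RUN apt-get update && apt-get install -y --no-install-recommends cron && rm -rf /var/lib/apt/lists/*` keeps the image smaller without changing anything the detector scans. Because the 777 directory, the 777 script and the root crontab entries are the purpose of this image, a header comment such as `# Intentionally misconfigured image that exercises the osv-scalibr cronjobprivesc detector; build and run it only inside an isolated test harness` would make that purpose unmistakable to anyone who encounters the Dockerfile on its own.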
@@ -0,0 +1,46 @@
+# Cron Job Privilege Escalation Testbed
+
+This directory contains the deployment configs for a Linux environment with misconfigured cron jobs that can lead to privilege escalation. It includes:
+* Root cron jobs executing scripts in world-writable directories (`/opt/insecure_dir`).
+* Relative paths in privileged cron jobs (`/etc/cron.d/misconfig`).
+* World-writable scripts executed by root (`/usr/local/bin/weak_script.sh`).
+
+## Running the Testbed
+
+To start the vulnerable container:
+
+```bash
+docker-compose up -d --build
+```
+
+## Steps to Reproduce / Verify
+
+### 1. Verify Vulnerable Configurations Manually
+You can inspect the running container to confirm the misconfigurations exist (e.g., world-writable directories and scripts):
+
+```bash
+# Get the container ID
+CONTAINER_ID=$(docker-compose ps -q vulnerable-cron)
+
+# Check permissions of the insecure directory (should be drwxrwxrwx)
+docker exec $CONTAINER_ID ls -ld /opt/insecure_dir
+
+# Check permissions of the weak script (should be -rwxrwxrwx)
+docker exec $CONTAINER_ID ls -l /usr/local/bin/weak_script.sh
+
+# View the relative path misconfiguration
+docker exec $CONTAINER_ID cat /etc/cron.d/misconfig
+```
+
+### 2. Verify Detection with SCALIBR
+Run SCALIBR against the built image to confirm it detects the vulnerabilities:
+
+```bash
+# From the root of the osv-scalibr repository:
+./run_scalibr_on_image.sh cronjobprivesc:latest
+```
+
+The scan results (in `scalibr-result.textproto`) should contain findings matching:
+* `execution from world-writable directory`
+* `relative path`
+* `is world-writable`
diff --git a/cronjob-privesc/configs/cron.d/misconfig b/cronjob-privesc/configs/cron.d/misconfig
new file mode 100644
index 00000000..02b819a1
--- /dev/null
+++ b/cronjob-privesc/configs/cron.d/misconfig
@@ -0,0 +1,3 @@
+# cron.d/misconfig
+# This job runs as root and uses a relative path, making it vulnerable to PATH manipulation.
+*/3 * * * * root relative_script.sh
diff --git a/cronjob-privesc/docker-compose.yml b/cronjob-privesc/docker-compose.yml
new file mode 100644
index 00000000..819fdd33
--- /dev/null
+++ b/cronjob-privesc/docker-compose.yml
@@ -0,0 +1,7 @@
+version: '3.8'
+services:
+ vulnerable-cron:
+ image: cronjobprivesc:latest
+ build:
+ context: .
+ dockerfile: Dockerfile
\ No newline at end of file
diff --git a/cronjob-privesc/scripts/insecure_script.sh b/cronjob-privesc/scripts/insecure_script.sh
new file mode 100644
index 00000000..b8eb5beb
--- /dev/null
+++ b/cronjob-privesc/scripts/insecure_script.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "Hello from insecure_script.sh!"
diff --git a/cronjob-privesc/scripts/weak_script.sh b/cronjob-privesc/scripts/weak_script.sh
new file mode 100644
index 00000000..2817da11
--- /dev/null
+++ b/cronjob-privesc/scripts/weak_script.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "Hello from weak_script.sh!"

From 94f473ebd1c24274c6e117216de81243306c8268 Mon Sep 17 00:00:00 2001
From: mzfr
Date: Wed, 21 Jan 2026 14:55:24 +0800
Subject: [PATCH 2/2] Added EOF

---
 cronjob-privesc/Dockerfile | 2 +-
 cronjob-privesc/docker-compose.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cronjob-privesc/Dockerfile b/cronjob-privesc/Dockerfile
index cbe04118..6e356b42 100644
--- a/cronjob-privesc/Dockerfile
+++ b/cronjob-privesc/Dockerfile
@@ -27,4 +27,4 @@ RUN chmod 644 /etc/cron.d/misconfig
 RUN echo "*/2 * * * * root /usr/local/bin/weak_script.sh" >> /etc/crontab
 
 # Keep cron running in the foreground
-CMD cron -f
\ No newline at end of file
+CMD cron -f
diff --git a/cronjob-privesc/docker-compose.yml b/cronjob-privesc/docker-compose.yml
index 819fdd33..f3e6415a 100644
--- a/cronjob-privesc/docker-compose.yml
+++ b/cronjob-privesc/docker-compose.yml
@@ -4,4 +4,4 @@ services:
 image: cronjobprivesc:latest
 build:
 context: .
- dockerfile: Dockerfile
\ No newline at end of file
+ dockerfile: Dockerfile
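Review bot: `version: '3.8'` on the first line of docker-compose.yml is ignored by Compose V2, which prints a warning that the attribute is obsolete on every `docker compose` invocation, so the line is noise for anyone on the current CLI. The legacy `docker-compose` v1 binary that the README's commands invoke still relies on the key to select the file format, so whether to drop the line should follow whichever CLI this repository standardizes on, and the README and compose file should then agree. A one-line comment above the service, such as `# Intentionally misconfigured cron image for the osv-scalibr cronjobprivesc detector; run only in an isolated test environment`, would give the same context here that the Dockerfile should carry.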