BSidesVienna 0x7E6

Logrotten - "It's not a bug"
11-19, 11:05–11:35 (Europe/Vienna), Urania Dachsaal

Logrotate is prone to a race-condition on systems with a log directory that is in control of a low privileged user. This talk shows how easy it is to use logrotate in a dangerous way and illustrates the impact of this vulnerability. Finally the current state of logrotate will be discussed.

Logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. It also gives you a root shell.
Logrotate supports different methods for creating new files. For example the directive “copy” makes a copy of the logfile and “create” creates a new empty logfile after rotating. If someone exchanges the log directory with a symbolic link just before creating the new logfile, logrotate will put the new file into a different directory. Such a scenario can be exploited if logrotate runs as user root and a low privileged user is in control of the path to the log directory. If this user exchanges the log directory with a symbolic link at the right time, logrotate will write the new file into the linked directory. After that the permissions of the created file will be adjusted and the attacker might have write access to that file.
This talk explains the various scenarios where logrotate can be configured in dangerous ways. It will be explained which software packages that were prone to this kind of attack were found. Finally the current state of logrotate will be discussed.

See also: Slides of the logrotten presentation

Wolfgang Hotwagner is a Research-Engineer at the Cyber Security Research Team of the Austrian Institute of Technology(AIT), where he works on various topics like "Pentesting", "Log File Anomaly Detection" and "Cyberrange". He is a linux enthusiast and practices it-security in his spare time.