- config:
/etc/logrotate.conf- To exploit we need following:
- we need write permissions on the log file
- logrotate must run as a privileged user or root
- vulnerable versions: 3.8.6, 3.11.0, 3.15.0, 3.18.0
- Check
cat /var/lib/logrotate.statusto force rotate use-f - Use this exploit with payload as and check which option is used in logrotate.conf with
grep "create\|compress" /etc/logrotate.conf | grep -v "#"and run with./logrotten -p ./payload /tmp/tmp.logwhere tmp.log is a writable log file
- To exploit we need following: