

AIT-SA-20191112-01

FreeRadius: Privilege Escalation via Logrotate

Identifier: AIT-SA-20191112-01
Target: FreeRadius
Vendor: FreeRadius
Version: all versions including 3.0.19
Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
CVE: CVE-2019-10143
Accessibility: Local
Severity: Low
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

SUMMARY

VULNERABILITY DESCRIPTION

The accounting log directory /var/log/radius/radacct is owned by user “radiusd”. Because of an unsafe interaction with logrotate, that user can elevate privileges to “root”.

Log files are rotated once a day (or at whatever frequency is configured) by logrotate, which runs as root. The logrotate configuration for these files does not use the “su” directive, so logrotate keeps root privileges while it works inside the radiusd-owned directory.

Since logrotate is prone to a race condition (see https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition), user “radiusd” can replace the directory /var/log/radius/radacct/logdir with a symbolic link to an arbitrary directory, for example /etc/bash_completion.d. logrotate then writes the compressed files into /etc/bash_completion.d as root and sets their owner and group to “radiusd:radiusd”. An attacker can simply write a reverse shell into such a file. bash-completion sources every file in that directory when an interactive shell starts, so the reverse shell is executed as soon as root logs in.

PROOF OF CONCEPT

The following example illustrates how an attacker who has already gained a shell as user “radiusd” can elevate privileges to “root”. After downloading and compiling, the exploit is executed and waits for the next daily run of logrotate. If the rotation of the log file succeeds, a new file containing the reverse-shell payload is written into /etc/bash_completion.d/ with owner “radiusd”. As soon as root logs in, the reverse shell is executed and connects back to the attacker's netcat listener.

VULNERABLE VERSIONS

All versions including 3.0.19

TESTED VERSIONS

Name : freeradius
Architecture: x86_64
Version: 3.0.13
Release: 9.el7_5

IMPACT

An attacker who has already obtained a shell as user “radiusd” can elevate privileges to “root”. Because a separate exploit is needed to obtain that shell first, the severity is rated low rather than high.

MITIGATION

Add “su radiusd radiusd” to every log section in /etc/logrotate.d/radiusd (the directive syntax is “su user group”), so that logrotate switches to that user before it touches the radiusd-owned directory and can no longer be tricked into writing files as root elsewhere. Keeping SELinux in “Enforcing” mode additionally limits the directories a confined radiusd process can write to.
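Both the weak setting described under VULNERABILITY DESCRIPTION (logrotate running as root, no “su” directive, directory owned by radiusd) and the mitigation above can be checked mechanically. The following Python script is an added example, not code from this advisory or from the FreeRADIUS project: it parses a logrotate configuration, works out which directory each stanza rotates into, and flags stanzas that logrotate would process as root even though a non-root user owns that directory. The two configuration strings are constructed here and only modelled on the radacct stanza; the real /etc/logrotate.d/radiusd on a given system may differ. The directive syntax used is “su user group” (space separated), as in logrotate(8).

```python
"""Audit a logrotate config for the pattern in this advisory: logrotate
running as root inside a directory a less privileged user controls, with
no "su" directive to drop privileges.

Added example, not code from the AIT advisory or the FreeRADIUS project.
VULNERABLE_CONF is constructed and only modelled on the radacct stanza.
"""
import os
import shlex
import stat
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed weak setting: rotated as root, no "su" directive.
VULNERABLE_CONF = """\
/var/log/radius/radacct/*/detail {
    daily
    rotate 30
    missingok
    compress
    notifempty
}
"""
# The advisory's mitigation applied: same stanza plus "su radiusd radiusd".
HARDENED_CONF = VULNERABLE_CONF.replace("}", "    su radiusd radiusd\n}")

GLOB_CHARS = set("*?[")
OwnerInfo = Tuple[int, int, int]   # (uid, gid, st_mode) of a directory
Finding = Tuple[str, str, str]     # (log path, rotation directory, reason)

@dataclass
class Stanza:
    paths: List[str]
    directives: List[List[str]]  # tokenised lines, e.g. ["su", "radiusd", "radiusd"]

def parse_logrotate(text: str) -> Tuple[List[List[str]], List[Stanza]]:
    """Split a config into global directives and '<paths> { ... }' stanzas
    (usual layout only: paths on the '{' line, one directive per line)."""
    globals_: List[List[str]] = []
    stanzas: List[Stanza] = []
    current: Optional[Stanza] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            current = Stanza(paths=shlex.split(line[:-1]), directives=[])
        elif line == "}":
            if current is not None:
                stanzas.append(current)
            current = None
        else:
            (globals_ if current is None else current.directives).append(shlex.split(line))
    return globals_, stanzas

def effective_su(globals_: List[List[str]], stanza: Stanza) -> Optional[Tuple[str, str]]:
    """Last 'su user group' seen; a stanza's own su overrides the global one
    (the position of a global su relative to stanzas is ignored here)."""
    su = None
    for toks in globals_ + stanza.directives:
        if len(toks) >= 3 and toks[0] == "su":
            su = (toks[1], toks[2])
    return su

def rotation_dir(path: str) -> str:
    """Deepest ancestor of the log path without glob characters, e.g.
    /var/log/radius/radacct for /var/log/radius/radacct/*/detail."""
    fixed: List[str] = []
    for part in path.split("/")[:-1]:  # drop the file name itself
        if GLOB_CHARS & set(part):
            break
        fixed.append(part)
    return "/".join(fixed) or "/"

def stat_owner(path: str) -> Optional[OwnerInfo]:
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_gid, st.st_mode

def audit(text: str, owner_of: Callable[[str], Optional[OwnerInfo]] = stat_owner) -> List[Finding]:
    """Flag stanzas where root-privileged logrotate writes into a directory a
    non-root user controls. owner_of is injectable so the check can run
    against constructed metadata instead of the live filesystem."""
    globals_, stanzas = parse_logrotate(text)
    findings: List[Finding] = []
    for stanza in stanzas:
        su = effective_su(globals_, stanza)
        if su is not None and su[0] != "root":
            continue  # logrotate switches to that user before touching the directory
        for path in stanza.paths:
            directory = rotation_dir(path)
            info = owner_of(directory)
            if info is None:
                continue
            uid, gid, mode = info
            if uid != 0:
                reason = f"owned by uid {uid}"
            elif mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                reason = "world-writable"
            elif gid != 0 and mode & stat.S_IWGRP:
                reason = f"writable by gid {gid}"
            else:
                continue
            findings.append((path, directory, reason + ", rotated as root without su"))
    return findings
```

Against a live system, call audit() on the contents of /etc/logrotate.d/radiusd; the default stat_owner lookup then uses the real directory ownership. logrotate's own “parent directory has insecure permissions” check only refuses group- or world-writable parent directories; a directory with mode 0755 that is owned by a non-root user, which is the situation this advisory describes, passes that check, so the uid test in audit() is the one that matters here.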

REFERENCES

VENDOR CONTACT TIMELINE

Notes

This CVE is disputed because the vendor stated that there is no known remote code execution in FreeRadius that would give an attacker a shell as user “radiusd”. CVEs are assigned not only for vulnerabilities but also for exposures that let an attacker achieve a stronger impact after a successful attack. We therefore believe it is important to file this issue as a security-related bug.

ADVISORY URL

WOLFGANG HOTWAGNER

Research Engineer /
Security & Communication Technologies