CVE-2011-1548 in logrotate
Summary
by MITRE
The default configuration of logrotate on Debian GNU/Linux uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by /var/log/postgresql/.
Analysis
by VulDB Data Team • 10/21/2021
The vulnerability identified as CVE-2011-1548 represents a critical privilege escalation flaw in the default logrotate configuration on Debian GNU/Linux systems. This issue stems from the fundamental design assumption that logrotate operates in a trusted environment where it can safely process log files without considering potential malicious interference from local users. The flaw manifests when logrotate executes with root privileges to handle log files in directories that allow non-root users to write files, creating an exploitable condition that can be leveraged by attackers to gain elevated system privileges. The vulnerability specifically affects systems where logrotate processes files in directories such as /var/log/postgresql/ that permit user write access, demonstrating how seemingly innocuous configuration decisions can create significant security risks.
The technical root of this vulnerability is the absence of directory validation in logrotate's processing: it treats every directory named in its configuration as trusted. When a log directory is writable by a non-root user, that user can place a symbolic link or hard link in it, under a name that matches the configured log pattern, pointing at a file of their choosing. When logrotate then handles what it takes to be a legitimate log file, it actually operates on the linked target with root privileges, so the attacker's file-system manipulation is carried out by root. The flaw is particularly insidious because logrotate lacks support for untrusted directories: it performs no check of directory ownership or write permissions before rotating, and so has no way to detect that the entries it processes may be attacker-planted links.
The operational impact of CVE-2011-1548 extends beyond simple privilege escalation to potentially enable full system compromise by malicious local users. Attackers who can write to the affected directories can exploit this vulnerability to modify critical system files, inject malicious code into log files, or manipulate the system in ways that persist across reboots. The vulnerability is particularly dangerous because it requires minimal privileges to exploit and can be leveraged by any local user with write access to the target directories. This makes it an attractive target for attackers who may have gained initial access through other means, as it provides a reliable method for escalating privileges and maintaining persistence on the compromised system. The attack vector is particularly relevant in multi-user environments where users may have legitimate write access to various log directories but should not be able to escalate their privileges through log rotation processes.
The vulnerability aligns with CWE-276 (incorrect default permissions) and demonstrates how inadequate privilege management can create exploitable conditions in system utilities. From an ATT&CK framework perspective, it maps to privilege escalation, specifically technique T1068 (exploitation for privilege escalation), in which insecure file permissions and a privileged system utility are combined to gain elevated access. Mitigation strategies should focus on restricting write access to directories that logrotate processes, implementing proper directory validation checks within logrotate, and ensuring that system utilities do not operate with unnecessary elevated privileges when processing files in directories accessible to untrusted users. Organizations should also consider implementing proper file system permissions and access controls to prevent unauthorized modifications to log directories while maintaining legitimate log rotation functionality.
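An audit along the lines of the first mitigation above, as an added example that is not part of the VulDB analysis or of logrotate itself: it reads the log paths out of a logrotate stanza and flags every parent directory that a non-root user could write to. The config fragment, the stat values in `FAKE_TREE` and the `fake_stat` helper are constructed for the demonstration.

```python
import os
import stat

# Constructed logrotate fragment modelled on the /var/log/postgresql/ case
# named in the advisory; it is not Debian's actual config file.
SAMPLE_CONFIG = """\
/var/log/postgresql/*.log {
    weekly
    copytruncate
}
"""

# Constructed stat data (mode, uid) standing in for the live filesystem:
# hypothetical values where the log dir is root-owned but group-writable.
FAKE_TREE = {"/var/log/postgresql": (0o41775, 0)}

def fake_stat(path):
    mode, uid = FAKE_TREE[path]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))

def log_directories(config_text):
    """Parent directory of every log path in a logrotate config. Paths precede
    the '{' that opens a stanza (assumed on the same line; globs not expanded)."""
    dirs = []
    for line in config_text.splitlines():
        head = line.split("#", 1)[0]
        if "{" in head:
            for path in head.split("{", 1)[0].split():
                dirs.append(os.path.dirname(path) or "/")
    return dirs

def untrusted_reasons(st_mode, st_uid):
    """Why root-run logrotate should not trust this directory: any non-root write
    access lets a user add a link the glob picks up (the sticky bit only blocks removals)."""
    checks = [(st_uid != 0, f"owned by uid {st_uid}, not root"),
              (st_mode & stat.S_IWGRP, "group-writable"),
              (st_mode & stat.S_IWOTH, "world-writable")]
    return [why for hit, why in checks if hit]

def audit(config_text, stat_fn=os.stat):
    """Map each untrusted log directory to its reasons. stat_fn is injectable
    so this runs on the constructed data; keep the default to check a host."""
    findings = {}
    for d in sorted(set(log_directories(config_text))):
        st = stat_fn(d)
        reasons = untrusted_reasons(st.st_mode, st.st_uid)
        if reasons:
            findings[d] = reasons
    return findings
```

Directories flagged here are the same ones that logrotate 3.8.0 and later refuse to rotate unless the stanza carries a `su user group` directive, so the audit also shows where that directive is needed on an upgraded host.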