CVE-2011-1549 in logrotate

Summary

by MITRE

The default configuration of logrotate on Gentoo Linux uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by directories under /var/log/ for packages.

Analysis

by VulDB Data Team • 10/21/2021

The vulnerability described in CVE-2011-1549 represents a critical privilege escalation flaw in the logrotate utility configuration on Gentoo Linux systems. This issue stems from the default logrotate implementation that operates with root privileges while processing log files in directories where non-root users have write permissions. The fundamental technical flaw lies in logrotate's inability to properly validate or sanitize directory paths that contain untrusted user-accessible locations, creating a dangerous attack surface for local adversaries. The vulnerability specifically manifests when logrotate processes log files in directories under /var/log/ that are writable by non-root users, allowing attackers to manipulate the file system structure during the log rotation process.

The operational impact of this vulnerability extends beyond simple privilege escalation to encompass potential data manipulation and system compromise. Attackers can leverage symbolic link attacks by creating malicious symlinks in vulnerable directories, causing logrotate to write log data to arbitrary locations on the filesystem. Hard link attacks represent another dimension of exploitation where attackers can manipulate file ownership and permissions through the logrotate process. This vulnerability directly maps to CWE-276, which addresses improper privileges for a resource, and aligns with ATT&CK technique T1068, which covers local privilege escalation through improper file permissions. The attack vector specifically targets the trust model assumptions within logrotate's directory traversal logic, where the utility assumes all directories in its processing path are safe and controlled by the system administrator.

The exploitation of this vulnerability demonstrates a classic case of inadequate input validation and privilege separation in system utilities. When logrotate executes with root privileges, it processes files in potentially compromised directories without implementing proper checks for symbolic links or hard links that could redirect file operations to unauthorized locations. This flaw enables attackers to escalate privileges from regular user accounts to root access by manipulating the log rotation process itself, as the utility's default configuration does not implement proper sandboxing or directory validation mechanisms. The vulnerability affects systems where logrotate is configured to process logs in directories that are accessible for writing by non-root users, which is common in multi-user environments where package-specific log directories are created with permissive permissions. Organizations should immediately implement mitigations including restricting write access to log directories, configuring logrotate with explicit directory restrictions, and implementing monitoring for suspicious log rotation activities. The flaw underscores the importance of privilege separation principles and demonstrates how seemingly benign system utilities can become attack vectors when proper security controls are not implemented.
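The directory-ownership check that the mitigation paragraph above calls for, as an added audit example written for this entry (not code from VulDB, Gentoo or the logrotate project): it flags log paths whose parent directory a non-root user could write to, and symlinks or extra hard links sitting in such directories, which is the precondition the advisory describes. The demo tree, its modes and the symlink target are constructed.

```python
import os
import stat
import tempfile

def untrusted_dir_reasons(uid, mode):
    """Reasons a root-running logrotate should treat a directory as untrusted:
    it is owned by a non-root user, or group/others may write into it.
    `uid` and `mode` are the st_uid/st_mode fields of a stat() result."""
    reasons = []
    if uid != 0:
        reasons.append("owned by uid %d, not root" % uid)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group/world-writable (mode %o)" % stat.S_IMODE(mode))
    return reasons

def suspicious_log_reasons(mode, nlink, link_target=None):
    """Reasons a log file in an untrusted directory could redirect root's
    writes: it is a symlink, or a regular file carrying extra hard links."""
    if stat.S_ISLNK(mode):
        return ["symlink to %s" % link_target]
    if stat.S_ISREG(mode) and nlink > 1:
        return ["%d hard links" % nlink]
    return []

def audit_log_paths(paths):
    """Audit paths a logrotate config would process; return {path: [reasons]}.
    Files are only inspected when their directory is untrusted."""
    report = {}
    for p in paths:
        dst = os.lstat(os.path.dirname(p))
        reasons = untrusted_dir_reasons(dst.st_uid, dst.st_mode)
        if reasons and os.path.lexists(p):
            lst = os.lstat(p)
            target = os.readlink(p) if stat.S_ISLNK(lst.st_mode) else None
            reasons += suspicious_log_reasons(lst.st_mode, lst.st_nlink, target)
        if reasons:
            report[p] = reasons
    return report

if __name__ == "__main__":
    # Constructed demo (not a real system): a world-writable package log
    # directory holding a planted symlink, the layout the advisory describes.
    pkgdir = os.path.join(tempfile.mkdtemp(), "pkg")
    os.mkdir(pkgdir)
    os.chmod(pkgdir, 0o777)
    log = os.path.join(pkgdir, "pkg.log")
    os.symlink("/tmp/constructed-target", log)
    for path, reasons in audit_log_paths([log]).items():
        print(path, "->", "; ".join(reasons))
```

Run it as root against the paths listed in the real logrotate configuration to get a list of directories whose permissions need tightening before rotation runs there.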

Reservation

03/30/2011

Disclosure

03/30/2011

Moderation

accepted

Entry

VDB-56970

CPE

ready

EPSS

0.00365

KEV

no

Activities

very low
