CVE-2024-45339 – A Vulnerability in Default Log Writable Directories Leading to a Privileged Process Overwriting Sensitive Files

A recent vulnerability with the identifier CVE-2024-45339 has been discovered and reported in certain logging libraries, specifically when logs are written to a widely-writable directory (by default). This vulnerability can allow an unprivileged attacker to predict the log file path of a privileged process, pre-create a symbolic link to a sensitive file in its place, and cause the privileged process to follow the planted symlink, ultimately overwriting the sensitive file. In this post, we will explore the details of this exploit, the code snippet demonstrating its usage, and the links to the original references related to the vulnerability.

Exploit details

The core of this exploit revolves around the attacker's ability to predict the log file path of a privileged process. This is typically possible when a process writes logs to a widely-writable directory by default. When an attacker successfully predicts the log file path, they can then create a symbolic link within that path to the target sensitive file.

When the process with elevated privileges runs, it automatically follows the symbolic link provided by the attacker. Consequently, this causes the privileged process to overwrite the sensitive file unintentionally.

Here's an example of how the exploit works

# Attacker's terminal
$ ln -s /etc/shadow /tmp/important.log

# Privileged process
$ process_with_elevated_privileges --log /tmp/important.log

In this example, the attacker first creates a symbolic link from /tmp/important.log to /etc/shadow. When the process with elevated privileges is run, it logs information to /tmp/important.log. However, since the symbolic link links back to the sensitive /etc/shadow file, the process's log information overwrites that file.

Fix:

To fix this vulnerability, the library glog has been updated to cause the program to exit with status code 2 when it discovers that the configured log file already exists at the location. This prevents the exploitation of the vulnerability by ensuring that the process does not follow the false symbolic link and overwrite sensitive files.

Original references

1. glog's patch addressing the vulnerability
2. Details of CVE-2024-45339 on the National Vulnerability Database

In summary, CVE-2024-45339 is a significant vulnerability that can potentially lead to the accidental overwrite of sensitive files by exploiting the default behavior of widely-writable directories storing log files. This is an important reminder for both developers and system administrators to periodically review their logging configurations in an effort to prevent and address similar vulnerabilities, keeping sensitive data protected.

Timeline

Published on: 01/28/2025 02:15:28 UTC
Last modified on: 02/17/2025 11:15:08 UTC