Bugtraq mailing list archives
Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
From: pat () WOLFE net (Pat The Friendly RedNeck)
Date: Fri, 22 Sep 1995 10:43:50 -0700
On Sep 19, 4:33pm, Sten Gunterberg wrote:
(Hmm. Howcum my mailer missed the attrib? Gotta fix that or the header somehow got bolluxed - anyway)... Casper apparently sez:
> That's an error in the bug report. Since 4.1.4 was out long before the scare, the bug does exist in 4.1.4.
Not surprising - and it probably is in about everything on any platform that uses syslog(3) and lacks a bounds-checking sprintf()... I wonder about the logger(1) command - is there any bounds checking in it, or can one stomp all over the stack and cause syslogd to core... stopping any future logging? I wonder if there is any element of protection by having the sendmail daemon running only on machines that have no user accounts (all passwd entries have '*' for the passwd field, except for systems staff, of course)? All other machines having sendmail NOT running as a daemon, and the SUID bit turned off (because it doesn't do local delivery)...
> The simple facts are:
> - all sendmails are vulnerable
> - it's a syslog() problem, not really a sendmail problem.
I suspect that when the patch is out, it will be a libc patch, or at least a new module to replace one in libc, not a patch to sendmail, syslogd, or other utils... That's how I am thinking of fixing it, if the patch is not forthcoming soon... replacing the syslog.o module in libc.a and libc.so.??? (so statically linked stuff subsequently built won't be vulnerable, too)? I take it that Sun's syslog() function doesn't do anything undocumented and weird... I am understanding this bug correctly, right?
> While syslog()'s output can be limited in length by carefully specifying the format, some systems don't support more than 128 bytes of messages.
> [ ... ]
> - bug for SunOS 4 (as listed above)
> - bug for Solaris libc (as listed above)
> - bug for Solaris 2.x /usr/4lib/libc.so.?.*
>
> Casper
--
#include <std.disclaimer>   Pat Myrto (pat () Wolfe NET)   Seattle WA
A sysadmin's life is a sorry one. The only advantage he has over Emergency Room doctors is that malpractice suits are rare. On the other hand, ER doctors never have to deal with patients installing new versions of their own innards! -Michael O'Brien
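As an added example (not code from this thread, nor from any vendor's libc patch), the bounds-checked formatting a replacement syslog.o module of the kind discussed above would need: vsnprintf() into a fixed buffer instead of an unchecked sprintf(), with the 128-byte message limit quoted above assumed as the buffer size, and truncation reported and marked rather than allowed to run past the buffer.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed line limit, taken from the 128-byte message limit mentioned in the thread. */
#define LOG_LINE_MAX 128

/* Format fmt/ap into buf (size bytes). vsnprintf() never writes past the end and
 * always NUL-terminates, unlike the fixed-buffer sprintf() the advisory concerns.
 * Returns true if the whole message fit, false if it was cut off. */
static bool bounded_vformat(char *buf, size_t size, const char *fmt, va_list ap)
{
    if (size == 0) return false;
    int n = vsnprintf(buf, size, fmt, ap);
    if (n < 0) { buf[0] = '\0'; return false; }  /* encoding error: log nothing, not garbage */
    return (size_t)n < size;                      /* n >= size means output was truncated */
}

/* syslog()-style variadic wrapper. A message that does not fit is truncated and
 * marked with "..." so the loss is visible to whoever reads the log. */
static bool bounded_log_line(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    bool fit = bounded_vformat(buf, size, fmt, ap);
    va_end(ap);
    if (!fit && size >= 4) memcpy(buf + size - 4, "...", 4);  /* keeps the NUL */
    return fit;
}

/* Constructed check: a normal message fits unchanged. */
static int demo_fits(void)
{
    char line[LOG_LINE_MAX];
    bool fit = bounded_log_line(line, sizeof line, "login from %s", "alice");
    return fit && strcmp(line, "login from alice") == 0;
}

/* Constructed check: a 400-byte argument (the overlong-input case) is cut to
 * LOG_LINE_MAX-1 bytes and flagged, instead of running past the buffer. */
static int demo_truncated(void)
{
    char line[LOG_LINE_MAX], big[401];
    memset(big, 'A', 400); big[400] = '\0';
    bool fit = bounded_log_line(line, sizeof line, "login from %s", big);
    return !fit && strlen(line) == LOG_LINE_MAX - 1
        && strcmp(line + LOG_LINE_MAX - 4, "...") == 0;
}
```

The return value of bounded_log_line() is the check a caller wants: a false result means the message was cut, which is worth logging on its own rather than ignoring.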