Bugtraq mailing list archives
Re: Remotely kill Solaris syslogd
From: reynhout () QUESERA COM (Andrew Reynhout)
Date: Tue, 21 Oct 1997 12:17:38 -0400
We've run into the same issue, and Sun has known about it since April. There is a patch, 103738-04, which fixes this (and other) problems. It is **NOT** a recommended or a security patch, nor is it available from the public area of sunsolve. It clearly should be.

There are many installations where syslogd is a critical part of the security/monitoring infrastructure. There are even some where REMOTE syslogging is critical. It is a terrible choice, but many times the only one available.

I'd recommend using Paul Vixie's syslogd, or at least filtering 514/udp. It won't solve syslogd's spoofing problems, but at least messages won't disappear.

(From the README.103738-04:)
Patch-ID# 103738-04
Keywords: syslogd core lookup EUC ja 8-bit limit
Synopsis: SunOS 5.5.1: /usr/sbin/syslogd patch
Date: Oct/03/97

Xref: This patch available for x86 as patch 103739
...
Problem Description:
...
(from 103738-01)
1249320 *syslogd* syslog is dying randomly in Solaris 2.5, leaves core files.
Andrew

lb - STAFF writes:

It seems that I've stumbled upon a bug which must have been discovered but never disclosed; I find it hard to believe no one has found this. After searching the bugtraq archives and the publicly available patches from Sun I am still under the impression that this hasn't been released until now.

When Solaris syslogd receives an external message it attempts to do a DNS lookup on the source IP. Many times, if this IP doesn't match a DNS record then syslogd will crash with a Seg Fault. I have not had time to diagnose completely how dangerous this is, as I didn't feel like spending time debugging DNS packets, but at the very least it will disable logging on the target machine. It also turns out that depending on the source IP, syslogd will either Seg Fault or Bus Error, which leads me to believe this could be most harmful.

This has been tested on Solaris 2.5 and 2.5.1 for both Sparc and x86 with full patches. Solaris 2.6 Sparc does not appear to be vulnerable.

The only solution at the moment (because I know of no way to disable remote logging under Solaris) is to filter off udp port 514 whenever possible and perhaps to respawn syslogd from inittab.

If this is an old bug, well, the patch shoulda been included in Sun's recommended security patches. If not, as it says, your mileage may vary.

(Is there anyone left who isn't a security consultant?)
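The failure mode described in this thread is a remote syslog receiver that performs a reverse DNS lookup on an untrusted source address and dies when the lookup fails. The following is an added example written for this archive page, not code from either poster or from Sun: a minimal UDP syslog receiver in Python showing how that step should degrade. The reverse lookup is wrapped so a missing PTR record (or a hostile one containing control characters) falls back to logging the raw address, the PRI header is parsed defensively, and each datagram is handled inside its own exception scope so one bad packet cannot stop logging. The listening port 5514, the resolver-injection parameter and the sample datagram are assumptions made for the example.

```python
import re
import socket
from typing import Callable, Optional, Tuple

# Constructed sample datagram in BSD syslog form (<PRI>TIMESTAMP HOST MSG);
# not taken from the posts.
SAMPLE_DATAGRAM = b"<34>Oct 21 12:17:38 gateway su: 'su root' failed for lb on /dev/pts/3"

PRI_RE = re.compile(rb"^<(\d{1,3})>")
Resolver = Callable[[str], Tuple[str, list, list]]


def parse_pri(datagram: bytes) -> Tuple[Optional[int], Optional[int], bytes]:
    """Split the <PRI> header into (facility, severity, body).

    A datagram without a usable PRI is kept rather than dropped: a receiver
    that discards odd input lets a sender hide events by malforming them."""
    m = PRI_RE.match(datagram)
    if not m:
        return (None, None, datagram)
    pri = int(m.group(1))
    if pri > 191:  # facility 0..23, severity 0..7 => max 23*8+7
        return (None, None, datagram)
    return (pri >> 3, pri & 7, datagram[m.end():])


def nxdomain_resolver(ip: str) -> Tuple[str, list, list]:
    """Stand-in resolver for offline demonstration: behaves like a source
    address with no PTR record (assumption: real syslogd would call the libc
    resolver here)."""
    raise socket.herror(1, "Unknown host")


def label_source(ip: str, resolver: Resolver = socket.gethostbyaddr) -> str:
    """Hostname for the sender, or the raw IP when the reverse lookup fails.

    This is the point where the Solaris 2.5.x daemon in the thread crashed:
    a failed lookup must fall back to the address, never end the process.
    socket.herror and socket.gaierror are both subclasses of OSError."""
    try:
        hostname, _aliases, _addrs = resolver(ip)
    except (OSError, UnicodeError):
        return ip
    # Reverse DNS data is chosen by whoever controls the PTR zone; keep it to a
    # bounded, printable hostname token so it cannot inject newlines or control
    # bytes into the log file.
    safe = "".join(ch for ch in hostname if ch.isalnum() or ch in ".-_")
    return safe[:255] or ip


def format_record(datagram: bytes, src_ip: str,
                  resolver: Resolver = socket.gethostbyaddr) -> str:
    """Render one datagram as a single sanitized log line."""
    facility, severity, body = parse_pri(datagram)
    text = body.decode("ascii", errors="replace")
    text = "".join(ch if ch.isprintable() else "?" for ch in text)
    tag = f"{facility}.{severity}" if facility is not None else "unparsed"
    return f"[{tag}] from {label_source(src_ip, resolver)}: {text}"


def serve(bind: str = "127.0.0.1", port: int = 5514,
          max_packets: Optional[int] = None) -> int:
    """Receive datagrams and print records. Each packet is processed in its own
    try block so a malformed one is logged as an error instead of taking the
    receiver down. Returns the number of packets handled."""
    handled = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while max_packets is None or handled < max_packets:
            data, (src_ip, _src_port) = sock.recvfrom(8192)
            try:
                print(format_record(data, src_ip))
            except Exception as exc:  # never let one datagram stop logging
                print(f"[receiver] dropped datagram from {src_ip}: {exc!r}")
            handled += 1
    return handled


if __name__ == "__main__":
    # Offline demonstration with the stand-in resolver; no DNS or network used.
    print(format_record(SAMPLE_DATAGRAM, "10.0.0.7", nxdomain_resolver))
    print(format_record(b"garbage without a header", "10.0.0.8", nxdomain_resolver))
```

The resolver is passed in as a parameter so the no-PTR path can be exercised without a DNS server; in a real deployment the default `socket.gethostbyaddr` is used, and the filtering of the returned hostname matters just as much as the exception handling, since the PTR answer is as untrusted as the datagram itself.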
Current thread:
- Remotely kill Solaris syslogd lb - STAFF (Oct 21)
- Re: Remotely kill Solaris syslogd Andrew Reynhout (Oct 21)
- Oops: Re: Remotely kill Solaris syslogd Andrew Reynhout (Oct 21)
- Responses to syslogd killing lb (Oct 21)
- Re: Responses to syslogd killing Zack Weinberg (Oct 21)
- <Possible follow-ups>
- Re: remotely kill solaris syslogd Chris Wilson (Oct 21)
- Re: remotely kill solaris syslogd Paul Tatarsky (Oct 23)
- IRIX /var/inst/patchbase Paul Tatarsky (Oct 23)
- Re: IRIX /var/inst/patchbase Alain Renaud (Oct 25)
- KSR[T] Advisory #004: printfilter / groff / lpd KSR[T] (Oct 25)