Bugtraq mailing list archives

Re: Remotely kill Solaris syslogd


From: reynhout () QUESERA COM (Andrew Reynhout)
Date: Tue, 21 Oct 1997 12:17:38 -0400


We've run into the same issue, and Sun has known about it since April.
There is a patch, 103738-04, which fixes this (and other) problems.
It is **NOT** a recommended or a security patch, nor is it available
from the public area of sunsolve.  It clearly should be.

There are many installations where syslogd is a critical part of the
security/monitoring infrastructure.  There are even some where REMOTE
syslogging is critical.  It is a terrible choice, but many times the
only one available.  I'd recommend using Paul Vixie's syslogd, or at
least filtering 514/udp.  It won't solve syslogd's spoofing problems,
but at least messages won't disappear.

(From the README.103738-04:)
Patch-ID# 103738-04
Keywords: syslogd core lookup EUC ja 8-bit limit
Synopsis: SunOS 5.5.1: /usr/sbin/syslogd patch
Date: Oct/03/97
Xref: This patch available for x86 as patch 103739
...
Problem Description:
...
(from 103738-01)
1249320 *syslogd* syslog is dying randomly in Solaris 2.5, leaves core files.

Andrew

lb - STAFF writes:
  It seems that I've stumbled upon a bug which must have been discovered
but never disclosed, I find it hard to believe no one has found this.  After
searching the bugtraq archives and the publicly available patches from
Sun I am still under the impression that this hasn't been released until
now.

  When Solaris syslogd receives an external message it attempts to do
a DNS lookup on the source IP.  Many times, if this IP doesn't match a
DNS record then syslogd will crash with a Seg Fault.  I have not had
time to diagnose completely how dangerous this is, as I didn't feel like
spending time debugging DNS packets, but at the very least it will disable
logging on the target machine.  It also turns out that depending on the
source IP, syslogd will either Seg Fault or Bus Error which leads me
to believe this could be most harmful.

  This has been tested on Solaris 2.5 and 2.5.1 for both Sparc and x86 with
full patches.  Solaris 2.6 Sparc does not appear to be vulnerable.

  The only solution at the moment (because I know of no way to disable
remote logging under Solaris) is to filter off udp port 514 whenever
possible and perhaps to respawn syslogd from inittab.

  If this is an old bug, well the patch shoulda been included in Sun's
recommended security patches.  If not, as it says, your mileage may vary.

  (Is there anyone left who isn't a security consultant?)
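
The failure mode described in the thread is a logger that does a reverse DNS lookup on every remote sender and does not survive the lookup failing. The following is an added example, not code from either poster or from Sun: a minimal UDP syslog receiver in Python that performs the same reverse lookup but treats "no PTR record" as an ordinary outcome, tags the record with the bare IP, and never lets one datagram take the receiver down. The function names, the fake resolver and the sample datagrams are constructed for illustration.

```python
"""
Added example (not from the original Bugtraq post): a UDP syslog receiver
whose reverse lookup of the source address cannot crash the logger.
All names and sample data below are constructed for illustration.
"""
import re
import socket

# RFC 3164 style priority prefix: <PRI> where PRI = facility*8 + severity
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(data):
    """Split a datagram into (facility, severity, message).

    Returns (None, None, data) when there is no valid <PRI> prefix,
    so a malformed sender cannot trigger an exception here.
    """
    m = PRI_RE.match(data)
    if not m:
        return None, None, data
    pri = int(m.group(1))
    if pri > 191:  # largest legal value: facility 23, severity 7
        return None, None, data
    return pri >> 3, pri & 7, data[m.end():]


def resolve_source(ip, resolver=socket.gethostbyaddr):
    """Reverse-resolve a source IP.

    A failed lookup (no PTR, NXDOMAIN, timeout) is returned as
    (ip, False) instead of being allowed to propagate; this is the
    check the thread says Solaris syslogd lacked.
    """
    try:
        return resolver(ip)[0], True
    except OSError:  # socket.herror and socket.gaierror both subclass OSError
        return ip, False


def format_record(ip, data, resolver=socket.gethostbyaddr):
    """Render one datagram as a single log line, never raising for bad input."""
    facility, severity, msg = parse_pri(data)
    host, resolved = resolve_source(ip, resolver)
    text = msg.decode("ascii", errors="replace").rstrip("\r\n")
    # Unresolved senders are still logged, just marked so an operator can see it.
    origin = host if resolved else f"{ip} (no PTR)"
    if facility is None:
        return f"{origin}: [no PRI] {text}"
    return f"{origin}: [{facility}.{severity}] {text}"


def serve(bind="0.0.0.0", port=514, resolver=socket.gethostbyaddr):
    """Receive loop; one bad datagram is reported, not fatal."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (ip, _port) = sock.recvfrom(2048)
        try:
            print(format_record(ip, data, resolver))
        except Exception as exc:  # last-resort guard: keep logging alive
            print(f"{ip}: [malformed] {exc!r}")


def fake_resolver(ip):
    """Constructed stand-in for gethostbyaddr so the demo runs offline."""
    if ip == "10.0.0.5":
        return ("host5.example.test", [], [ip])
    raise OSError("Unknown host")  # what a missing PTR looks like to the caller


def demo():
    """Run the formatter over constructed datagrams; returns the lines produced."""
    samples = [
        ("10.0.0.5", b"<34>su: 'su root' failed for lb on /dev/pts/1"),
        ("192.0.2.77", b"<34>su: 'su root' failed for lb on /dev/pts/1"),
        ("192.0.2.77", b"not a syslog message at all"),
    ]
    return [format_record(ip, data, fake_resolver) for ip, data in samples]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second sample is the interesting one: the sender has no reverse record, and the receiver logs it with the raw address rather than dying. Filtering 514/udp at the border, as both posters recommend, is still the right control for the Solaris daemon itself; this receiver only shows what a lookup that cannot fail the process looks like.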
