Vulnerability Development mailing list archives
Re: Possible syslogd DoS ?
From: "Crist J. Clark" <cristjc () earthlink net>
Date: Wed, 3 Oct 2001 23:10:33 -0700
On Wed, Oct 03, 2001 at 08:09:58PM +0200, Petr Baudis wrote:
> Hello, I just recently came on a thought (thanks to Marek Jaros) of possible DoS of syslogd. It uses /dev/log for receiving log messages, which has mode 0666 on most linuxes. It should be ok, as many non-root applications should be allowed to log things etc.

[snip]

> Discussion? Something I didn't take into account? Possible solutions?

To paraphrase an old quote, syslog is basically an unauthenticated disk filling utility.

#!/bin/sh
while :; do
	logger "This is message one."
	logger "This is message two."
done

On a system with untrusted users, you may need to do some special configuration (change permissions on the log socket, make sure that filling the partitions syslog writes to is not fatal, etc.). This is a well-known vulnerability of the syslog system, but is often overlooked due to greater concerns over remote disk filling possibilities.

--
Crist J. Clark
cjclark () alum mit edu
cjclark () jhu edu
cjc () freebsd org
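
A defender-side check for the two exposures named in the reply above (who can write to the log socket, and whether the log directory shares a filesystem with one that must not fill), as an added example that is not part of the original message. The function names and the default paths `/dev/log`, `/var/log` and `/` are assumptions.

```shell
#!/bin/sh
# Added example: audit log socket permissions and log partition placement.
# Paths are parameters; the defaults below are assumptions, adjust per system.
# Usage: audit_syslog /dev/log /var/log /

# True (exit 0) if any local user can write to the given socket or file.
world_writable() {
    # Character 9 of the ls mode string is the "other write" bit.
    # -L follows symlinks, since /dev/log is a symlink on some systems.
    [ "$(ls -ldL -- "$1" 2>/dev/null | cut -c9)" = "w" ]
}

# Print "device mountpoint" for the filesystem that holds a path.
fs_of() {
    df -P -- "$1" 2>/dev/null | awk 'NR==2 {print $1, $6}'
}

# True if both paths live on the same mounted filesystem.
same_filesystem() {
    a=$(fs_of "$1"); b=$(fs_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print findings; the exit status is the number of findings (0 = clean).
audit_syslog() {
    sock=${1:-/dev/log}; logdir=${2:-/var/log}; critical=${3:-/}
    findings=0
    if world_writable "$sock"; then
        echo "WARN: $sock is world-writable: any local user can submit messages"
        findings=$((findings + 1))
    fi
    if same_filesystem "$logdir" "$critical"; then
        echo "WARN: $logdir shares a filesystem with $critical: full logs fill it too"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

A world-writable socket is the normal default, so the first warning is a prompt to decide whether untrusted local users exist on the host, not an error in itself.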