Vulnerability Development mailing list archives
RE: Possible syslogd DoS ?
From: Brian McKinney <rizzdogg () noc theworks com>
Date: Thu, 4 Oct 2001 10:44:21 -0700
I could be missing something here, but doesn't newsyslog solve this problem by rotating logs based on size, date or both? I'm not sure if newsyslog is packaged with the syslog daemon or by the OS. I know for sure it is included with Solaris 7, FreeBSD and OpenBSD. newsyslog is called by cron by default every minute on OpenBSD 2.8, so you might want to decrease the wait time depending on how fast your syslog daemon can write to the disk.

I haven't done any testing myself, but it sounds like if newsyslog can keep up before the disk is filled you shouldn't have a problem, since newsyslog will overwrite previously rotated log files. This could be really trivial to defeat, but thought it's worth a mention.

Brian

-----Original Message-----
From: Petr Baudis [mailto:pasky () pasky ji cz]
Sent: Wednesday, October 03, 2001 11:10 AM
To: vuln-dev () securityfocus com
Subject: Possible syslogd DoS ?

Hello,

I just recently came on a thought (thanks to Marek Jaros) of a possible DoS of syslogd. It uses /dev/log for receiving log messages, which has mode 0666 on most Linuxes. It should be ok, as many non-root applications should be allowed to log things etc. But imagine that you send a lot of very long messages there, different every time in order not to get stripped into kinda 'message repeated x times'. In this way, you can imho flood syslogd successfully, possibly filling the whole partition where /var/log resides, regardless of your quota settings on the machine! Then, if /var/log is not on a separate partition, the whole system can get into serious problems, and especially, further events obviously won't be logged, so you can do evil things there happily and nobody will know about it.

Discussion? Something I didn't take into account? Possible solutions?

--
Petr "Pasky" Baudis
n = ((n >> 1) & 0x55555555) | ((n << 1) & 0xaaaaaaaa);
n = ((n >> 2) & 0x33333333) | ((n << 2) & 0xcccccccc);
n = ((n >> 4) & 0x0f0f0f0f) | ((n << 4) & 0xf0f0f0f0);
n = ((n >> 8) & 0x00ff00ff) | ((n << 8) & 0xff00ff00);
n = ((n >> 16) & 0x0000ffff) | ((n << 16) & 0xffff0000);
-- C code which reverses the bits in a word.

My public PGP key is on: http://pasky.ji.cz/~pasky/pubkey.txt
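Added example, not part of the thread and not code from either poster: a detection check a log administrator could run over syslog output to spot the pattern Petr describes (a burst of long, never-identical messages from one source, which the "message repeated x times" collapsing does not reduce and which size-based rotation only limits after the fact). The sample lines and the "noisy" tag are constructed; the thresholds are assumed values.

```python
import re
from collections import defaultdict

# Classic BSD syslog line: "Mon DD HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\[\]: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

def flood_sources(lines, max_bytes_per_sec=4096, max_msgs_per_sec=50):
    """Group records by (second, tag) and return the tags whose volume in any
    one-second window exceeds either threshold. Counting bytes as well as
    message count is what catches a flood of long, distinct messages: the
    count may stay modest while the bytes written to /var/log do not."""
    per_window = defaultdict(lambda: [0, 0])  # (ts, tag) -> [msgs, bytes]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed syslog records
        key = (m["ts"], m["tag"])
        per_window[key][0] += 1
        per_window[key][1] += len(m["msg"].encode())
    offenders = {}
    for (ts, tag), (msgs, nbytes) in per_window.items():
        if msgs > max_msgs_per_sec or nbytes > max_bytes_per_sec:
            offenders.setdefault(tag, []).append((ts, msgs, nbytes))
    return offenders

# Constructed sample: one normal sshd record plus six distinct ~900-byte
# messages from a single process ("noisy", a made-up tag) in the same second.
SAMPLE = ["Oct  3 11:10:01 box sshd[812]: Accepted publickey for alice from 10.0.0.5"]
SAMPLE += [f"Oct  3 11:10:01 box noisy[4242]: {'x' * 900} seq={i}" for i in range(6)]

if __name__ == "__main__":
    for tag, windows in flood_sources(SAMPLE).items():
        for ts, msgs, nbytes in windows:
            print(f"{ts} {tag}: {msgs} msgs, {nbytes} bytes in one second")
```

Run against a real /var/log/messages, the same function points at the tag (and, with the pid kept, the process) to throttle or block at the syslog daemon before rotation has to absorb the volume.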