Bugtraq mailing list archives
Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
From: elfchief () lupine org (Jay 'Whip' Grizzard)
Date: Tue, 29 Aug 1995 17:22:44 -0700
> A quick look at the FreeBSD-current syslog.c and the latest sendmail source suggests that a) turning off mail.debug logging in /etc/syslog.conf will protect you (from this particular exploit) b) sendmail 8.6.6 and later take care not to log long strings and may be safe (from this particular exploit). Can anyone confirm or refute?
The problem with this bug is not, not, NOT a bug in syslogd -- The bug is in the syslog() system call, in the C libraries on your machine. If someone gets into your machine, it's gonna happen before syslogd gets anywhere near the data in question.

The problem is that the syslog() library call (in the C libraries, be they dynamically or statically linked) doesn't check the size of the string it's getting ready to write into a buffer, even though you can call syslog() with a string of any length. Since there's no bounds checking, you can call syslog() with a very long string, and write right off the end of the string into the stack. Since you're still running in the context of the code that called syslog() (because the C library acts just like an extension to the program), you can force arbitrary things to happen (by writing the stack in certain ways) under that UID -- In the example given by 8lgm, that UID is root, since sendmail runs as root.

Sendmail is almost certainly NOT the only vulnerable program -- Indeed, any program that a) Allows a user to manipulate input in a way that allows user input to get sent to syslog(), and b) Doesn't check the length of what it sends to syslog() is vulnerable, on systems that have a buggy syslog() call.

The solution, I think, is to fix syslog() to accept arbitrary-length strings -- Indeed, the manpage mentions no size limitation that I can see, at least not on SunOS. This is, indeed, what I plan on doing when I have some free time later tonight.

Pondering on possible vulnerable programs: Certainly the 'talkd' programs that record 'flash attempts' and whatnot, with destination usernames and whatnot... At least one version of FTP that I've seen that logs commands into syslog is probably vulnerable, versions of finger that do logging of fingerer name (I know there's at least one). I wonder if DNS is capable of sending binary data (I've never really looked)... Imagine a program (and there's LOTS of them) that uses syslog() to log the hostname of an incoming connection.... Obscure, but something to think about.

When the f*** are people gonna start bounds-checking their code? You'd think folks would pay attention to things like the '88 internet worm.. More than 5 years later, we're STILL laying down code with the exact same bug (only in different ways). Amazing. [#rant off]

-WW
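The post names two separate fixes: bound the buffer inside the library's syslog(), and have every program clamp untrusted input before it logs it. The C below is an added example written for this archive page, not code from the original thread, from 8lgm, or from any libc or sendmail release. It shows both measures side by side: a vsnprintf()-based formatter that can never run past its stack buffer and reports truncation, and a sanitizer that caps and cleans a network-supplied field (here a hostname, the case the post calls "obscure, but something to think about") before it is handed to syslog(3). The names format_bounded, sanitize_for_log, log_remote_host and the MAX_LOG_FIELD limit are this example's own assumptions.

```c
/*
 * Added example, not part of the original Bugtraq post.
 *
 *  1. format_bounded(): the libc-side fix. A syslog() that formats into a
 *     fixed-size stack buffer with vsprintf() has no idea how big that buffer
 *     is. Formatting with vsnprintf() instead can never write past the end,
 *     and the caller learns when the message was cut short.
 *
 *  2. sanitize_for_log(): the application-side fix. Anything that arrives
 *     from the network (a hostname, a finger target, an FTP command) is
 *     clamped to a fixed length and stripped of control characters before it
 *     reaches syslog(3), so the logging layer is never trusted to bound it.
 *
 * Assumed names: format_bounded, sanitize_for_log, log_remote_host and
 * MAX_LOG_FIELD are this example's own choices, not libc or sendmail API.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define MAX_LOG_FIELD 64   /* arbitrary per-field cap for untrusted strings */

/*
 * Format into a caller-supplied buffer of known size. Returns 1 if the
 * message was truncated to fit, 0 otherwise. The buffer is always
 * NUL-terminated on return (vsnprintf guarantees this for buflen > 0).
 */
int format_bounded(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    int needed;

    if (buflen == 0)
        return 1;

    va_start(ap, fmt);
    needed = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);

    /* vsnprintf reports the length the full message would have had */
    return needed < 0 || (size_t)needed >= buflen;
}

/*
 * Copy untrusted input into dst (capacity dstlen), keeping at most
 * MAX_LOG_FIELD bytes and replacing anything that is not printable ASCII
 * with '?'. Returns the number of bytes written (excluding the NUL).
 */
size_t sanitize_for_log(char *dst, size_t dstlen, const char *src)
{
    size_t i, limit;

    if (dstlen == 0)
        return 0;

    limit = dstlen - 1;
    if (limit > MAX_LOG_FIELD)
        limit = MAX_LOG_FIELD;

    for (i = 0; i < limit && src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    dst[i] = '\0';
    return i;
}

/*
 * Example caller: log the peer of an incoming connection. The hostname is
 * attacker-influenced (reverse DNS), so it is sanitized first and then
 * passed as a %s argument, never as the format string itself.
 */
void log_remote_host(const char *hostname)
{
    char clean[MAX_LOG_FIELD + 1];

    sanitize_for_log(clean, sizeof clean, hostname);
    syslog(LOG_INFO, "connection from %s", clean);
}

int main(void)
{
    char line[32];
    int cut;

    openlog("example", LOG_PID, LOG_DAEMON);
    /* constructed input: a hostname with an embedded terminal escape */
    log_remote_host("host.example.com\x1b[2J");
    closelog();

    cut = format_bounded(line, sizeof line, "%s",
                         "a message far longer than thirty-two bytes");
    printf("truncated=%d text=\"%s\"\n", cut, line);
    return 0;
}
```

The sanitizer deliberately passes the cleaned field through a fixed "%s" format rather than as the format string itself, and the length cap lives in the caller, so the program stays safe even on a system whose libc syslog() still has no bound of its own.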