Bugtraq mailing list archives

Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995


From: elfchief () lupine org (Jay 'Whip' Grizzard)
Date: Tue, 29 Aug 1995 17:22:44 -0700


A quick look at the FreeBSD-current syslog.c and the latest sendmail
source suggests that

 a) turning off mail.debug logging in /etc/syslog.conf will protect you
    (from this particular exploit)

 b) sendmail 8.6.6 and later take care not to log long strings and
    may be safe (from this particular exploit).

Can anyone confirm or refute?

The problem with this bug is not, not, NOT a bug in syslogd -- The bug
is in the syslog() system call, in the C libraries on your machine. If someone
gets into your machine, it's gonna happen before syslogd gets anywhere
near the data in question.

The problem is that the syslog() library call (in the C libraries, be
they dynamically or statically linked) doesn't check the size of the
string it's getting ready to write into a buffer, even though you can
call syslog() with a string of any length. Since there's no bounds
checking, you can call syslog() with a very long string, and write right
off the end of the string into the stack.

Since you're still running in the context of the code that called syslog()
(because the C library acts just like an extension to the program), you can
force arbitrary things to happen (by writing the stack in certain ways) under
that UID -- In the example given by 8lgm, that UID is root, since
sendmail runs as root.

Sendmail is almost certainly NOT the only vulnerable program -- Indeed,
any program that a) Allows a user to manipulate input in a way that allows
user input to get sent to syslog(), and b) Doesn't check the length of
what it sends to syslog() is vulnerable, on systems that have a buggy
syslog() call.

The solution, I think, is to fix syslog() to accept arbitrary-length
strings -- Indeed, the manpage mentions no size limitation that I can
see, at least not on SunOS. This is, indeed, what I plan on doing when
I have some free time later tonight.

Pondering on possible vulnerable programs: Certainly the 'talkd' programs
that record 'flash attempts' and whatnot, with destination usernames and
whatnot... At least one version of FTP that I've seen that logs commands
into syslog is probably vulnerable, versions of finger that do logging
of fingerer name (I know there's at least one).

I wonder if DNS is capable of sending binary data (I've never really
looked)... Imagine a program (and there's LOTS of them) that uses syslog()
to log the hostname of an incoming connection....

Obscure, but something to think about.

When the f*** are people gonna start bounds-checking their code? You'd
think folks would pay attention to things like the '88 internet worm...
More than 5 years later, we're STILL laying down code with the exact
same bug (only in different ways).

Amazing.

[#rant off]

                                                                        -WW
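The mechanism the post describes (a syslog()-style routine that formats a
caller-supplied message into a fixed-size stack buffer with no bounds check,
the fix of making the library routine bounded, and the caller-side cap the
post attributes to sendmail 8.6.6 and later), shown as an added example. This
is not code from the 8lgm advisory, from the post above, or from any vendor's
libc or sendmail; the function names, the 32-byte buffer and the "guard"
bytes standing in for the rest of the stack frame are all invented for
illustration, and the overrun is kept inside one array the program owns so it
can be inspected without crashing.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of the buffer the logging routine formats into. Tiny on purpose so
 * the overrun is easy to see; a real libc buffer is larger but is overrun
 * the same way by a sufficiently long message. (Hypothetical value.) */
#define LOG_BUF    32
/* Bytes placed after the buffer to stand in for whatever sits above it on
 * the stack (saved registers, return address). Hypothetical layout. */
#define GUARD      16
#define GUARD_FILL 0xAA

/* The unchecked pattern the post describes: vsprintf() stops at the NUL of
 * the finished string, never at the end of the destination buffer. Here the
 * LOG_BUF-byte "buffer" and the GUARD bytes "above it on the stack" are one
 * array, so the spill lands in memory we own. Returns true if any guard
 * byte was overwritten, i.e. the message ran past the end of the buffer.
 * Caller must keep the formatted message shorter than LOG_BUF + GUARD. */
static bool log_unchecked_clobbers_guard(const char *fmt, ...)
{
    char frame[LOG_BUF + GUARD];
    va_list ap;

    memset(frame, GUARD_FILL, sizeof frame);
    va_start(ap, fmt);
    vsprintf(frame, fmt, ap);          /* no length limit: the bug */
    va_end(ap);

    for (size_t i = LOG_BUF; i < sizeof frame; i++)
        if ((unsigned char)frame[i] != GUARD_FILL)
            return true;
    return false;
}

/* The library-side fix the post calls for: vsnprintf() writes at most
 * outlen bytes including the NUL and returns the length the whole message
 * would have needed, so an over-long message is truncated and reported
 * instead of being written over the stack. Returns true on truncation. */
static bool log_bounded(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int need;

    va_start(ap, fmt);
    need = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return need < 0 || (size_t)need >= outlen;
}

/* Caller-side defence of the kind the post attributes to sendmail 8.6.6 and
 * later: the daemon caps how much of an attacker-controlled field reaches
 * the logging routine at all. "%.*s" limits the field to maxfield bytes
 * however long the input is. Still goes through the bounded formatter.
 * Returns how many bytes of the untrusted field were actually logged. */
static size_t log_untrusted_field(char *out, size_t outlen, const char *label,
                                  const char *untrusted, int maxfield)
{
    size_t n = strlen(untrusted);

    log_bounded(out, outlen, "%s: %.*s", label, maxfield, untrusted);
    return n < (size_t)maxfield ? n : (size_t)maxfield;
}

int main(void)
{
    /* Constructed inputs: a harmless message and a 40-byte "username". */
    const char *ok   = "short";
    const char *evil = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char buf[LOG_BUF];

    printf("unchecked, short : guard clobbered = %d\n",
           log_unchecked_clobbers_guard("%s", ok));
    printf("unchecked, long  : guard clobbered = %d\n",
           log_unchecked_clobbers_guard("%s", evil));
    printf("bounded,   long  : truncated = %d, kept %zu bytes\n",
           log_bounded(buf, sizeof buf, "%s", evil), strlen(buf));
    printf("caller cap, long : logged %zu bytes -> \"%s\"\n",
           log_untrusted_field(buf, sizeof buf, "rcpt", evil, 8), buf);
    return 0;
}
```

The truncation flag returned by log_bounded is the check a practitioner
would want to keep: a message that would have overrun the buffer is exactly
the input worth logging (in truncated form) and alerting on, since it is what
the post's attacker has to send.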


