Re: sysklogd vulnerability (CVE-2014-3634)

[mancha <mancha1 () zoho com>]

On Fri, Oct 03, 2014 at 03:26:09PM +0400, Solar Designer wrote:
> What about the DoS impact claimed here, though? -
>
> http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/
>
>  sysklogd ~~~~~~~~ A segfault seems possible in sysklogd if a negative
>  facility value (due to integer overrun in facility parsing) is used.
>  This could be used to carry out a remote DoS.
>
> If this can be used to crash syslogd, it's "real security impact",
> even if rather limited.
>
> Have you tried triggering this condition (getting syslogd to crash)?
>
> Alexander

The potential for large negative offsets due to integer overflows was
introduced to rsyslog via their first set of patches meant to fix
CVE-2014-3634. This has since been corrected and assigned CVE-2014-3683.  

In sysklogd's case, the priority is masked by (LOG_FACMASK|LOG_PRIMASK)
which means the possible range for priorities is 0-1023 (192-1023 being
invalid). So, that overflow vector doesn't exist in sysklogd (which
never adapted rsyslog's first fix). At most you get a facility of 127
while f_pmask has size 25, ergo OOB access.

I have done enough testing that I am relatively confident no security
impact exists other than the aforementioned message-processing issues
which would apply to the would-be attacker's own message. That said,
applying the fix eliminates all doubt.  

--mancha

Attachment: _bin
Description: