Vulnerability Development mailing list archives

Re: Possible syslogd DoS ?

From: "Crist J. Clark" <cristjc () earthlink net>
Date: Wed, 3 Oct 2001 23:10:33 -0700

On Wed, Oct 03, 2001 at 08:09:58PM +0200, Petr Baudis wrote:

Hello,
  I just recently came on a thought (thanks to Marek Jaros) of possible
DoS of syslogd. It uses /dev/log for receiving log messages, which has
mode 0666 on most linuxes. It should be ok, as many non-root applications
should be allowed to log things etc.


[snip]

  Discussion? Something i didn't take into account? Possible solutions?


To paraphrase an old quote, syslog is basically an unauthenticated
disk filling utility.

  #!/bin/sh

  while :; do

    logger "This is message one."
    logger "This is message two."

  done

On a system with untrusted users, you may need to do some special
configuration (change permissions on the log socket, make sure the
filling the partitions syslog writes to are not fatal, etc.).

This is a well known vulnerability of the syslog system, but is often
overlooked due to greater concerns over remote disk filling
possibilities.
-- 
Crist J. Clark                           cjclark () alum mit edu
                                         cjclark () jhu edu
                                         cjc () freebsd org

Current thread:

Possible syslogd DoS ? Petr Baudis (Oct 03)
- Re: Possible syslogd DoS ? Crist J. Clark (Oct 04)
- Re: Possible syslogd DoS ? VeNoMouS (Oct 04)
- Re: Possible syslogd DoS ? VeNoMouS (Oct 04)
  - Re: Possible syslogd DoS ? Petr Baudis (Oct 04)
  - Re: Possible syslogd DoS ? Petr Baudis (Oct 05)
    - Re: Possible syslogd DoS ? H D Moore (Oct 05)
    - Re: Possible syslogd DoS ? Tim Walberg (Oct 05)
    - Re: Possible syslogd DoS ? Petr Baudis (Oct 05)
    - AnalogX Proxy SMTP server relay Claymore (Oct 05)
    - Re: AnalogX Proxy SMTP server relay Joe Stewart (Oct 06)
- Re: Possible syslogd DoS ? Pavel Kankovsky (Oct 04)

(Thread continues...)