RE: Possible syslogd DoS ?

[Brian McKinney <rizzdogg () noc theworks com>]

        I could be missing something here but doesn't newsyslog solve this
problem by rotating logs based on size, date or both?  I'm not sure if
newsyslog is packaged with the syslog daemon or by the OS. I know for sure
it is included with Solaris 7, FreeBSD and OpenBSD.  newsyslog is called by
cron by default every minute on OpenBSD 2.8 so you might want to decrease
the wait time depending on how fast your syslog daemon can write to the
disk.  I haven't done any testing myself but it sounds like if newsyslog can
keep up before the disk is filled you shouldn't have a problem since
newsyslog will over write previously rotated log files.  This could be
really trivial to defeat but thought its worth a mention.

Brian


-----Original Message-----
From: Petr Baudis [mailto:pasky () pasky ji cz]
Sent: Wednesday, October 03, 2001 11:10 AM
To: vuln-dev () securityfocus com
Subject: Possible syslogd DoS ?


Hello,
  I just recently came on a thought (thanks to Marek Jaros) of possible
DoS of syslogd. It uses /dev/log for receiving log messages, which has
mode 0666 on most linuxes. It should be ok, as many non-root applications
should be allowed to log things etc.
  But imagine that you will send a lot of very long messages there,
different
everytime in order not to get stripped into kinda 'message repeated x
times'.
In this way, you can imho flood syslogd successfully, possibly filling whole
partition where /var/log resides, regardless to your quota settings on
the machine!
  Then, if /var/log is not on separate partition, the whole system can get
into serious problems, and especially, further events won't be obviously
logged, so you can do evil things there happily and nobody will know about
it.
  Discussion? Something i didn't take into account? Possible solutions?

-- 

                                Petr "Pasky" Baudis
.                                                                       .
        n = ((n >>  1) & 0x55555555) | ((n <<  1) & 0xaaaaaaaa);
        n = ((n >>  2) & 0x33333333) | ((n <<  2) & 0xcccccccc);
        n = ((n >>  4) & 0x0f0f0f0f) | ((n <<  4) & 0xf0f0f0f0);
        n = ((n >>  8) & 0x00ff00ff) | ((n <<  8) & 0xff00ff00);
        n = ((n >> 16) & 0x0000ffff) | ((n << 16) & 0xffff0000);
                -- C code which reverses the bits in a word.
.                                                                       .
My public PGP key is on: http://pasky.ji.cz/~pasky/pubkey.txt
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++:++ a--- C+++ UL++++$ P+ L+++ E--- W+ N !o K- w-- !O M-
!V PS+ !PE Y+ PGP+>++ t+ 5 X(+) R++ tv- b+ DI(+) D+ G e-> h! r% y?
------END GEEK CODE BLOCK------