4603054 1999-12-20  17:20  /65 lines/ Postmaster
Recipient: Bugtraq (import) <8957>
Subject: More on Red Hat 6.1 sysklogd
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <385D1E3A.69C49DC9@roaringpenguin.com>
Date:         Sun, 19 Dec 1999 13:04:42 -0500
Reply-To: dfs@ROARINGPENGUIN.COM
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "David F. Skoll" <dfs@ROARINGPENGUIN.COM>
Organization: Roaring Penguin Software Inc.
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Red Hat has a security advisory at
http://www.redhat.com/support/errata/RHSA1999055-01.html detailing a
DoS attack against syslogd.

There is an even more compelling reason to upgrade:  After my logs
were rotated, I noticed that the background chatter of script kiddies
probing my firewall ceased.  It turns out that when syslogd is sent a
HUP signal, it closes and recreates the /dev/log socket.  If this is
a stream socket, then klogd (the daemon responsible for forwarding
kernel log messages) fails.

Basically, after your logs are rotated, all kernel log messages are
lost.  Update your syslogd now.

This is an strace of the problem:

$ strace -p 22240   # I'm tracing the "klogd" process

# A kernel log message is generated
read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118

# klogd gets a time stamp
time([945571294])        = 945571294

# klogd writes it to syslog
write(1, "<6>Dec 18 21:41:34 kernel: Packe"..., 143) = 143

# Now send syslogd a HUP signal

$ kill -1 19141

# And continue with the strace

# A kernel log message is generated
read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118

# klogd gets a time stamp
time([945571432])       = 945571432

# But the write fails and the log message is lost!
write(1, "<6>Dec 18 21:43:52 kernel: Packe"..., 143) = -1 ECONNRESET (Connection reset by peer)

The new syslogd uses a datagram socket, I think, so doesn't suffer
from this problem.

--
David F. Skoll                 | Roaring Penguin Software Inc.
http://www.roaringpenguin.com  | Linux and UNIX Specialists
(4603054) ------------------------------------------(Rewrapped)
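The stale-connection mechanism the post describes, as an added simulation that is not from the post or from sysklogd: a Unix stream socket standing in for /dev/log is closed and re-created the way syslogd does on SIGHUP, and a connected client either loses its next write (the behaviour in the strace) or, with a reconnect-on-error path, gets it through. The socket path, message text and the reconnect logic are assumptions for the demonstration.

```python
import errno, os, socket, tempfile
# Constructed simulation of the failure above, not sysklogd's code: "syslogd"
# owns a Unix stream socket standing in for /dev/log and "klogd" keeps writing
# to it across a simulated SIGHUP. strace showed ECONNRESET; newer kernels EPIPE.
STALE = {errno.EPIPE, errno.ECONNRESET, errno.ENOTCONN}

def syslogd_open(path):
    if os.path.exists(path):   # syslogd at start-up and on SIGHUP: re-create it
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    return srv

def klogd_send(sock, path, msg, reconnect):
    """klogd's write(1, ...) to syslogd. Returns (socket, delivered)."""
    try:
        sock.sendall(msg)
        return sock, True
    except OSError as e:
        if e.errno not in STALE:
            raise
        if not reconnect:          # the affected klogd: the message is lost
            return sock, False
        sock.close()               # hardened client: re-open /dev/log, retry
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.connect(path)
        sock.sendall(msg)
        return sock, True

def simulate(reconnect):
    """Return the messages syslogd actually received across one SIGHUP."""
    received = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "log")      # stand-in for /dev/log
        srv = syslogd_open(path)
        kl = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        kl.connect(path)
        conn, _ = srv.accept()
        kl, _ = klogd_send(kl, path, b"<6>kernel: forward DENY ppp0 1\n", reconnect)
        received.append(conn.recv(4096))
        conn.close(); srv.close()            # SIGHUP: syslogd closes /dev/log ...
        srv = syslogd_open(path)             # ... and creates it afresh
        kl, ok = klogd_send(kl, path, b"<6>kernel: forward DENY ppp0 2\n", reconnect)
        if ok:                               # a new connection exists only on success
            conn, _ = srv.accept()
            received.append(conn.recv(4096))
            conn.close()
        kl.close(); srv.close()
    return received
```

Running `simulate(False)` reproduces the loss (only the first message arrives); `simulate(True)` shows both messages delivered once the client re-opens the socket on error.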