5770113 2000-11-22 18:06 +0100  /71 lines/ Balazs Scheidler <bazsi@BALABIT.HU>
Imported: 2000-11-24  02:32  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: bazsi@BALABIT.HU
Recipient: Bugtraq (import) <13866>
Subject: DoS possibility in syslog-ng
------------------------------------------------------------

BalaBit security advisory
Advisory ID: BB-2000/01

Package: 		syslog-ng
Versions affected: 	versions prior to and including 1.4.8
Problem type: 		remote DoS attack
Date:			2000-11-22

1) Background

syslog-ng is a portable syslog implementation. Its highlights include
regexp based log selection, TCP transport and more. For more
information:  http://www.balabit.hu/products/syslog-ng/

2) Problem description

When syslog-ng parses log messages a variable named "left" is used to
store the remaining length of the log message. The priority part in
the message should look like this:

<6>

When the line ends without the closing '>', this "left" variable
becomes -1 due to a bug.

The remaining part of the message parsing routine checks whether any
characters are left using the condition "left != 0". Since -1 is not
0, this condition evaluates to true.

syslog-ng versions after 1.4.7 filter out \r and \n characters from
log messages and replace them with spaces to avoid cluttering
logfiles. Because of the parsing problem above, this character
replacement may access an inaccessible memory region, which causes a
segmentation fault. So sending a "<6", terminated with a newline, to
one of the input channels causes a SIGSEGV.

Prior to 1.4.7, this character replacement was not implemented, so
mounting a DoS attack is not so trivial, but it is still possible
(it's left to the reader as an exercise).

It is believed that no other exploitation is possible.
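To make the "left" underflow concrete, here is an added example (not syslog-ng's own code; the parser shape is assumed from the description above and the patch below): a minimal priority parser that can run with or without the 1.4.9 guard, followed by a bounded form of the \r/\n rewrite that cannot walk past the buffer when "left" is negative.

```c
#include <stdio.h>
#include <syslog.h>   /* LOG_USER, LOG_NOTICE */

/* Reconstruction of the 1.4.8 priority parser (assumed shape, not the
 * project's code). src/left: message bytes and their remaining count.
 * fixed: 0 = 1.4.8 behaviour, 1 = with the 1.4.9 guard on the '>' skip.
 * Returns the value of "left" once the priority field has been consumed. */
static int parse_pri(const char *src, int left, int *pri, int fixed)
{
    *pri = LOG_USER | LOG_NOTICE;           /* default when no <N> prefix */
    if (left > 0 && *src == '<') {
        int p = 0;
        src++; left--;
        while (left > 0 && *src >= '0' && *src <= '9') {
            p = p * 10 + (*src - '0');
            src++; left--;
        }
        *pri = p;
        /* 1.4.8 skips the closing '>' unconditionally; on "<6" left is
         * already 0 here, so it underflows to -1. 1.4.9 guards the skip. */
        if (!fixed || left) {
            src++; left--;
        }
    }
    return left;
}

/* The \r/\n to space rewrite introduced after 1.4.7, written with a
 * bounded loop. A "left != 0" loop never stops on left == -1 and walks
 * past the buffer; this version treats left <= 0 as an empty body.
 * Returns the number of characters replaced. */
static int sanitize(char *body, int left)
{
    int changed = 0;
    for (int i = 0; i < left; i++) {
        if (body[i] == '\r' || body[i] == '\n') {
            body[i] = ' ';
            changed++;
        }
    }
    return changed;
}

int main(void)
{
    int pri;
    char msg[] = "<6>line one\nline two";   /* constructed sample message */
    int left = parse_pri(msg, (int)sizeof msg - 1, &pri, 1);
    printf("pri=%d left=%d replaced=%d\n", pri, left,
           sanitize(msg + (sizeof msg - 1 - left), left));
    printf("\"<6\" leaves left=%d in 1.4.8, %d in 1.4.9\n",
           parse_pri("<6", 2, &pri, 0), parse_pri("<6", 2, &pri, 1));
    return 0;
}
```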

3) Impact

Sending a carefully crafted syslog packet may cause syslog-ng to exit
with a Segmentation Fault.

4) Solution

Upgrade to syslog-ng 1.4.9, which is a security-only release that
changes nothing else compared to 1.4.8, or apply this patch:

diff -urN syslog-ng-1.4.8/src/log.c syslog-ng-1.4.9/src/log.c
--- syslog-ng-1.4.8/src/log.c   Tue Oct 10 15:05:52 2000
+++ syslog-ng-1.4.9/src/log.c   Wed Nov 22 16:45:11 2000
@@ -67,8 +67,10 @@
                        left--;
                }
                lm->pri = pri;
-               src++;
-               left--;
+               if (left) {
+                       src++;
+                       left--;
+               }
        }
        else {
                lm->pri = LOG_USER | LOG_NOTICE;
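Review bot: the new "if (left)" guard stops the unconditional src++ / left-- from driving "left" to -1 when the message ends right after the priority digits, but it still accepts an unterminated priority field: for "<6" the hunk sets lm->pri = pri and carries on as if the '>' had been seen. Consider also checking that the byte being skipped really is the closing '>' (for example "if (left && *src == '>')") and otherwise handling the message the way the else branch does, assigning LOG_USER | LOG_NOTICE, so a truncated prefix is treated as plain message text rather than a valid priority. If "left" is a signed int, "if (left > 0)" is the more defensive test, since a negative value would pass "if (left)" just as -1 passed "left != 0" before.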