Date: Wed, 22 Nov 2000 18:06:29 +0100
From: Balazs Scheidler <bazsi@BALABIT.HU>
Subject: DoS possibility in syslog-ng
To: BUGTRAQ@SECURITYFOCUS.COM
BalaBit security advisory
Advisory ID: BB-2000/01
Package: syslog-ng
Versions affected: versions prior to and including 1.4.8
Problem type: remote DoS attack
Date: 2000-11-22
1) Background
syslog-ng is a portable syslog implementation. Its highlights include
regexp-based log selection, TCP transport and more. For more information:
http://www.balabit.hu/products/syslog-ng/
2) Problem description
When syslog-ng parses log messages a variable named "left" is used to store
the remaining length of the log message. The priority part in the message
should look like this:
<6>
When the line ends without the closing '>', the "left" variable becomes -1
due to a bug.
The remaining part of the message parsing routine checks whether any
characters are left using the condition left != 0. Since -1 is not 0, this
condition evaluates to true.
Syslog-ng versions after 1.4.7 filter out \r and \n characters from log
messages and replace them with spaces to avoid cluttering logfiles. Due to
a problem in the parsing of log messages, this character change may access
an inaccessible memory region. This causes a segmentation fault. So sending
a "<6", terminated with a newline, to one of the input channels causes a
SIGSEGV.
Prior to 1.4.7, this character change was not implemented, so mounting a DoS
attack is not so trivial, but is still possible. (It's left to the reader as
an exercise.)
It is believed that no other exploitation is possible.
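The length accounting described in this section, modelled as an added example (it is not syslog-ng source and not part of the original advisory). The names parse_pri, struct parse_result, has_more_weak and has_more_strict are hypothetical, and the loop shape is an assumption reconstructed from the advisory text and the patch context; the model only tracks "left" and never reads past the input.

```c
#include <stdio.h>

/* Added illustration, not syslog-ng source: a simplified model of the
 * priority parsing the advisory describes. `left`, `src` and `pri` follow
 * the advisory and patch; every other name is hypothetical. */
struct parse_result {
    int pri;   /* parsed priority, -1 when the message has no "<" prefix */
    int left;  /* bytes the parser believes remain after the priority */
};

/* patched == 0: always step over the closing '>' (behaviour up to 1.4.8).
 * patched != 0: step over it only while input remains (the 1.4.9 guard). */
static struct parse_result parse_pri(const char *src, int left, int patched)
{
    struct parse_result r = { -1, left };
    int pri = 0;

    if (left > 0 && *src == '<') {
        src++; left--;
        while (left && *src != '>') {        /* stops at '>' or end of input */
            if (*src >= '0' && *src <= '9')
                pri = pri * 10 + (*src - '0');
            src++; left--;
        }
        r.pri = pri;
        if (!patched || left) {              /* guard added by the patch */
            src++; left--;
        }
    }
    r.left = left;
    return r;
}

/* The "left != 0" test from the advisory versus a sign-safe alternative. */
static int has_more_weak(int left)   { return left != 0; }
static int has_more_strict(int left) { return left > 0; }

int main(void)
{
    const char *msg = "<6";                  /* constructed sample input */
    struct parse_result old = parse_pri(msg, 2, 0);
    struct parse_result fix = parse_pri(msg, 2, 1);

    printf("unpatched: left=%d more=%d\n", old.left, has_more_weak(old.left));
    printf("patched:   left=%d more=%d\n", fix.left, has_more_weak(fix.left));
    printf("strict check on -1: %d\n", has_more_strict(old.left));
    return 0;
}
```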
3) Impact
Sending a carefully crafted syslog packet may cause syslog-ng to exit with a
Segmentation Fault.
4) Solution
Upgrade syslog-ng to 1.4.9, which is a security upgrade and changes nothing
else compared to 1.4.8, or apply this patch:
diff -urN syslog-ng-1.4.8/src/log.c syslog-ng-1.4.9/src/log.c
--- syslog-ng-1.4.8/src/log.c Tue Oct 10 15:05:52 2000
+++ syslog-ng-1.4.9/src/log.c Wed Nov 22 16:45:11 2000
@@ -67,8 +67,10 @@
left--;
}
lm->pri = pri;
- src++;
- left--;
+ if (left) {
+ src++;
+ left--;
+ }
}
else {
lm->pri = LOG_USER | LOG_NOTICE;
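Review bot: the new guard "if (left)" around "src++; left--;" tests only for non-zero, the same form as the "left != 0" checks the advisory describes, so it would not stop a negative count if one ever reached this point; "if (left > 0)" states the intent and holds for a signed "left". The guard also does not confirm that the byte being skipped is '>', and "lm->pri = pri;" just above it is still assigned when the closing '>' is missing, so an unterminated priority field is accepted as valid. Consider falling through to the "LOG_USER | LOG_NOTICE" default in that case.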