Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

[tfs () vampire science gmu edu (Tim Scanlon)]

Various people have been sumarizing potential "other" programs
that use syslog & might be vulnerable, I'd like to point
out that there's a whole lot of programs out there that
have debug switches, addtional logging switches, & various
flavors that use syslog as part of `giving you more info'.
Not all of them are going to be stuff that is of a ready
association. Things that record function as well as malfunction
are potential avenues of exploitation too.

The problem is that the syslog facility is used diversely, and
that it's a basic system call.

On another note, most of the experimentation & checks for
explotations & such have focused on open source OS's &
of course Sun's stuff. I ran that "test" program on
my NeXT boxes and got no reaction out of it, but I havn't
seen where that was a cannonical check. I went back and
changed it to LOG_EMERG becasue the other log level is
broken on the NeXT syslogd... If I hadn't of known to
do that, well I wouldn't be sure I didn't have a problem.
That's part of the reason for exploit stuff. So everyone
can find out if they're screwed.

has anyone bothered to check IRIX, OSF, etc. etc. etc. ?

I'd like to see some sort of a robust test for the freaking
thing that wasn't platform dependent, or at least had good
assurance of adressing the problem.

Why is it that 8lgm warnings are starting to remind me of ~old~
CERT notices, and CERT notices are starting to look like
press releases done by the TV show "Hard Copy"? Probably
just my whacky perceptions... Really neither here nor there.


Tim


________________________________________________________________
tfs () vampire science gmu edu (NeXTmail, MIME)  Tim Scanlon
George Mason University     (PGP key avail.)  Public Affairs
I speak for myself, but often claim demonic possession