Re: Linux vsyslog() overflow

[dann () GREYCAT COM (Dann Lunsford)]

In <199712210343.AAA02111 () false com>, on 12/21/97
   at 12:43 AM, Solar Designer <solar () FALSE COM> said:
> The buffer overflow is in vsyslog(), by the ident string previously set
> with openlog(). It is exploitable via some versions of /bin/su (for
> example, the version that comes with Slackware 3.1), and possibly some

As far as I can tell, su has been fixed in Slackware 3.4.

> other privileged processes that use user-supplied data in ident for
> openlog() -- could even be a daemon setting the ident to something like
> "daemon: username" (I don't know of any such examples though).



> I have verified this is exploitable in libc 5.4.23 and RedHat's 5.3.12-18
> that comes with RH 4.2, but is fixed in 5.4.38. It can't be exploited via
> /bin/su on standard RedHat setup though.

> Actually, the behavior of Slackware's /bin/su is quite stupid anyway:

> sunny:/tmp$ ln -s /bin/su kernel
> sunny:/tmp$ export PATH=.:$PATH
> sunny:/tmp$ kernel
> Password:
> sunny:/tmp# tail -1 /var/log/messages
> Dec 20 23:32:33 sunny kernel: root on /dev/ttyp1

Again, can't duplicate this under Slackware 3.4.

> No real security hole here, but this shows it was a stupid thing to use
> argv[0] for openlog().

Gotta agree here.

<snip>
> Since you should fix the vulnerability regardless if it's exploitable via
> your version of /bin/su or not, here's a tiny program for checking if
> your libc is vulnerable. If this segfaults, you're vulnerable.

> --- syslog-check.c ---
<snip>

Under Slackware 3.4, libc 5.4.33, this code causes
<BUFFER OVERUN ATTEMPT>: message
to be logged to syslog.


--
Dann Lunsford      * The only thing necessary for the triumph of evil *
dann () greycat com   * is that men of good will do nothing.  --  Cicero *
Hiroshima 45 -- Chernobyl 86 -- Windows 95