Bugtraq mailing list archives
Re: Linux vsyslog() overflow
From: dann () GREYCAT COM (Dann Lunsford)
Date: Mon, 22 Dec 1997 08:59:42 -0800
In <199712210343.AAA02111 () false com>, on 12/21/97 at 12:43 AM, Solar Designer <solar () FALSE COM> said:
> The buffer overflow is in vsyslog(), by the ident string previously set with openlog(). It is exploitable via some versions of /bin/su (for example, the version that comes with Slackware 3.1), and possibly some

As far as I can tell, su has been fixed in Slackware 3.4.

> other privileged processes that use user-supplied data in ident for openlog() -- could even be a daemon setting the ident to something like "daemon: username" (I don't know of any such examples though).
>
> I have verified this is exploitable in libc 5.4.23 and RedHat's 5.3.12-18 that comes with RH 4.2, but is fixed in 5.4.38. It can't be exploited via /bin/su on standard RedHat setup though.
>
> Actually, the behavior of Slackware's /bin/su is quite stupid anyway:
>
> sunny:/tmp$ ln -s /bin/su kernel
> sunny:/tmp$ export PATH=.:$PATH
> sunny:/tmp$ kernel
> Password:
> sunny:/tmp# tail -1 /var/log/messages
> Dec 20 23:32:33 sunny kernel: root on /dev/ttyp1

Again, can't duplicate this under Slackware 3.4.

> No real security hole here, but this shows it was a stupid thing to use argv[0] for openlog().

Gotta agree here. <snip>

> Since you should fix the vulnerability regardless if it's exploitable via your version of /bin/su or not, here's a tiny program for checking if your libc is vulnerable. If this segfaults, you're vulnerable.
>
> --- syslog-check.c ---
<snip>

Under Slackware 3.4, libc 5.4.33, this code causes a <BUFFER OVERUN ATTEMPT>: message to be logged to syslog.

--
Dann Lunsford       * The only thing necessary for the triumph of evil
dann () greycat com   * is that men of good will do nothing.  -- Cicero
Hiroshima 45 -- Chernobyl 86 -- Windows 95
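Added example, not code from this thread (the syslog-check.c program referred to above was snipped and is not reconstructed here): a small C program that puts the argv[0]-as-ident pattern Solar Designer criticises next to a variant that logs under a fixed ident and only copies a bounded, sanitised form of argv[0] into the message body. The names log_naive, safe_ident and log_safe, the IDENT_MAX and CHECK_LEN limits, the "su" ident and the "/dev/ttyp1" string are assumptions for illustration. The `check` mode follows the same idea as the snipped checker (push an oversized ident through openlog()/syslog()) but is my own version of it.

```c
/* Added example (not from the thread). Contrast: trusting argv[0] as the
 * syslog ident versus a fixed ident plus a bounded copy of argv[0]. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define IDENT_MAX 32      /* assumed: longest ident-like string we will log */
#define CHECK_LEN 4096    /* assumed: well past any fixed vsyslog() line buffer */

/* The pattern criticised in the thread: argv[0] goes to openlog() as-is.
 * Whoever picks the name the program is invoked under (symlink, execve
 * with a crafted argv[0]) picks both the log tag and the string that
 * vsyslog() will later copy into its buffer. */
static void log_naive(const char *argv0, const char *tty)
{
    openlog(argv0, LOG_PID, LOG_AUTH);
    syslog(LOG_NOTICE, "root on %s", tty);
    closelog();
}

/* Bounded, sanitised basename of argv0, written into out (size outsz).
 * Returns the number of bytes written, not counting the terminator.
 * Control and non-ASCII bytes become '?' so a caller cannot embed a
 * newline and forge a second log line. Note this only stops the length
 * problem; it does not stop a caller from calling itself "kernel", so the
 * hardened logger below still uses a compile-time ident. */
size_t safe_ident(const char *argv0, char *out, size_t outsz)
{
    if (outsz == 0)
        return 0;
    const char *base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    size_t n = strlen(base);
    if (n > IDENT_MAX)
        n = IDENT_MAX;
    if (n >= outsz)
        n = outsz - 1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)base[i];
        out[i] = (c < 0x20 || c > 0x7e) ? '?' : (char)c;
    }
    out[n] = '\0';
    return n;
}

/* Hardened variant: the ident is a constant (assumed "su"), so the tag in
 * /var/log/messages is never attacker-chosen; argv[0] is still recorded,
 * but only as bounded, sanitised message text. openlog() keeps the
 * pointer it is given (glibc does not copy the ident), which is another
 * reason to hand it a string literal rather than a stack buffer. */
static void log_safe(const char *argv0, const char *tty)
{
    char invoked[IDENT_MAX + 1];
    safe_ident(argv0, invoked, sizeof invoked);
    openlog("su", LOG_PID, LOG_AUTH);
    syslog(LOG_NOTICE, "root on %s (invoked as %s)", tty, invoked);
    closelog();
}

/* Stand-alone use. "./a.out check" feeds a CHECK_LEN-byte ident through
 * openlog()/syslog(); a libc that still copies the ident unbounded will
 * crash here, while a fixed one logs a truncated line or a marker. Any
 * other invocation logs once each way with a constructed tty name so the
 * two resulting lines can be compared in the log. */
int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "check") == 0) {
        static char big[CHECK_LEN + 1];   /* static: outlives openlog() */
        memset(big, 'A', CHECK_LEN);
        big[CHECK_LEN] = '\0';
        openlog(big, LOG_PID, LOG_USER);
        syslog(LOG_NOTICE, "vsyslog ident length check");
        closelog();
        puts("no crash: this libc bounded the ident");
        return 0;
    }
    log_naive(argv[0], "/dev/ttyp1");
    log_safe(argv[0], "/dev/ttyp1");
    return 0;
}
```

To reproduce the session quoted above, build it, symlink the binary to a name like kernel and run it through PATH: the naive line in the log is tagged with whatever the symlink was called, the hardened one is always tagged su and carries the symlink name only inside the message. Run `./a.out check` on a libc you suspect; a segfault means the ident is still copied unbounded, while a libc with the fix completes and logs either a truncated line or a marker such as the one Dann reports from 5.4.33.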