Bugtraq mailing list archives
More on Red Hat 6.1 sysklogd
From: dfs () ROARINGPENGUIN COM (David F. Skoll)
Date: Sun, 19 Dec 1999 13:04:42 -0500
Red Hat has a security advisory at http://www.redhat.com/support/errata/RHSA1999055-01.html detailing a DoS attack against syslogd. There is an even more compelling reason to upgrade: After my logs were rotated, I noticed that the background chatter of script kiddies probing my firewall ceased. It turns out that when syslogd is sent a HUP signal, it closes and recreates the /dev/log socket. If this is a stream socket, then klogd (the daemon responsible for forwarding kernel log messages) fails. Basically, after your logs are rotated, all kernel log messages are lost. Update your syslogd now.

This is a strace of the problem:

    $ strace -p 22240
    # I'm tracing the "klogd" process
    # A kernel log message is generated
    read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118
    # klogd gets a time stamp
    time([945571294]) = 945571294
    # klogd writes it to syslog
    write(1, "<6>Dec 18 21:41:34 kernel: Packe"..., 143) = 143

    # Now send syslogd a HUP signal
    $ kill -1 19141

    # And continue with the strace
    # A kernel log message is generated
    read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118
    # klogd gets a time stamp
    time([945571432]) = 945571432
    # But the write fails and the log message is lost!
    write(1, "<6>Dec 18 21:43:52 kernel: Packe"..., 143) = -1 ECONNRESET (Connection reset by peer)

The new syslogd uses a datagram socket, I think, so doesn't suffer from this problem.

--
David F. Skoll | Roaring Penguin Software Inc.
http://www.roaringpenguin.com | Linux and UNIX Specialists
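The failure the strace shows, reproduced as an added example (not code from the post or from sysklogd): a klogd-style client keeps writing to a stream connection whose peer was closed on HUP and loses the message, while a client that reconnects on EPIPE/ECONNRESET does not. It assumes a Unix host with AF_UNIX sockets, uses a temporary path in place of /dev/log, and the log lines are constructed.

```python
import os, socket, tempfile

def open_log_socket(path):
    # What a stream-socket syslogd does at start-up and again after SIGHUP.
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path); srv.listen(4)
    return srv

def connect_log_socket(path):
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(path)
    return s

class LogClient:
    # klogd-style writer: connect once, keep writing to that connection.  With
    # reconnect=True a dead peer (EPIPE/ECONNRESET) triggers a reconnect instead.
    def __init__(self, path, reconnect):
        self.path, self.reconnect, self.lost = path, reconnect, 0
        self.sock = connect_log_socket(path)
    def log(self, msg):
        try:
            self.sock.sendall(msg)
            return True
        except ConnectionError:        # peer closed its end of /dev/log
            if not self.reconnect:
                self.lost += 1         # old klogd behaviour: message is gone
                return False
            self.sock.close(); self.sock = connect_log_socket(self.path)
            self.sock.sendall(msg)
            return True

def simulate_hup(reconnect):
    # One message, a simulated HUP (socket closed and recreated), one more.
    # Returns (data the recreated socket received, messages the client lost).
    path = os.path.join(tempfile.mkdtemp(), "log")   # stand-in for /dev/log
    srv = open_log_socket(path)
    client = LogClient(path, reconnect)
    client.log(b"<6>kernel: Packet log: forward DENY ppp0 (before HUP)\n")
    srv.accept()[0].close()            # syslogd on SIGHUP: close /dev/log ...
    srv.close(); os.unlink(path)
    srv = open_log_socket(path)        # ... and recreate it
    client.log(b"<6>kernel: Packet log: forward DENY ppp0 (after HUP)\n")
    srv.settimeout(0.5)
    try:
        conn, _ = srv.accept()
        received = [conn.recv(4096)]; conn.close()
    except socket.timeout:             # nothing arrived: the message was lost
        received = []
    srv.close(); os.unlink(path)
    return received, client.lost
```

The reconnect-on-error path is one mitigation on the client side; the datagram /dev/log the post mentions sidesteps the stale connection altogether.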