Bugtraq mailing list archives

syslog-ng buffer overflow


From: Holtzl Peter <holtzl.peter () balabit hu>
Date: Thu, 10 Oct 2002 14:44:00 +0200

----------------------------------------------------------------------------
PACKAGE           : syslog-ng
VERSION           : -1.4.15 (stable) and -1.5.20 (development)
SUMMARY           : buffer overflow
TYPE              : remote exploit
VULNERABLE        : exploitable (not in default configuration)
ZORP-OS SPECIFIC  : No
ZSA-AUTHOR        : Balazs Scheidler <balazs.scheidler () balabit com>
ZSA-ID            : ZSA-2002-014
DATE              : 2002-10-03 15:00
----------------------------------------------------------------------------

BACKGROUND:

  Syslog-NG is a portable syslog implementation. Its highlights include 
  regexp based log selection, TCP transport and more.
  For more information: http://www.balabit.hu/en/downloads/syslog-ng/

  Zorp OS is a Debian GNU/Linux based operating system hardened for running 
  Zorp Professional modular application level firewall suite. Its core
  framework allows the administrator to finetune proxy decisions (with its
  built-in script language), and fully analyze complex protocols including
  SSL embedded protocols.
  For more information: http://www.balabit.hu/en/products/ZorpPro/

DESCRIPTION:

  To make it easier to specify message destinations, syslog-ng supports
  macros in destination filenames as the following log snippet shows:

  destination d_messages_by_host {
        file("/var/log/$HOST/messages");
  };

  The same syntax is used when specifying the contents of destination files:

  destination d_special_messages {
        file("/var/log/messages" template("$ISODATE $HOST $MSG\n"));
  };

  The problem lies in the way macro expansion handles constant characters
  (i.e. everything other than macro references). As syslog-ng expands macros
  it uses a buffer and a variable called 'left', which holds the number of
  characters still available in that buffer. When a constant character is
  appended, this variable is not decremented, so the bounds checking performed
  while expanding macros is incorrect.
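  To make the accounting concrete, here is an added example (not syslog-ng's
  own code) of a small template expander that decrements 'left' for constant
  characters as well as for macro output, and a guard-byte check showing that a
  template heavy in constant characters is truncated rather than overflowing
  the buffer. The macro names follow the advisory; the values, out_buf and the
  guard layout are constructed for the demonstration.

```c
#include <string.h>
/* Added example, not syslog-ng's own code: a template expander whose 'left'
 * counter is decremented for constant characters as well as macro output.
 * Macro names follow the advisory; values and out_buf are constructed. */
typedef struct { const char *name; const char *value; } macro_t;
static const macro_t sample_macros[] = {
    { "ISODATE", "2002-10-03T15:00:00" }, { "HOST", "fw1" }, { "MSG", "link down" }
};
#define NMACROS (sizeof sample_macros / sizeof sample_macros[0])
static char out_buf[64];               /* scratch output buffer for callers */
/* Expand tmpl into out[outsz]. Returns bytes written (without the NUL), or -1
 * if the output had to be truncated. out is always NUL-terminated. */
static int expand_template(const char *tmpl, const macro_t *m, size_t nm,
                           char *out, size_t outsz)
{
    char *p = out; int truncated = 0;
    size_t left = outsz - 1;           /* one byte reserved for the terminator */
    while (*tmpl != '\0') {
        size_t j;
        if (*tmpl == '$') {
            for (j = 0; j < nm; j++) {
                size_t nlen = strlen(m[j].name);
                if (strncmp(tmpl + 1, m[j].name, nlen) == 0) {
                    size_t vlen = strlen(m[j].value);
                    if (vlen > left) { vlen = left; truncated = 1; }
                    memcpy(p, m[j].value, vlen);
                    p += vlen; left -= vlen; tmpl += 1 + nlen;
                    break;
                }
            }
            if (j < nm) continue;      /* macro handled; an unknown '$' is literal */
        }
        if (left == 0) { truncated = 1; break; }   /* bounds check for constants */
        *p++ = *tmpl++;
        left--;                        /* the decrement the vulnerable code lacked */
    }
    *p = '\0';
    return truncated ? -1 : (int)(p - out);
}
/* Guard bytes after a 16-byte buffer must survive a constant-heavy template;
 * returns 1 when they do and the output was truncated and NUL-terminated. */
static int guard_intact_after_expand(void)
{
    struct { char buf[16]; unsigned char guard[8]; } s;
    memset(s.guard, 0xAA, sizeof s.guard);
    int n = expand_template("[$ISODATE] host=$HOST msg=$MSG\n",
                            sample_macros, NMACROS, s.buf, sizeof s.buf);
    for (size_t k = 0; k < sizeof s.guard; k++)
        if (s.guard[k] != 0xAA) return 0;
    return n == -1 && strlen(s.buf) == sizeof s.buf - 1;
}
```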

IMPACT:

  If templated filenames or templated output is used, it is possible to
  overflow a buffer. The number of bytes exceeding the allocated buffer
  depends on the exact template being used.

  It is believed that this overflow can be exploited, given enough constant
  characters are present in the template string.

SOLUTION:

  Upgrade syslog-ng to 1.5.21 (devel) or 1.4.16 (stable) or apply the
  following patch:

diff -u -r1.52 -r1.53
--- affile.c    21 Aug 2002 14:03:50 -0000      1.52
+++ affile.c    27 Sep 2002 09:11:33 -0000      1.53
@@ -859,7 +859,7 @@
                { "SOURCEIP", M_SOURCE_IP }
        };
        char format[cfg->log_msg_size + 1], *format_ptr = format;
-       int left = sizeof(format);
+       int left = sizeof(format) - 1;
        int i, j;

        i = 0;
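Review bot: the `- 1` in `int left = sizeof(format) - 1;` is needed because the final `*format_ptr = 0;` must have a byte of its own; with `left = sizeof(format)` the expansion could legitimately fill all `cfg->log_msg_size + 1` bytes and the terminator would then land one past the end of `format`. A one-line comment stating that `left` counts the bytes available excluding the terminator would keep that invariant visible to the next person editing this function.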
@@ -888,6 +888,7 @@
                        *format_ptr = template->data[i];
                        format_ptr++;
                        i++;
+                       left--;
                }
        }
        *format_ptr = 0;
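Review bot: the added `left--;` corrects the accounting after a constant character is copied, but nothing in this hunk shows `left` being tested before `*format_ptr = template->data[i];`; the write is only safe if the enclosing loop, outside the visible context, refuses to append when `left` has reached zero. Please confirm that guard exists, or add `if (left <= 0) break;` ahead of the copy, since otherwise a template with more constant characters than the buffer holds still writes past the end before the decrement is reached.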

REFERENCES:
  
  1. http://www.balabit.hu/static/zsa/ZSA-2002-014-en.txt
  2. http://www.balabit.hu/en/downloads/syslog-ng/
  3. http://www.balabit.hu/en/products/ZorpPro/


Höltzl Péter

BalaBit IT Kft          | Tel:   +36  1 371-0540 | GnuPG Fingerprint:
holtzl.peter () balabit hu | Mobil: +36 20 366-9667 | DB30 5E5B 8777 C06F 5A1F
http://www.balabit.hu/  | Fax:   +36  1 208-0875 | 4586 CEAF 9678 4A89 CFD6
