File: dos-2000-11-22.txt

syslog-ng 2.0.0-1etch1

BalaBit security advisory
Advisory ID: BB-2000/01

Package: 		syslog-ng
Versions affected: 	versions prior to and including 1.4.8
Problem type: 		remote DoS attack
Date:			2000-11-22

1) Background

syslog-ng is a portable syslog implementation. Its highlights include regexp
based log selection, TCP transport and more. For more information: 
http://www.balabit.hu/products/syslog-ng/

2) Problem description

When syslog-ng parses log messages a variable named "left" is used to store
the remaining length of the log message. The priority part in the message
should look like this:

<6>

When the line ends without the closing '>', this "left" variable becomes -1
due to a bug.

The remaining part of the message parsing routine checks whether there are
any characters left using the condition left != 0. Since -1 is not 0, this
condition evaluates to true.

Syslog-ng versions after 1.4.7 filter out \r and \n characters from log
messages and replace them with spaces to avoid cluttering logfiles. Due to
the problem in the parsing of log messages described above, this character
replacement may access an inaccessible memory region, which causes a
segmentation fault. So sending a "<6" terminated with a newline to one of
the input channels causes a SIGSEGV.

Prior to 1.4.7, this character replacement was not implemented, so mounting
a DoS attack is not so trivial, but is still possible. (It's left to the
reader as an exercise.)

It is believed that no other exploitation is possible.
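
The length bookkeeping described above, as an added example (not syslog-ng
source and not part of the original advisory). The parser shape, the function
names left_after_pri and tail_steps, and the cap parameter are assumptions
made for illustration; no memory outside the input is touched.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the "<pri>" header parser (assumed shape, not the
 * syslog-ng source). Returns "left" after the header.
 * guarded = 0 models 1.4.8, guarded = 1 models the check added in 1.4.9. */
static int left_after_pri(const char *msg, int guarded)
{
    int left = (int)strlen(msg);
    int i = 0, pri = 0;
    if (left > 0 && msg[i] == '<') {
        i++; left--;
        while (left && msg[i] != '>') {       /* stops at '>' or end of input */
            if (isdigit((unsigned char)msg[i]))
                pri = pri * 10 + (msg[i] - '0');
            i++; left--;
        }
        if (!guarded || left) {               /* 1.4.8 skipped '>' unconditionally */
            i++; left--;
        }
    }
    (void)pri;                                /* priority value is not the point here */
    return left;
}

/* Counts how many bytes a tail loop would visit for a given "left".
 * strict = 0 uses the advisory's "left != 0" test, strict = 1 uses "left > 0".
 * No memory is touched; cap stands in for the end of mapped memory. */
static int tail_steps(int left, int strict, int cap)
{
    int n = 0;
    while ((strict ? left > 0 : left != 0) && n < cap) {
        left--; n++;
    }
    return n;
}

int main(void)
{
    const char *samples[] = { "<6>hello", "<6" };   /* constructed inputs */
    for (int s = 0; s < 2; s++) {
        int old = left_after_pri(samples[s], 0);
        int fix = left_after_pri(samples[s], 1);
        printf("%-10s 1.4.8 left=%d (steps %d)  1.4.9 left=%d (steps %d)\n",
               samples[s], old, tail_steps(old, 0, 1000), fix, tail_steps(fix, 0, 1000));
    }
    return 0;
}
```

With left at -1, a loop bounded by "left != 0" only moves further from zero,
so it stops at the cap rather than at the end of the message.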

3) Impact

Sending a carefully crafted syslog packet may cause syslog-ng to exit with a
Segmentation Fault.

4) Solution

Upgrade syslog-ng to 1.4.9, which is a security upgrade and changes nothing
else compared to 1.4.8, or apply this patch:

diff -urN syslog-ng-1.4.8/src/log.c syslog-ng-1.4.9/src/log.c
--- syslog-ng-1.4.8/src/log.c   Tue Oct 10 15:05:52 2000
+++ syslog-ng-1.4.9/src/log.c   Wed Nov 22 16:45:11 2000
@@ -67,8 +67,10 @@
                        left--;
                }
                lm->pri = pri;
-               src++;
-               left--;
+               if (left) {
+                       src++;
+                       left--;
+               }
        }
        else {
                lm->pri = LOG_USER | LOG_NOTICE;
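
Review bot: the new guard "if (left)" around "src++; left--;" tests for nonzero rather than positive. If "left" is signed, as the -1 in the advisory implies, "if (left > 0)" states the intent and also stops the step should "left" ever arrive here already negative. Separately, "lm->pri = pri;" stays unconditional above the guard, so a header that ran out of input before a closing '>' is still accepted with the partially parsed priority; consider using the default from the else branch (LOG_USER | LOG_NOTICE) in that case, or add a comment saying the truncated header is accepted on purpose.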