FW: [bugtraq] syslog-ng buffer overflow
Baszi,

Have you (or your group) been notified about this? How valid is the solution given? Will this issue be addressed in the next 1.5 release?

Thanks,

Nicholas Berry
Systems Engineer
RagingWire Telecommunications, Inc.
nberry@ragingwire.com

-----Original Message-----
From: Holtzl Peter [mailto:holtzl.peter@balabit.hu]
Sent: Thursday, October 10, 2002 5:44 AM
To: bugtraq@securityfocus.com
Subject: syslog-ng buffer overflow

----------------------------------------------------------------------------
PACKAGE          : syslog-ng
VERSION          : -1.4.15 (stable) and -1.5.20 (development)
SUMMARY          : buffer overflow
TYPE             : remote exploit
VULNERABLE       : exploitable (not in default configuration)
ZORP-OS SPECIFIC : No
ZSA-AUTHOR       : Balazs Scheidler <balazs.scheidler@balabit.com>
ZSA-ID           : ZSA-2002-014
DATE             : 2002-10-03 15:00
----------------------------------------------------------------------------

BACKGROUND:

Syslog-NG is a portable syslog implementation. Its highlights include regexp-based log selection, TCP transport and more. For more information: http://www.balabit.hu/en/downloads/syslog-ng/

Zorp OS is a Debian GNU/Linux based operating system hardened for running the Zorp Professional modular application-level firewall suite. Its core framework allows the administrator to fine-tune proxy decisions (with its built-in script language), and fully analyze complex protocols including SSL-embedded protocols. For more information: http://www.balabit.hu/en/products/ZorpPro/

DESCRIPTION:

To make it easier to specify message destinations, syslog-ng supports macros in destination filenames as the following log snippet shows:

destination d_messages_by_host { file("/var/log/$HOST/messages"); };

The same syntax is used when specifying the contents of destination files:

destination d_special_messages { file("/var/log/messages" template("$ISODATE $HOST $MSG\n")); };

The problem lies in the way macro expansion handles constant characters (i.e. everything other than macro references). As syslog-ng expands macros it uses a buffer and a variable called 'left', which contains the number of characters available in the buffer. When a constant character is appended, this variable is not decremented, thus when expanding macros incorrect bounds checking is performed.
IMPACT:

If templated filenames or templated output is used, it is possible to overflow a buffer. The number of bytes exceeding the allocated buffer depends on the exact template being used.

It is believed that this overflow can be exploited, given enough constant characters are present in the template string.

SOLUTION:

Upgrade syslog-ng to 1.5.21 (devel) or 1.4.16 (stable) or apply the following patch:

diff -u -r1.52 -r1.53 --- affile.c 21 Aug 2002 14:03:50 -0000 1.52 +++ affile.c 27 Sep 2002 09:11:33 -0000 1.53 @@ -859,7 +859,7 @@ { "SOURCEIP", M_SOURCE_IP } }; char format[cfg->log_msg_size + 1], *format_ptr = format; - int left = sizeof(format); + int left = sizeof(format) - 1; int i, j; i = 0; @@ -888,6 +888,7 @@ *format_ptr = template->data[i]; format_ptr++; i++; + left--; } } *format_ptr = 0;

REFERENCES:

1. http://www.balabit.hu/static/zsa/ZSA-2002-014-en.txt
2. http://www.balabit.hu/en/downloads/syslog-ng/
3. http://www.balabit.hu/en/products/ZorpPro/

Höltzl Péter
BalaBit IT Kft | Tel: +36 1 371-0540 | GnuPG Fingerprint:
holtzl.peter@balabit.hu | Mobil: +36 20 366-9667 | DB30 5E5B 8777 C06F 5A1F
http://www.balabit.hu/ | Fax: +36 1 208-0875 | 4586 CEAF 9678 4A89 CFD6
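Review bot: the `- 1` in `int left = sizeof(format) - 1;` is there only to reserve the slot that the final `*format_ptr = 0;` writes, and nothing in the hunk says so; a one-line comment beside the declaration would stop the next reader from reverting it as an off-by-one in the other direction. Since the array is declared `char format[cfg->log_msg_size + 1]`, initialising `left` from `cfg->log_msg_size` would state the intent directly rather than deriving it from `sizeof` of a variable-length array.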
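Review bot: the added `left--;` in the constant-character branch is not paired with a check that `left` is still positive before `*format_ptr = template->data[i];` stores the byte, at least within the lines shown; unless the enclosing loop header tests `left > 0`, a template with more constant characters than remaining space drives `left` negative, and the macro branch's bounds comparison against `left` would then be comparing against a negative `int`. Suggest `if (left <= 0) break;` ahead of the store, or a comment confirming that the loop condition already guarantees it, so that every byte written has both a decrement and a check.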
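The 'left' accounting described in the DESCRIPTION section above, as an added C model written for this page: it is not syslog-ng's code. The macro table, the macro values, the buffer sizes and the `left == 0` loop guard are constructed for the demonstration; the only difference between the two code paths is the two lines the advisory's patch changes, so the effect of each hunk can be measured on the advisory's own template rather than inferred.

```c
/* Added example, not syslog-ng code: a small model of template expansion
 * with the 'left' accounting the advisory describes.  Macro names, values,
 * buffer sizes and the loop guard are constructed for the demonstration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for syslog-ng's macro table. */
static const char *lookup_macro(const char *name, size_t len)
{
    if (len == 7 && strncmp(name, "ISODATE", len) == 0)
        return "2002-10-03T15:00:00+02:00";             /* 25 bytes, constructed */
    if (len == 4 && strncmp(name, "HOST", len) == 0)
        return "web01";                                 /*  5 bytes, constructed */
    if (len == 3 && strncmp(name, "MSG", len) == 0)
        return "connection from 10.0.0.5 accepted";     /* 33 bytes, constructed */
    return "";                                          /* unknown macro: empty */
}

/* Store one output byte at position pos, but only if it fits while leaving
 * one slot for the terminator.  Positions past that are still counted by
 * the caller, so the model reports an overflow without performing one. */
static void put_byte(char *out, size_t out_size, size_t pos, char ch)
{
    if (pos + 1 < out_size)
        out[pos] = ch;
}

/* Expand tmpl into out (capacity out_size, always NUL-terminated).
 * fixed == 0 models the 1.4.15 / 1.5.20 accounting: left starts at the whole
 * buffer size and constant characters do not decrement it.
 * fixed != 0 models the patched accounting: left starts at out_size - 1 and
 * every constant character decrements it.
 * Returns the number of bytes the algorithm tried to write, terminator
 * included; a result above out_size is what the real code would have
 * written past the end of its buffer. */
size_t expand_template(const char *tmpl, char *out, size_t out_size, int fixed)
{
    size_t left = fixed ? out_size - 1 : out_size;
    size_t pos = 0;
    size_t i = 0, n = strlen(tmpl);

    while (i < n) {
        if (left == 0)            /* this model's guard; both paths share it */
            break;
        if (tmpl[i] == '$') {
            /* Macro reference: collect the identifier, look it up, copy it. */
            size_t start = ++i;
            while (i < n && ((tmpl[i] >= 'A' && tmpl[i] <= 'Z') || tmpl[i] == '_'))
                i++;
            const char *val = lookup_macro(tmpl + start, i - start);
            size_t vlen = strlen(val);
            if (vlen > left)      /* the only bounds check: always against left */
                vlen = left;
            for (size_t k = 0; k < vlen; k++)
                put_byte(out, out_size, pos++, val[k]);
            left -= vlen;
        } else {
            /* Constant character: the unpatched path never charges it to left,
             * so left overstates the free space for every macro that follows. */
            put_byte(out, out_size, pos++, tmpl[i]);
            i++;
            if (fixed)
                left--;
        }
    }
    out[pos + 1 <= out_size ? pos : out_size - 1] = '\0';
    return pos + 1;
}

/* Bytes the unpatched accounting would have written past a buffer of
 * out_size for the given template (0 when everything fits). */
size_t template_excess(const char *tmpl, size_t out_size)
{
    char scratch[256];
    if (out_size > sizeof scratch)
        out_size = sizeof scratch;
    size_t wanted = expand_template(tmpl, scratch, out_size, 0);
    return wanted > out_size ? wanted - out_size : 0;
}

int main(void)
{
    const char *tmpl = "$ISODATE $HOST $MSG\n";   /* the template from the advisory */
    char buf[64];                                 /* constructed buffer size */
    size_t unpatched = expand_template(tmpl, buf, sizeof buf, 0);
    size_t patched   = expand_template(tmpl, buf, sizeof buf, 1);

    printf("capacity %zu: unpatched accounting wants %zu bytes (excess %zu), patched writes %zu\n",
           sizeof buf, unpatched, template_excess(tmpl, sizeof buf), patched);
    printf("patched output: %s\n", buf);
    return 0;
}
```

With the constructed values, the advisory's template against a 64-byte buffer makes the unpatched path attempt 67 bytes (three too many) while the patched path stops at exactly 64; a template that is a single macro overshoots by one byte, which is the terminator slot the first hunk's `- 1` reserves; and a template whose expansion fits produces no excess on either path, which is why the advisory says the overflow depends on the template and on there being enough constant characters in it.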
Baszi announced it here already:

http://lists.balabit.hu/pipermail/syslog-ng/2002-September/003877.html

On Thu, Oct 10, 2002 at 01:47:10PM -0700, Nicholas Berry wrote:
> Baszi, Have you (or your group) been notified about this? How valid is the solution given? Will this issue be addressed in the next 1.5 release?
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

--
"If a trainstation is where the train stops, what's a workstation...?" -Anon.