[syslog-ng]FW: [bugtraq] syslog-ng buffer overflow
Nicholas Berry
nberry@ragingwire.com
Thu, 10 Oct 2002 13:47:10 -0700
Baszi,
Have you (or your group) been notified about this? How valid is the
solution given? Will this issue be addressed in the next 1.5 release?
Thanks,
Nicholas Berry
Systems Engineer
RagingWire Telecommunications, Inc.
nberry@ragingwire.com
-----Original Message-----
From: Holtzl Peter [mailto:holtzl.peter@balabit.hu]
Sent: Thursday, October 10, 2002 5:44 AM
To: bugtraq@securityfocus.com
Subject: syslog-ng buffer overflow
----------------------------------------------------------------------------
PACKAGE : syslog-ng
VERSION : -1.4.15 (stable) and -1.5.20 (development)
SUMMARY : buffer overflow
TYPE : remote exploit
VULNERABLE : exploitable (not in default configuration)
ZORP-OS SPECIFIC : No
ZSA-AUTHOR : Balazs Scheidler <balazs.scheidler@balabit.com>
ZSA-ID : ZSA-2002-014
DATE : 2002-10-03 15:00
----------------------------------------------------------------------------
BACKGROUND:
Syslog-NG is a portable syslog implementation. Its highlights include
regexp based log selection, TCP transport and more.
For more information: http://www.balabit.hu/en/downloads/syslog-ng/
Zorp OS is a Debian GNU/Linux based operating system hardened for running
Zorp Professional modular application level firewall suite. Its core
framework allows the administrator to finetune proxy decisions (with its
built-in script language), and fully analyze complex protocols including
SSL embedded protocols.
For more information: http://www.balabit.hu/en/products/ZorpPro/
DESCRIPTION:
To make it easier to specify message destinations, syslog-ng supports
macros in destination filenames as the following log snippet shows:
destination d_messages_by_host {
file("/var/log/$HOST/messages");
};
The same syntax is used when specifying the contents of destination files:
destination d_special_messages {
file("/var/log/messages" template("$ISODATE $HOST $MSG\n"));
};
The problem lies in the way macro expansion handles constant characters
(i.e. everything other than macro references). As syslog-ng expands macros
it uses a buffer, and a variable called 'left', which contains the number of
characters available in the buffer. When a constant character is appended,
this variable is not decremented, thus when expanding macros incorrect
bounds checking is performed.
IMPACT:
If templated filenames or templated output is used, it is possible to
overflow a buffer. The number of bytes exceeding the allocated buffer
depends on the exact template being used.
It is believed that this overflow can be exploited, given enough constant
characters are present in the template string.
SOLUTION:
Upgrade syslog-ng to 1.5.21 (devel) or 1.4.16 (stable) or apply the
following patch:
diff -u -r1.52 -r1.53
--- affile.c 21 Aug 2002 14:03:50 -0000 1.52
+++ affile.c 27 Sep 2002 09:11:33 -0000 1.53
@@ -859,7 +859,7 @@
{ "SOURCEIP", M_SOURCE_IP }
};
char format[cfg->log_msg_size + 1], *format_ptr =3D format;
- int left =3D sizeof(format);
+ int left =3D sizeof(format) - 1;
int i, j;
i =3D 0;
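Review bot: The new initial value `left = sizeof(format) - 1` is the right one given the unconditional `*format_ptr = 0;` written after the loop, because the old value `sizeof(format)` counted the terminator byte as writable; it would help future readers to state that convention in a comment on the declaration (`left` = bytes available excluding the NUL). Also note that `left` is an `int` receiving a `size_t`; since `format` is sized from `cfg->log_msg_size + 1`, the subtraction cannot underflow here, but a `size_t` with an explicit `> 0` check would make the intent clearer.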
@@ -888,6 +888,7 @@
*format_ptr =3D template->data[i];
format_ptr++;
i++;
+ left--;
}
}
*format_ptr =3D 0;
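Review bot: The added `left--;` corrects the accounting for the constant-character path, but within the visible lines nothing checks `left > 0` before `*format_ptr = template->data[i];`, so please confirm that the enclosing loop condition (outside this hunk) consults `left` on this path as well; otherwise a template with more constant characters than `left` still writes past `format` and merely drives `left` negative. A regression test that expands a template made of only constant characters, longer than `cfg->log_msg_size`, into a buffer with guard bytes after it would pin this down.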
REFERENCES:
1. http://www.balabit.hu/static/zsa/ZSA-2002-014-en.txt
2. http://www.balabit.hu/en/downloads/syslog-ng/
3. http://www.balabit.hu/en/products/ZorpPro/
Höltzl Péter
BalaBit IT Kft | Tel: +36 1 371-0540 | GnuPG Fingerprint:
holtzl.peter@balabit.hu | Mobil: +36 20 366-9667 | DB30 5E5B 8777 C06F 5A1F
http://www.balabit.hu/ | Fax: +36 1 208-0875 | 4586 CEAF 9678 4A89 CFD6
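The accounting error the advisory describes is easy to see in a small model of the expander. The program below is an added illustration, not syslog-ng's own affile.c code: it uses a constructed macro table ($HOST and $MSG with made-up values), a constructed template, and a deliberately small 16-byte output buffer backed by guard bytes so the over-run can be measured rather than merely suffered. The `fix_accounting` flag switches between the unpatched behaviour (constant characters copied without decrementing `left`) and the patched one (the `left--` the diff adds). The spill measured in the unpatched mode equals the number of constant characters in the template, which is the dependence on the template that the IMPACT section states.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size the expander believes its output buffer has (constructed for this demo). */
#define FORMAT_SIZE 16
/* Guard bytes placed after the nominal buffer so an over-run can be measured
   without undefined behaviour; large enough for every template used below. */
#define GUARD_SIZE 64
#define GUARD_BYTE 0xAA

typedef struct {
    const char *name;   /* macro name as written after '$' in a template */
    const char *value;  /* expansion for this message */
} macro_t;

/* Constructed macro values standing in for syslog-ng's $HOST and $MSG. */
static const macro_t MACROS[] = {
    { "HOST", "web01" },
    { "MSG",  "constructed message body" },
};
#define NMACROS (sizeof(MACROS) / sizeof(MACROS[0]))

/* Constructed template: 10 constant characters plus two macro references. */
static const char *const DEMO_TEMPLATE = "host=$HOST msg=$MSG";

/*
 * Expand `tpl` into `out` (capacity `format_size`). `left` tracks the bytes
 * still available, as the advisory describes. With fix_accounting == 0 the
 * constant-character path does not decrement `left` (the defect); with
 * fix_accounting == 1 it does. Returns the number of characters placed in
 * `out`, excluding the terminating NUL. Hypothetical code, not the project's.
 */
static size_t expand_template(const char *tpl, char *out, size_t format_size,
                              int fix_accounting)
{
    char *ptr = out;
    int left = (int)format_size - 1;   /* one byte reserved for the NUL */
    size_t i = 0;

    while (tpl[i] != '\0') {
        if (tpl[i] == '$') {
            /* Look for the longest macro name following the '$'. */
            const char *value = NULL;
            size_t name_len = 0;
            for (size_t m = 0; m < NMACROS; m++) {
                size_t n = strlen(MACROS[m].name);
                if (strncmp(tpl + i + 1, MACROS[m].name, n) == 0 && n > name_len) {
                    value = MACROS[m].value;
                    name_len = n;
                }
            }
            if (value != NULL) {
                /* Macro path: bounded by `left`, which is only correct when
                   the constant-character path has been decrementing it. */
                size_t avail = left > 0 ? (size_t)left : 0;
                size_t vlen = strlen(value);
                size_t n = vlen < avail ? vlen : avail;
                memcpy(ptr, value, n);
                ptr += n;
                left -= (int)n;
                i += 1 + name_len;
                continue;
            }
        }
        /* Constant-character path (assumed to check `left` too): a stale
           `left` lets the later macro copy run past the buffer. */
        if (left > 0) {
            *ptr++ = tpl[i];
            if (fix_accounting)
                left--;            /* the single line the patch adds */
        }
        i++;
    }
    *ptr = '\0';
    return (size_t)(ptr - out);
}

/* Run the expander against a FORMAT_SIZE buffer backed by guard bytes and
   report how many bytes landed beyond the nominal buffer. */
static size_t measure_overrun(const char *tpl, int fix_accounting)
{
    unsigned char backing[FORMAT_SIZE + GUARD_SIZE];
    size_t spilled = 0;

    memset(backing, GUARD_BYTE, sizeof(backing));
    expand_template(tpl, (char *)backing, FORMAT_SIZE, fix_accounting);
    for (size_t k = FORMAT_SIZE; k < sizeof(backing); k++)
        if (backing[k] != GUARD_BYTE)
            spilled++;
    return spilled;
}

int main(void)
{
    char big[64];
    expand_template(DEMO_TEMPLATE, big, sizeof(big), 1);
    printf("full expansion              : \"%s\"\n", big);
    printf("bytes past buffer, unpatched: %zu\n", measure_overrun(DEMO_TEMPLATE, 0));
    printf("bytes past buffer, patched  : %zu\n", measure_overrun(DEMO_TEMPLATE, 1));
    return 0;
}
```

With the 16-byte buffer the unpatched expander spills 10 bytes, one per constant character, because `left` still reports those 10 bytes as free when `$MSG` is copied; the patched expander truncates the expansion to "host=web01 msg=" and touches no guard byte. The guard-byte harness is the shape of regression test worth keeping alongside any fix of this kind.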