[syslog-ng] FW: [bugtraq] syslog-ng buffer overflow
Nate Campi
nate@campin.net
Thu, 10 Oct 2002 13:51:53 -0700
Baszi announced it here already:
http://lists.balabit.hu/pipermail/syslog-ng/2002-September/003877.html
On Thu, Oct 10, 2002 at 01:47:10PM -0700, Nicholas Berry wrote:
> Baszi,
> Have you (or your group) been notified about this? How valid is the solution given? Will this issue be addressed in the next 1.5 release?
>
> Thanks,
>
> Nicholas Berry
> Systems Engineer
> RagingWire Telecommunications, Inc.
> nberry@ragingwire.com
>
>
>
> -----Original Message-----
> From: Holtzl Peter [mailto:holtzl.peter@balabit.hu]
> Sent: Thursday, October 10, 2002 5:44 AM
> To: bugtraq@securityfocus.com
> Subject: syslog-ng buffer overflow
>
>
> ----------------------------------------------------------------------------
> PACKAGE          : syslog-ng
> VERSION          : -1.4.15 (stable) and -1.5.20 (development)
> SUMMARY          : buffer overflow
> TYPE             : remote exploit
> VULNERABLE       : exploitable (not in default configuration)
> ZORP-OS SPECIFIC : No
> ZSA-AUTHOR       : Balazs Scheidler <balazs.scheidler@balabit.com>
> ZSA-ID           : ZSA-2002-014
> DATE             : 2002-10-03 15:00
> ----------------------------------------------------------------------------
>
> BACKGROUND:
>
> Syslog-NG is a portable syslog implementation. Its highlights include
> regexp based log selection, TCP transport and more.
> For more information: http://www.balabit.hu/en/downloads/syslog-ng/
>
> Zorp OS is a Debian GNU/Linux based operating system hardened for running
> Zorp Professional modular application level firewall suite. Its core
> framework allows the administrator to finetune proxy decisions (with its
> built-in script language), and fully analyze complex protocols including
> SSL embedded protocols.
> For more information: http://www.balabit.hu/en/products/ZorpPro/
>
> DESCRIPTION:
>
> To make it easier to specify message destinations, syslog-ng supports
> macros in destination filenames as the following log snippet shows:
>
> destination d_messages_by_host {
>     file("/var/log/$HOST/messages");
> };
>
> The same syntax is used when specifying the contents of destination files:
>
> destination d_special_messages {
>     file("/var/log/messages" template("$ISODATE $HOST $MSG\n"));
> };
>
> The problem lies in the way macro expansion handles constant characters
> (i.e. everything other than macro references). As syslog-ng expands macros
> it uses a buffer, and a variable called 'left', which contains the number of
> characters available in the buffer. When a constant character is appended,
> this variable is not decremented, thus when expanding macros incorrect
> bounds checking is performed.
>
> IMPACT:
>
> If templated filenames or templated output is used, it is possible to
> overflow a buffer. The number of bytes exceeding the allocated buffer
> depends on the exact template being used.
>
> It is believed that this overflow can be exploited, given enough constant
> characters are present in the template string.
>
> SOLUTION:
>
> Upgrade syslog-ng to 1.5.21 (devel) or 1.4.16 (stable) or apply the
> following patch:
>
> diff -u -r1.52 -r1.53
> --- affile.c 21 Aug 2002 14:03:50 -0000 1.52
> +++ affile.c 27 Sep 2002 09:11:33 -0000 1.53
> @@ -859,7 +859,7 @@
> { "SOURCEIP", M_SOURCE_IP }
> };
> char format[cfg->log_msg_size + 1], *format_ptr = format;
> - int left = sizeof(format);
> + int left = sizeof(format) - 1;
> int i, j;
>
> i = 0;
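Review bot: `left` on the changed line is a signed `int` initialised from `sizeof(format)`, and nothing in the hunk says why one byte is now held back. A one-line comment that the `- 1` reserves room for the terminating NUL would make the invariant checkable. Since `format[cfg->log_msg_size + 1]` is a stack array sized directly from configuration, it is also worth confirming that `log_msg_size` is range-checked where it is parsed.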
> @@ -888,6 +888,7 @@
> *format_ptr = template->data[i];
> format_ptr++;
> i++;
> + left--;
> }
> }
> *format_ptr = 0;
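Review bot: the constant-character branch still stores `*format_ptr = template->data[i];` with no test of `left` visible in this hunk, so the new `left--;` keeps the count accurate but does not by itself stop the write. If the enclosing loop condition (not shown here) does not already require `left > 0`, add that check before the store; otherwise `left` can go negative on a long run of constant characters.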
>
> REFERENCES:
>
> 1. http://www.balabit.hu/static/zsa/ZSA-2002-014-en.txt
> 2. http://www.balabit.hu/en/downloads/syslog-ng/
> 3. http://www.balabit.hu/en/products/ZorpPro/
>
>
> Höltzl Péter
>
> BalaBit IT Kft | Tel: +36 1 371-0540 | GnuPG Fingerprint:
> holtzl.peter@balabit.hu | Mobil: +36 20 366-9667 | DB30 5E5B 8777 C06F 5A1F
> http://www.balabit.hu/ | Fax: +36 1 208-0875 | 4586 CEAF 9678 4A89 CFD6
>
--
"If a trainstation is where the train stops, what's a workstation...?"
-Anon.
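
The accounting error from the advisory's DESCRIPTION and the two-line fix, as an added example that is not part of the original thread and is not syslog-ng code: a simplified C model of the expansion loop with the pre-patch and patched bookkeeping side by side. The function name, the single $HOST macro, the `left > 0` loop condition, and the sample host and buffer size are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define SCRATCH 256  /* scratch space, far larger than any `cap` used below */

/* Simplified model of the expansion loop in the advisory (hypothetical names,
 * "$HOST" is the only macro). Output goes to a large scratch array so that
 * running past the logical capacity `cap` can be measured safely.
 * patched == 0: `left` starts at cap and ignores constant characters.
 * patched != 0: `left` starts at cap - 1 and is decremented per constant.
 * Returns the bytes written including the terminating NUL; a result greater
 * than `cap` means a real buffer of `cap` bytes would have been overrun. */
size_t expand_model(const char *tmpl, const char *host, size_t cap, int patched)
{
    char scratch[SCRATCH], *p = scratch;
    int left = patched ? (int)cap - 1 : (int)cap;
    size_t i = 0;

    /* Assumption: the real loop also stops when `left` reaches zero. */
    while (tmpl[i] && left > 0 && (size_t)(p - scratch) < SCRATCH - 1) {
        if (strncmp(tmpl + i, "$HOST", 5) == 0) {
            /* Macro value: the copy is bounded by `left` in both variants. */
            size_t room = SCRATCH - 1 - (size_t)(p - scratch);
            size_t n = strlen(host);
            if (n > (size_t)left) n = (size_t)left;
            if (n > room) n = room;
            memcpy(p, host, n);
            p += n;
            left -= (int)n;
            i += 5;
        } else {
            /* Constant character: only the patched variant accounts for it. */
            *p++ = tmpl[i++];
            if (patched) left--;
        }
    }
    *p = '\0';
    return (size_t)(p - scratch) + 1;
}

int main(void)
{
    const char *t = "/var/log/$HOST/messages";  /* template from the advisory */
    /* "gw1" and the capacity 16 are constructed sample values. */
    printf("unpatched: %zu bytes for a 16-byte buffer\n", expand_model(t, "gw1", 16, 0));
    printf("patched:   %zu bytes for a 16-byte buffer\n", expand_model(t, "gw1", 16, 1));
    return 0;
}
```

A macro-only template against a small capacity shows the second half of the fix: without the `- 1`, the terminating NUL lands one byte past the buffer even when no constant characters are present.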