[970] in linux-announce channel archive
Final analysis of syslog threat under Linux
daemon@ATHENA.MIT.EDU (A.Cox)
Wed Aug 30 16:52:35 1995
Date: Tue, 29 Aug 95 23:12 BST
From: anarchy@thunder.swansea.linux.org.uk (A.Cox)
To: big-linux@netspace.org, bugtraq@crimelab.com, cert@cert.org,
hjl@nynexst.com, torvalds@cs.Helsinki.FI
Cc: linux-announce@vger.rutgers.edu, linux-security@tarsier.cv.nrao.edu
Summary:
Almost all old a.out, and probably no ELF systems vulnerable.
Detail:
Linux libc 4.6.27 and earlier (4.6.27 is the most distributed version)
contain a BSD style syslog with no checks. It reports (c) 1993 Regents of
UCB blah blah, Author Eric Allman.
These are directly vulnerable to all attacks. To see which libc your system
is using look in /lib for the version number on libc.so.x.y.z. For those
who have not seen the CERT advisory, we are talking about a network exploitable bug
where it is possible to get root shell access to a remote system given a lot
of programming skill and knowledge.
Linux libc 4.7.2 and higher (as of May 1995) use snprintf correctly
to protect against attack. The snprintf code is badly written and hard to
follow but assorted test attacks indicate it appears to be reliable. The
syslog code however has a stupid oversight in it which renders attacks
where the format string is over 1K long viable, even though attacks via
format arguments are not. Since no program analysed feeds user data in
as the format string this is adequate for users.
All sites running NIS will be (I hope) running libc4.7.x already
as libc4.6.27 has other serious NIS security bugs.
Complete Fix:
Apply the following fix to libc4.7.2 and above
--misc/syslog.c
--- syslog.c~ Tue Aug 29 22:14:25 1995
+++ syslog.c Tue Aug 29 22:14:25 1995
@@ -194,7 +194,7 @@
register char ch, *t1;
char *strerror();
- for (t1 = fmt_cpy; (ch = *fmt) != '\0'; ++fmt)
+ for (t1 = fmt_cpy; (ch = *fmt) != '\0' && t1<fmt_cpy+sizeof(fmt_cpy); ++fmt)
if (ch == '%' && fmt[1] == 'm') {
++fmt;
t1 += snprintf(t1, sizeof(fmt_cpy)-(t1-fmt_cpy),
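Review bot: the added loop condition still lets t1 reach fmt_cpy+sizeof(fmt_cpy) when the loop exits, so no room is reserved for a terminating NUL written after the loop; bound it at `t1 < fmt_cpy + sizeof(fmt_cpy) - 1` (or equivalent). The `%m` branch also does `t1 += snprintf(t1, sizeof(fmt_cpy)-(t1-fmt_cpy), ...)`, and an snprintf that reports the would-be length on truncation will advance t1 past the end of fmt_cpy before the condition is re-checked; clamp the return value to the remaining space before adding it.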
This prevents the preformatting copy from overrunning the fmt_cpy buffer.
Status:
This fix is believed correct, however the snprintf code is too complex for
a formal verification of correctness in this time period. One should be done as
soon as possible. No attempt has been made to integrate the libc4.7.4 syslog code
with libc4.6.27. Given that libc4.7.4 is not a general user build, and that most
users will not be switching to libc5.x ELF yet, this should be done as soon as
possible.
Urgency:
This problem affects most Linux (and probably most Unix) systems
and should be acted on immediately. Simply switching to libc4.7.2 will adequately
protect almost all users. Note that libc4.7.2 has some bugs but libc4.7.4 appears
more correct. Even though the built libc4.7.4 is in hjl's private area it should
be made available by all ftp sites ASAP.
Action:
Install libc4.7.2 or libc4.7.4 immediately if running libc4.6.27 or
earlier libraries. Recompile any statically linked superuser or network
exposed binaries built with the old library. This will adequately protect
analysed programs.
Linux users with non-Linux systems should also read the CERT advisory
and contact their vendors immediately for fixes to other systems.
Trivial verification program for the Linux bug:

#include <stdio.h>
#include <syslog.h>

/* Canary: a correct snprintf(x, 3, ...) must leave x[4] untouched. */
static char x[6] = {'H', 'E', 'L', 'L', 'O', 0};

int main(void)
{
    char buf[4096];
    int ct;

    /* A 4095-byte format string of 'X's, well over the 1K fmt_cpy buffer. */
    for (ct = 0; ct < 4095; ct++)
        buf[ct] = 'X';
    buf[4095] = '\0';   /* terminate the string (the original left it unterminated) */

    openlog("testprog", LOG_PID, LOG_AUTHPRIV);
    printf("Check snprintf\n");
    snprintf(x, 3, buf);    /* bounded to 3 bytes; must not reach x[4] */
    if (x[4] != 'O')
        fprintf(stderr, "snprintf is broken\n");
    printf("Testing syslog\n");
    syslog(LOG_ERR | LOG_USER, buf);    /* oversized format string copied into fmt_cpy */
    closelog();
    return 0;
}
Alan
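As an added example (not Alan Cox's code or the libc source), here is a bounded stand-alone version of the fmt_cpy preprocessing step that syslog() performs, expanding "%m" to the errno text before the format reaches vsnprintf; it applies the patch's bound and additionally reserves the terminating byte and clamps the snprintf return value. The 1024-byte buffer size, the function names and the constructed 4095-byte input are assumptions for illustration.

```c
/* Added example, not from the original post or libc: bounded "%m" expansion
 * of a syslog format string into a fixed-size fmt_cpy buffer.
 * FMT_CPY_SIZE and the function names are assumptions for illustration. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define FMT_CPY_SIZE 1024  /* assumed size of the fixed fmt_cpy buffer */

/* Copy fmt into out (size outsz), expanding "%m" to strerror(err).
 * Always NUL-terminates. Returns the number of bytes stored (excluding NUL)
 * and sets *truncated when the input did not fit. */
size_t expand_errno_fmt(const char *fmt, int err, char *out, size_t outsz,
                        int *truncated)
{
    char *t1 = out;
    char *end = out + outsz - 1;   /* reserve one byte for the terminator */
    *truncated = 0;
    for (; *fmt != '\0'; ++fmt) {
        if (t1 >= end) { *truncated = 1; break; }   /* the patch's bound, minus 1 */
        if (fmt[0] == '%' && fmt[1] == 'm') {
            ++fmt;
            int n = snprintf(t1, (size_t)(end - t1) + 1, "%s", strerror(err));
            if (n < 0) break;
            /* C99 snprintf returns the would-be length; clamp so t1 never passes end */
            if ((size_t)n > (size_t)(end - t1)) { t1 = end; *truncated = 1; break; }
            t1 += n;
        } else {
            *t1++ = *fmt;
        }
    }
    *t1 = '\0';
    return (size_t)(t1 - out);
}

/* Drive it with a constructed 4095-byte format of 'X's (the post's test input);
 * the result is cut at 1023 bytes instead of overrunning fmt_cpy. */
size_t demo_oversized_format(int *truncated)
{
    static char big[4096];
    static char fmt_cpy[FMT_CPY_SIZE];
    memset(big, 'X', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    return expand_errno_fmt(big, 0, fmt_cpy, sizeof(fmt_cpy), truncated);
}
```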