[12683] in bugtraq


Re: local users can panic linux kernel (was: SuSE syslogd

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Mon Nov 22 16:58:22 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <lcamtuf.4.05.9907170315120.406-100000@nimue.ids.pl>
Date:         Sat, 17 Jul 1999 03:21:57 +0200
Reply-To: Michal Zalewski <lcamtuf@IDS.PL>
From: Michal Zalewski <lcamtuf@IDS.PL>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

On Thu, 18 Nov 1999, Mixter wrote:

> The impact of the syslogd Denial Of Service vulnerability seems to
> be bigger than expected. I found that syslog could not be stopped from
> responding by one or a few connections, since it uses select() calls
> to synchronously manage the connections to /dev/log. I made an attempt
> with the attached test code, which makes about 2000 connects to syslog,
> using multiple processes, and my system instantly died with the message:
> 'Kernel panic: can't push onto full stack'

The attack can be easily stopped (as well as lusers' ability to write anything
to system logs as e.g. the kernel) by doing something like: groupadd log; chmod
660 /dev/log; chown root.log /dev/log, and then by carefully choosing 'log'
group members. Otherwise, something like:

logger -p 0 -t kernel "I'm hungry"

...will result in:

Jul 17 03:18:44 nimue kernel: I'm hungry

...in /var/log/messages and on the console ;) But this has probably been
discussed many times; it is just an idea on how to fix it without replacing the
system logger and kernel to add getpeeruid() support.

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
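The permission change described in the reply above (restricting write access on /dev/log to root and a dedicated group) can be audited and applied with the following script. This is an added example and not code from the post or from any syslogd; it assumes a Linux host, takes the socket path and the target group id as parameters rather than hard-coding /dev/log, and its self-test runs on a constructed temporary file. The decode_pri helper shows why `logger -p 0` is displayed as a kernel emergency: PRI 0 decodes to facility 0 (kern) and severity 0 (emerg).

```python
"""Audit and tighten write permissions on a syslog socket path.

Added example (hypothetical helper names); equivalent to the post's
`groupadd log; chmod 660 /dev/log; chown root.log /dev/log`, except that
changing the owner to root is left to the administrator.
"""
import os
import stat
import tempfile


def decode_pri(pri: int) -> tuple:
    """Split a syslog PRI value into (facility, severity).

    PRI = facility * 8 + severity.  `logger -p 0` therefore sends
    facility 0 (kern) with severity 0 (emerg), which is why a message
    from an unprivileged user shows up tagged as kernel and on the console.
    """
    return pri >> 3, pri & 7


def audit_log_socket(path: str) -> dict:
    """Report owner, group and who may write to `path` from its mode bits."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "owner_uid": st.st_uid,
        "group_gid": st.st_gid,
        "mode": mode,
        "world_writable": bool(mode & stat.S_IWOTH),
        "group_writable": bool(mode & stat.S_IWGRP),
    }


def harden_log_socket(path: str, gid: int) -> dict:
    """Assign `path` to group `gid`, set mode 0660 and return the new audit.

    -1 for the uid keeps the current owner (only root could change it).
    """
    os.chown(path, -1, gid)
    os.chmod(path, 0o660)
    return audit_log_socket(path)


def demo_on_temp_file() -> tuple:
    """Constructed scenario: a world-writable socket path, before and after.

    Uses a plain temporary file standing in for /dev/log and the caller's
    own primary group standing in for the 'log' group, so it runs unprivileged.
    """
    fd, path = tempfile.mkstemp(prefix="fake-dev-log-")
    os.close(fd)
    try:
        os.chmod(path, 0o666)            # the weak setting: anyone may write
        before = audit_log_socket(path)
        after = harden_log_socket(path, os.getgid())
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo_on_temp_file()
    print("before:", oct(before["mode"]), "world_writable=", before["world_writable"])
    print("after: ", oct(after["mode"]), "world_writable=", after["world_writable"])
    print("logger -p 0 decodes to (facility, severity) =", decode_pri(0))
```

To check a real system, call `audit_log_socket("/dev/log")` as any user and look at the `world_writable` field; applying `harden_log_socket` to the real socket requires root and a group id obtained from `grp.getgrnam("log").gr_gid` after the group has been created.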
