[5849] in bugtraq
Re: Linux vsyslog() overflow
daemon@ATHENA.MIT.EDU (Dann Lunsford)
Mon Dec 22 13:35:33 1997
Date: Mon, 22 Dec 1997 08:59:42 -0800
Reply-To: Dann Lunsford <dann@GREYCAT.COM>
From: Dann Lunsford <dann@GREYCAT.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199712210343.AAA02111@false.com>
In <199712210343.AAA02111@false.com>, on 12/21/97
at 12:43 AM, Solar Designer <solar@FALSE.COM> said:
>The buffer overflow is in vsyslog(), by the ident string previously set
>with openlog(). It is exploitable via some versions of /bin/su (for
>example, the version that comes with Slackware 3.1), and possibly some
As far as I can tell, su has been fixed in Slackware 3.4.
>other privileged processes that use user-supplied data in ident for
>openlog() -- could even be a daemon setting the ident to something like
>"daemon: username" (I don't know of any such examples though).
>I have verified this is exploitable in libc 5.4.23 and RedHat's 5.3.12-18
>that comes with RH 4.2, but is fixed in 5.4.38. It can't be exploited via
>/bin/su on standard RedHat setup though.
>Actually, the behavior of Slackware's /bin/su is quite stupid anyway:
>sunny:/tmp$ ln -s /bin/su kernel
>sunny:/tmp$ export PATH=.:$PATH
>sunny:/tmp$ kernel
>Password:
>sunny:/tmp# tail -1 /var/log/messages
>Dec 20 23:32:33 sunny kernel: root on /dev/ttyp1
Again, can't duplicate this under Slackware 3.4.
>No real security hole here, but this shows it was a stupid thing to use
>argv[0] for openlog().
Gotta agree here.
<snip>
>Since you should fix the vulnerability regardless if it's exploitable via
>your version of /bin/su or not, here's a tiny program for checking if
>your libc is vulnerable. If this segfaults, you're vulnerable.
>--- syslog-check.c ---
<snip>
Under Slackware 3.4, libc 5.4.33, this code causes
<BUFFER OVERUN ATTEMPT>: message
to be logged to syslog.
--
Dann Lunsford * The only thing necessary for the triumph of evil *
dann@greycat.com * is that men of good will do nothing. -- Cicero *
Hiroshima 45 -- Chernobyl 86 -- Windows 95
