[2196] in bugtraq
Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
daemon@ATHENA.MIT.EDU (Christian Wettergren)
Fri Sep 1 06:13:53 1995
Date: Tue, 29 Aug 1995 18:47:50 -0700
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Christian Wettergren <cwe@Csli.Stanford.EDU>
X-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: Your message of Tue, 29 Aug 1995 10:32:05 BST.
<199508290932.KAA12873@puffball.demon.co.uk>
I put together a list of potential problems after a brief glance at
4.3BSD code. These problems are probably inherited into commercial
systems. Most modern systems log even more than 4.3 does.
* Sendmail
as has already been stated.
* ftpd
I guess improved ftpd might be using syslog.
The standard ftpd does use it extensively when run in debug mode.
And you enter usernames and paths etc all over.
* remote hostnames and DNS games
Most daemons log a DNS mismatch, but MAXHOSTNAME is usually small
enough. This shouldn't be a problem.
* Any RPC daemon run in some kind of debug mode
Many of them do a lot of logging of user data when run in debug or
logging mode, for example rpc.lockd, rpc.bootparamd etc.
* rpc.bootparamd
There is extensive use of user-supplied RPC data.
* rpc.lockd
There is at least one place where user-supplied data is
syslog()ed, not counting DEBUG ones. DEBUG mode can however be
enabled remotely, so one has to count with them all.
* rpc.mountd
There is some logging done for failed operations.
* rpc.statd
uses extensive logging, but depends on whether compiled with -DDEBUG
or not. Standard SunOS binary is.
Found errors being logged, with user data supplied.
* lpd
by supplying an invalid printer name.
Uncertain ones:
* bind (not verified)
would surprise me if bind didn't have a lot of "dangerous" logging,
since it is a decent piece of code. (This one really works
backwards. Nasty.)
* popper
supplying the wrong user name should perhaps do it.
* other stuff in inetd.conf...
* nntpd?
* gopher?
* httpd should be safe, it doesn't use syslog, as far as I remember.
* most /bin/login's should be safe, I think. They only accept limited
length usernames.
* nfsd in kernel? It does quite a lot of logging if nfsdebug is turned
on.
I might very well be wrong on these, either way. Also note that it
is a rather old source I've looked at, 4.3 BSD. I guess one should
make a similar list for each OS, and start recompiling.
/Christian
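
Added example, not part of the original post: a rough Python pass over C source that lists syslog() calls whose message is not a string literal, or whose format has a %s with no precision, as a starting point for the per-OS list the message suggests. The function name, finding labels and sample C source are constructed for illustration; the matching is a regex heuristic, not a C parser.

```python
import re

# One syslog(...) statement; non-greedy up to the first ");" so nested calls
# such as inet_ntoa(addr) in the argument list are kept together.
CALL_RE = re.compile(r'\bsyslog\s*\((.*?)\)\s*;', re.S)
STRING_LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# %s, %10s, %-10s: a width is only a minimum, so these copy the whole string.
# %.64s and %.*s carry a precision and are not matched.
UNBOUNDED_S_RE = re.compile(r'%[-0-9]*s')


def audit_syslog_calls(source):
    """Return (line_number, reason) for each syslog() call worth a manual look."""
    findings = []
    for m in CALL_RE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        parts = m.group(1).split(",", 1)      # priority, then format + args
        if len(parts) < 2:
            continue
        lit = STRING_LITERAL_RE.match(parts[1].strip())
        if lit is None:
            # Message text was built elsewhere; its length is not visible here.
            findings.append((line, "non-literal format"))
            continue
        fmt = lit.group(1).replace("%%", "")  # literal percent signs
        if UNBOUNDED_S_RE.search(fmt):
            findings.append((line, "unbounded %s"))
    return findings


# Constructed sample input, not taken from any real daemon.
SAMPLE = r'''
void reject(char *host, char *printer, char *msg)
{
    syslog(LOG_ERR, "unknown printer %s from %s", printer, host);
    syslog(LOG_INFO, "connect from %.64s", host);
    syslog(LOG_WARNING, msg);
    syslog(LOG_DEBUG, "lock request done");
}
'''

if __name__ == "__main__":
    for line, reason in audit_syslog_calls(SAMPLE):
        print(f"line {line}: {reason}")
```

Each finding still needs a manual check of where the logged argument comes from and how long it can be.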