80636 2002-10-10  22:08  /96 lines/ Holtzl Peter <holtzl.peter@balabit.hu>
Imported: 2002-10-10  22:08  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: holtzl.peter@balabit.hu
Recipient: Bugtraq (import) <1884>
Subject: syslog-ng buffer overflow
------------------------------------------------------------
----------------------------------------------------------------------------
PACKAGE           : syslog-ng
VERSION           : -1.4.15 (stable) and -1.5.20 (development)
SUMMARY           : buffer overflow
TYPE              : remote exploit
VULNERABLE        : exploitable (not in default configuration)
ZORP-OS SPECIFIC  : No
ZSA-AUTHOR        : Balazs Scheidler <balazs.scheidler@balabit.com>
ZSA-ID            : ZSA-2002-014
DATE              : 2002-10-03 15:00
----------------------------------------------------------------------------

BACKGROUND:

  Syslog-NG is a portable syslog implementation. Its highlights
  include  regexp based log selection, TCP transport and more.  For
  more information: http://www.balabit.hu/en/downloads/syslog-ng/

  Zorp OS is a Debian GNU/Linux based operating system hardened for
  running the Zorp Professional modular application level firewall
  suite. Its core framework allows the administrator to fine-tune
  proxy decisions (with its built-in script language) and to fully
  analyze complex protocols, including SSL embedded protocols. For
  more information: http://www.balabit.hu/en/products/ZorpPro/

DESCRIPTION:

  To make it easier to specify message destinations, syslog-ng
  supports macros in destination filenames as the following log
  snippet shows:

  destination d_messages_by_host {
        file("/var/log/$HOST/messages");
  };

  The same syntax is used when specifying the contents of destination
  files:

  destination d_special_messages {
        file("/var/log/messages" template("$ISODATE $HOST $MSG\n"));
  };

  The problem lies in the way macro expansion handles constant
  characters (i.e. everything other than macro references). As
  syslog-ng expands macros it uses a buffer and a variable called
  'left', which holds the number of characters still available in the
  buffer. When a constant character is appended, this variable is not
  decremented, so the bounds check performed while expanding macros
  is based on a stale count and is therefore incorrect.

IMPACT:

  If templated filenames or templated output is used, it is possible
  to overflow a buffer. The number of bytes exceeding the allocated
  buffer depends on the exact template being used.

  It is believed that this overflow can be exploited, given enough
  constant characters are present in the template string.
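  The following is an added illustration, not syslog-ng code: a small
  constructed model of the expander described above, with a flag that
  switches between the behaviour before and after the two-line patch
  given under SOLUTION. BUF_SIZE, the macro table, the macro values and
  the templates are all made up for the demonstration.

```c
#include <ctype.h>
#include <string.h>

/* Constructed model of the expander described in the advisory, not the
 * project's code.  BUF_SIZE and the macro values are made up. */
#define BUF_SIZE 16

static const char *macro_value(const char *name, size_t len)
{
    if (len == 4 && strncmp(name, "HOST", 4) == 0) return "gw1";
    if (len == 3 && strncmp(name, "MSG", 3) == 0)  return "link down on eth0";
    return "";
}

/* Expand tmpl as if into a BUF_SIZE-byte buffer.  `out` is a larger scratch
 * area so this model never writes out of bounds; the return value is how
 * many bytes (NUL included) would have landed past the real buffer's end. */
size_t model_expand(const char *tmpl, int patched, char *out, size_t outcap)
{
    size_t left = patched ? BUF_SIZE - 1 : BUF_SIZE; /* hunk 1: reserve the NUL */
    size_t pos = 0, i = 0, n = strlen(tmpl);
    while (i < n && left > 0) {
        if (tmpl[i] == '$') {                        /* macro reference */
            size_t start = ++i;
            while (i < n && isupper((unsigned char)tmpl[i])) i++;
            const char *val = macro_value(tmpl + start, i - start);
            size_t len = strlen(val);
            if (len > left) len = left;              /* clamp to a possibly stale `left` */
            if (pos + len <= outcap) memcpy(out + pos, val, len);
            pos += len;
            left -= len;
        } else {                                     /* constant character */
            if (pos < outcap) out[pos] = tmpl[i];
            pos++; i++;
            if (patched) left--;                     /* hunk 2: constants use space too */
        }
    }
    if (pos < outcap) out[pos] = '\0';
    pos++;                                           /* the terminator needs room as well */
    return pos > BUF_SIZE ? pos - BUF_SIZE : 0;
}

static char scratch[64];                             /* holds the last expansion */

size_t overflow_bytes(const char *tmpl, int patched)
{
    return model_expand(tmpl, patched, scratch, sizeof scratch);
}

const char *last_expansion(void) { return scratch; }
```

  With the unpatched counting, the number of bytes written past the
  16-byte buffer equals the number of constant characters in the
  template plus one for the terminator, which is why the impact depends
  on the exact template in use.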

SOLUTION:

  Upgrade syslog-ng to 1.5.21 (devel) or 1.4.16 (stable) or apply the
  following patch:

diff -u -r1.52 -r1.53
--- affile.c    21 Aug 2002 14:03:50 -0000      1.52
+++ affile.c    27 Sep 2002 09:11:33 -0000      1.53
@@ -859,7 +859,7 @@
                { "SOURCEIP", M_SOURCE_IP }
        };
        char format[cfg->log_msg_size + 1], *format_ptr = format;
-       int left = sizeof(format);
+       int left = sizeof(format) - 1;
        int i, j;

        i = 0;
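Review bot: `int left = sizeof(format) - 1;` correctly reserves the byte that `*format_ptr = 0;` writes unconditionally after the loop, fixing the off-by-one on the terminator; a one-line comment stating that `left` counts usable bytes excluding the NUL would make that invariant visible to whoever next edits the expansion loop. Note also that `format` is a variable-length array sized from `cfg->log_msg_size + 1`, so `sizeof(format)` is evaluated at run time (C99 behaviour); the value is right, but it is easy to misread as a compile-time constant.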
@@ -888,6 +888,7 @@
                        *format_ptr = template->data[i];
                        format_ptr++;
                        i++;
+                       left--;
                }
        }
        *format_ptr = 0;
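Review bot: the added `left--;` makes constant characters count against the buffer, but the guard that decides whether `*format_ptr = template->data[i];` may be executed is outside the hunk, so please confirm that the enclosing loop condition tests `left > 0` before the store; otherwise the decrement only tightens the bound for later macro expansions and a long run of constants could still walk past the end of `format`. The macro-value copy elsewhere in this function should likewise be checked to clamp to `left` and subtract what it copied, since that is the bounds check the advisory says was trusting the stale count.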

REFERENCES:

  1. http://www.balabit.hu/static/zsa/ZSA-2002-014-en.txt
  2. http://www.balabit.hu/en/downloads/syslog-ng/
  3. http://www.balabit.hu/en/products/ZorpPro/


Höltzl Péter

BalaBit IT Kft          | Tel:   +36  1 371-0540 | GnuPG Fingerprint:
holtzl.peter@balabit.hu | Mobil: +36 20 366-9667 | DB30 5E5B 8777 C06F 5A1F
http://www.balabit.hu/  | Fax:   +36  1 208-0875 | 4586 CEAF 9678 4A89 CFD6