On Thu, 18 Nov 1999, Mixter wrote:

> The impact of the syslogd Denial Of Service vulnerability seems to
> be bigger than expected. I found that syslog could not be stopped from
> responding by one or a few connections, since it uses select() calls
> to synchronously manage the connections to /dev/log. I made an attempt
> with the attached test code, which makes about 2000 connects to syslog,
> using multiple processes, and my system instantly died with the message:
> 'Kernel panic: can't push onto full stack'

Attack can be easily stopped (as well as lusers' ability to write anything
as e.g. kernel to system logs) by doing something like: groupadd log; chmod
660 /dev/log; chown root.log /dev/log, then by carefully choosing 'log'
group members. Otherwise, something like:

logger -p 0 -t kernel "I'm hungry"

...will result in:

Jul 17 03:18:44 nimue kernel: I'm hungry

...in /var/log/messages and on console ;)

But probably it has been discussed many times, just an idea how to fix it
without replacing system logger and kernel to add getpeeruid() support.

_______________________________________________________________________
Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
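
A check for the permission fix suggested in the message above, as an added example that is not part of the original post: it reports whether a log socket is still writable by every local user or owned by the wrong group. The function name `audit_log_socket` is hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the original message): audit the syslog socket
# against the suggested fix. Assumes GNU stat (coreutils).

# audit_log_socket PATH GROUP
# Prints one verdict word and returns 0 only when PATH is closed to "other"
# and owned by GROUP (the message uses mode 660 and group 'log').
audit_log_socket() {
    path=$1
    want_group=$2

    if [ ! -e "$path" ]; then
        echo "missing"
        return 2
    fi

    # -L follows a symlink, since /dev/log may point at the real socket.
    mode=$(stat -L -c '%a' "$path")    # octal permission bits, e.g. 666
    group=$(stat -L -c '%G' "$path")   # owning group name

    # Connecting to a Unix socket needs write permission on it, so the
    # "other" write bit is what lets any local user reach syslogd.
    if [ $(( 0$mode & 2 )) -ne 0 ]; then
        echo "world-writable"
        return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "wrong-group"
        return 1
    fi
    echo "ok"
    return 0
}

# Usage on a live system: audit_log_socket /dev/log log
# Then review who may still write to it: getent group log
```
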