Re: local users can panic linux kernel (was: SuSE syslogd

From: Michal Zalewski (lcamtufat_private)
Date: Fri Jul 16 1999 - 18:21:57 PDT


On Thu, 18 Nov 1999, Mixter wrote:

> The impact of the syslogd Denial Of Service vulnerability seems to
> be bigger than expected. I found that syslog could not be stopped from
> responding by one or a few connections, since it uses select() calls
> to synchronously manage the connections to /dev/log. I made an attempt
> with the attached test code, which makes about 2000 connects to syslog,
> using multiple processes, and my system instantly died with the message:
> 'Kernel panic: can't push onto full stack'

The attack can easily be stopped (as well as lusers' ability to write anything
as e.g. kernel to system logs) by doing something like: groupadd log; chmod
660 /dev/log; chown root.log /dev/log, then by carefully choosing 'log'
group members. Otherwise, something like:

logger -p 0 -t kernel "I'm hungry"

...will result in:

Jul 17 03:18:44 nimue kernel: I'm hungry

...in /var/log/messages and on console ;) But probably it has been
discussed many times; just an idea how to fix it without replacing the system
logger and kernel to add getpeeruid() support.

_______________________________________________________________________
Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]

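A check of what the /dev/log hardening described in the message actually changes, added here as an example and not code from the original post. It models the default world-writable socket next to the root:log 0660 one and applies the ordinary Unix owner/group/other rule (connect() to a Unix socket needs write permission on the socket file); the 'log' gid 107 and the uids are constructed values.

```python
import os
import stat

# Constructed stand-ins for the two states the message describes:
# the default /dev/log (root:root 0666) and the hardened root:log 0660 one.
# gid 107 is a constructed value for the 'log' group created with groupadd.
DEFAULT_DEV_LOG = {"mode": 0o666, "uid": 0, "gid": 0}
HARDENED_DEV_LOG = {"mode": 0o660, "uid": 0, "gid": 107}


def can_write(entry, uid, gids):
    """Classic Unix DAC write check: root always passes, then owner,
    then group (any supplementary group counts), then 'other' bits."""
    if uid == 0:
        return True
    mode = entry["mode"]
    if uid == entry["uid"]:
        return bool(mode & stat.S_IWUSR)
    if entry["gid"] in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_path(path):
    """Read a live path (e.g. /dev/log) into the same shape and report
    whether every local user can still write to it."""
    st = os.stat(path)
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    return entry, bool(entry["mode"] & stat.S_IWOTH)


if __name__ == "__main__":
    # uid 1000 is a constructed unprivileged user; second call adds 'log' membership
    for label, entry in (("default", DEFAULT_DEV_LOG), ("hardened", HARDENED_DEV_LOG)):
        print(label, "plain user:", can_write(entry, 1000, [1000]),
              "log member:", can_write(entry, 1000, [1000, 107]))
```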


This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:46 PDT