---------------------------------------------------------------------------- PACKAGE : syslog-ng VERSION : -1.4.15 (stable) and -1.5.20 (development) SUMMARY : buffer overflow TYPE : remote exploit VULNERABLE: : exploitable (not in default configuration) ZORP-OS SPECIFIC : No ZSA-AUTHOR : Balazs Scheidler <balazs.scheidlerat_private> ZSA-ID : ZSA-2002-014 DATE: : 2002-10-03 15:00 ---------------------------------------------------------------------------- BACKGROUND: Syslog-NG is a portable syslog implementation. Its highlights include regexp based log selection, TCP transport and more. For more information: http://www.balabit.hu/en/downloads/syslog-ng/ Zorp OS is a Debian GNU/Linux based operating system hardened for running Zorp Professional modular application level firewall suite. Its core framework allows the administrator to finetune proxy decisions (with its built-in script language), and fully analyze complex protocols including SSL embedded protocols. For more information: http://www.balabit.hu/en/products/ZorpPro/ DESCRIPTION: To make it easier to specify message destinations, syslog-ng supports macros in destination filenames as the following log snippet shows: destination d_messages_by_host { file("/var/log/$HOST/messages"); }; The same syntax is used when specifying the contents of destination files: destination d_special_messages { file("/var/log/messages" template("$ISODATE $HOST $MSG\n")); }; The problem lies in the way macro expansion handles constant characters. (ie everything other than macro references). As syslog-ng expands macros it usesa buffer, and a variable called 'left', which contains the number of characters available in the buffer. When a constant character is appended, this variable is not decremented, thus when expanding macros incorrect bounds checking is performed. IMPACT: If templated filenames or templated output is used, it is possible to overflow a buffer. The number of bytes exceeding the allocated buffer depends on the exact template being used. It is believed that this overflow can be exploited, given enough constant characters are present in the template string. SOLUTION: Upgrade syslog-ng to 1.5.21 (devel) or 1.4.16 (stable) or apply the following patch: diff -u -r1.52 -r1.53 --- affile.c 21 Aug 2002 14:03:50 -0000 1.52 +++ affile.c 27 Sep 2002 09:11:33 -0000 1.53 @@ -859,7 +859,7 @@ { "SOURCEIP", M_SOURCE_IP } }; char format[cfg->log_msg_size + 1], *format_ptr = format; - int left = sizeof(format); + int left = sizeof(format) - 1; int i, j; i = 0; @@ -888,6 +888,7 @@ *format_ptr = template->data[i]; format_ptr++; i++; + left--; } } *format_ptr = 0; REFERENCES: 1. http://www.balabit.hu/static/zsa/ZSA-2002-014-en.txt 3. http://www.balabit.hu/en/downloads/syslog-ng/ 3. http://www.balabit.hu/en/products/ZorpPro/ Höltzl Péter BalaBit IT Kft | Tel: +36 1 371-0540 | GnuPG Fingerprint: holtzl.peterat_private | Mobil: +36 20 366-9667 | DB30 5E5B 8777 C06F 5A1F http://www.balabit.hu/ | Fax: +36 1 208-0875 | 4586 CEAF 9678 4A89 CFD6
This archive was generated by hypermail 2b30 : Thu Oct 10 2002 - 13:08:19 PDT