Local users can cause Linux kernel to panic (syslogd)
30 Nov. 1999
Summary
The syslogd server receives local log messages sent via syslog(3) on a Unix domain stream socket (/dev/log). Unix domain stream sockets require that a process serve each client connection. Therefore, by opening a large number of local syslog connections, a user could cause the operating system to stop responding.
Credit:
The vulnerability has been reported by: Mixter.
The impact of the syslogd denial of service vulnerability appears to be larger than first expected. syslogd cannot be stopped from responding by one or a few connections, since it uses select() to manage the connections to /dev/log synchronously. The attached code makes about 2000 connects to syslogd from multiple processes, causing the system to die instantly with the message: 'Kernel panic: can't push onto full stack'
This can be reproduced as a non-root user, although the code has to be run twice to overcome the stricter resource limits that apply to ordinary users. This has been tested with Linux 2.0.38 and syslogd 1.3 (RedHat 5.2).
As a temporary fix (besides upgrading), everyone who has not already done so is strongly advised to set proper user resource limits.
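The mechanism the advisory describes (one stream connection per client, all of them managed from a single select() loop) and the obvious userland hardening are shown in the C program below. It is an added example, not Mixter's code and not syslogd's source: it binds its listener at a constructed path under /tmp rather than /dev/log, the function names, the `log_server` structure and the MAX_CLIENTS cap of 64 are this example's own choices, and once the client table is full it accepts and immediately closes further connections instead of holding them. Capping the table bounds the daemon's own descriptor usage; it does not address the kernel-side panic the advisory reports, for which the upgrade in the Solution section is the fix.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/select.h>
#define MAX_CLIENTS 64   /* assumed cap on simultaneous clients; not a value from the advisory */

struct log_server {
    int listen_fd, nclients;
    int clients[MAX_CLIENTS];          /* one descriptor per connected client */
    unsigned long messages, refused;   /* lines read; connections refused because the table was full */
};

static socklen_t unix_addr(struct sockaddr_un *a, const char *path)
{
    memset(a, 0, sizeof *a);
    a->sun_family = AF_UNIX;
    strncpy(a->sun_path, path, sizeof a->sun_path - 1);
    return sizeof *a;
}

/* Bind a Unix-domain stream listener at `path` (the role /dev/log plays for syslogd). */
int log_server_open(struct log_server *s, const char *path)
{
    struct sockaddr_un a;
    socklen_t len = unix_addr(&a, path);
    memset(s, 0, sizeof *s);
    unlink(path);   /* clear a stale socket file left by an earlier run */
    s->listen_fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s->listen_fd < 0) return -1;
    if (bind(s->listen_fd, (struct sockaddr *)&a, len) < 0 || listen(s->listen_fd, 16) < 0) { close(s->listen_fd); return -1; }
    return 0;
}

/* What a client such as syslog(3) does: connect a stream socket to the log path. */
int log_client_connect(const char *path)
{
    struct sockaddr_un a;
    socklen_t len = unix_addr(&a, path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd >= 0 && connect(fd, (struct sockaddr *)&a, len) < 0) { close(fd); fd = -1; }
    return fd;
}

/* Accept one pending connection; refuse it (accept, then close) once the table is full. 1 = kept, 0 = refused, -1 = error. */
int log_server_accept(struct log_server *s)
{
    int fd = accept(s->listen_fd, NULL, NULL);
    if (fd < 0) return -1;
    if (s->nclients >= MAX_CLIENTS || fd >= FD_SETSIZE) { close(fd); s->refused++; return 0; }
    s->clients[s->nclients++] = fd;
    return 1;
}

/* One select() pass over the listener and every client, the way syslogd manages /dev/log: accept a pending
 * connection, read from each readable client, free the slot of any that hung up. Returns descriptors serviced. */
int log_server_poll(struct log_server *s, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    char buf[1024];
    int i, maxfd = s->listen_fd, serviced = 0;
    FD_ZERO(&rfds);
    FD_SET(s->listen_fd, &rfds);
    for (i = 0; i < s->nclients; i++) {
        FD_SET(s->clients[i], &rfds);
        if (s->clients[i] > maxfd) maxfd = s->clients[i];
    }
    if (select(maxfd + 1, &rfds, NULL, NULL, &tv) < 0) return -1;
    if (FD_ISSET(s->listen_fd, &rfds)) { log_server_accept(s); serviced++; }
    for (i = 0; i < s->nclients; ) {
        if (!FD_ISSET(s->clients[i], &rfds)) { i++; continue; }
        serviced++;
        if (read(s->clients[i], buf, sizeof buf - 1) <= 0) {
            close(s->clients[i]);                      /* EOF or error: drop the client */
            s->clients[i] = s->clients[--s->nclients]; /* the last client moves into this slot, */
            continue;                                  /* so index i is examined again */
        }
        s->messages++;   /* a real daemon would format buf and append it to its log files */
        i++;
    }
    return serviced;
}

int main(void)
{
    struct log_server s; int c;
    const char *path = "/tmp/capped_log_demo.sock";   /* constructed path, not /dev/log */
    if (log_server_open(&s, path) < 0 || (c = log_client_connect(path)) < 0) { perror("setup"); return 1; }
    log_server_poll(&s, 100);                         /* accepts the client */
    if (write(c, "<13>demo: hello", 15) < 0) perror("write");
    log_server_poll(&s, 100);                         /* reads the message */
    printf("clients=%d messages=%lu refused=%lu\n", s.nclients, s.messages, s.refused);
    close(c); close(s.listen_fd); unlink(path);
    return 0;
}
```

The two sides complement the advisory's advice: per-user resource limits (number of processes and open files an ordinary user may hold) bound what a client can open, while a cap like the one above bounds what the server will hold at once, and a client that hangs up is removed from the table on the next pass rather than occupying a slot.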
Solution
Upgrade to the latest version of syslogd (depending on your Linux distribution):
Exploit code:
The following exploit code can help you test your system against the mentioned vulnerability:
/*
*
* shutup - syslogd 1.3 denial of service
* by Mixter <mixter@newyorkoffice.com>
*
* This opens up to 2000 unix domain socket connections
* to /dev/log, attempting to stop syslog from responding.
* WARNING: This apparently causes the kernel to panic!
* You might have to run this 2 times to reproduce it as non-root.
* This code is for educational purposes only, do not abuse.
*
*/