In Linux, all kernel messages are written by the printk() function into the /proc/kmsg buffer (a 4 KB cyclic ring), and the klog daemon (klogd) reads them from there. This buffer seems unexploitable, but because klogd copies the 4 KB buffer into 1 KB lines (by looking for the '\n' character), a buffer overflow can happen if you send a long run of characters without a '\n' character.
A buffer overflow can be caused on various systems, including RedHat 5.x (up to release 22) and Slackware 3.x, by sending a very long kernel message or a lot of small messages without ever sending the '\n' character.
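The copy described above, written defensively, as an added example (it is not klogd's source and not code from this advisory). The function and struct names are hypothetical; the sizes are the 4 KB and 1 KB figures given above.

```c
#include <stddef.h>
#include <string.h>

#define RING_SIZE 4096   /* kernel message ring size given above */
#define LINE_SIZE 1024   /* per-line buffer size given above */

/* Result of one pass, so a caller can check the invariants. */
struct split_stats {
    size_t lines;    /* lines emitted */
    size_t longest;  /* longest emitted line, excluding the NUL */
    size_t forced;   /* lines cut because no '\n' arrived in time */
};

/* Hypothetical sink; a real daemon would hand the line to syslog here. */
static void emit_line(const char *line, size_t len, struct split_stats *st)
{
    (void)line;
    st->lines++;
    if (len > st->longest) st->longest = len;
}

/*
 * Copy ring data into a fixed line buffer, one line per '\n'.
 * The unsafe pattern is `line[n++] = c;` repeated until '\n' is seen:
 * with no newline in 4 KB of input, n walks past the 1 KB buffer.
 * Here the buffer is flushed when it is full instead.
 */
struct split_stats split_ring(const char *ring, size_t ring_len)
{
    struct split_stats st = {0, 0, 0};
    char line[LINE_SIZE];
    size_t n = 0;

    for (size_t i = 0; i < ring_len; i++) {
        if (ring[i] == '\n') {
            line[n] = '\0';
            emit_line(line, n, &st);
            n = 0;
            continue;
        }
        if (n == LINE_SIZE - 1) {   /* full: flush before storing more */
            line[n] = '\0';
            emit_line(line, n, &st);
            st.forced++;
            n = 0;
        }
        line[n++] = ring[i];
    }
    if (n > 0) {                    /* trailing partial line */
        line[n] = '\0';
        emit_line(line, n, &st);
    }
    return st;
}
```

A non-zero `forced` count is also a useful signal to log, since ordinary kernel messages end in '\n' long before 1 KB.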
Two possible ways exist to exploit this bug:
1) Look into the kernel source code to find printk() calls and cause the modules to generate those messages, overflowing klogd's buffer.
2) Find a printk() call where an environmental parameter is used (usually /proc/filename), then simply overwrite that environmental parameter with arbitrary code to cause a privileged shell to appear.
To test whether you are affected or not, use the following code: