|
|
|
|
| |
| Syslog-ng is a portable syslog implementation. Its highlights include regexp based log selection, TCP transport and more. A security vulnerability in the product allows remote attackers to cause a Denial of Service against it. |
| |
Credit:
The information has been provided by Balazs Scheidler.
|
| |
Vulnerable systems:
Syslog-ng versions prior to and including 1.4.8
When syslog-ng parses log messages, a variable named "left" is used to store the remaining length of the log message. The priority part in the message should look like this:
<6>
When the line ends without the closing '>' this "left" variable becomes -1 due to a programming bug.
The remaining part of the message parsing routine checks if there's any characters left using the condition: left != 0, since -1 is not 0, this condition evaluates to true.
The newer versions of Syslog-ng (after 1.4.7) filter out the \r and \n characters from log messages, and replace them with spaces to avoid cluttering the log files. Due to a problem in the parsing of log messages, this character change may access inaccessible memory region. This causes a segmentation fault. So sending a "<6", terminated with a new line to one of the input channels causes a SIGSEGV.
Prior to 1.4.7, this character change was not implemented, so mounting a DoS attack is not so trivial, but is still possible.
Impact:
Sending a carefully crafted syslog packet may cause syslog-ng to exit with a Segmentation Fault.
Solution:
Upgrade syslog-ng to 1.4.9, which is a security upgrade, and changes nothing compared to 1.4.8 or apply this patch:
diff -urN syslog-ng-1.4.8/src/log.c syslog-ng-1.4.9/src/log.c
--- syslog-ng-1.4.8/src/log.c Tue Oct 10 15:05:52 2000
+++ syslog-ng-1.4.9/src/log.c Wed Nov 22 16:45:11 2000
@@ -67,8 +67,10 @@
left--;
}
lm->pri = pri;
- src++;
- left--;
+ if (left) {
+ src++;
+ left--;
+ }
}
else {
lm->pri = LOG_USER | LOG_NOTICE;
|
|
|
|
|
