Syslog-ng Buffer Overflow in Macro Expansion of Template Names May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1005404
SecurityTracker URL: http://securitytracker.com/id/1005404
CVE Reference: GENERIC-MAP-NOMATCH
Date: Oct 10 2002
Impact: Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.4.15 (stable); 1.5.20 (development)
Description:
A buffer overflow vulnerability was reported in syslog-ng. A remote user may be able to cause the daemon to crash or to execute arbitrary code in certain configurations.
It is reported that, if templated file names or templated output is used, a buffer overflow may be remotely triggered. The flaw is reported to be in the syslog-ng template macro expansion function, where a buffer length counter may fail to decrement when evaluating a constant character. According to the report, the specific number of bytes that exceed the allocated buffer depends on the exact template being used. If enough constant characters exist in the template string, the overflow may be exploitable.
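A simplified model of the counter flaw described above, added here as an illustration; it is not syslog-ng source and not part of the advisory. The function name `expand_overrun`, the single `$HOST` macro, the `left > 0` loop condition and the sample values are assumptions, and output goes to an oversized scratch buffer so the overrun is measured rather than triggered.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the template expander; not syslog-ng source.
 * Output goes to a scratch buffer far larger than `cap`, so the overrun
 * is measured instead of corrupting memory. Returns the bytes written
 * past the logical capacity `cap` (0 = bound held, -1 = input rejected).
 * patched = 0: constants never decrement `left` (pre-fix accounting)
 * patched = 1: `left` starts at cap - 1 and each constant decrements it */
static int expand_overrun(const char *tmpl, const char *host, int cap, int patched)
{
    char scratch[4096];
    char *p = scratch;
    int left = patched ? cap - 1 : cap;

    if (cap < 1 || cap > 1024 || strlen(tmpl) > 1024)
        return -1;                      /* keep the model inside scratch */
    while (*tmpl && left > 0) {
        if (strncmp(tmpl, "$HOST", 5) == 0) {
            int n = (int)strlen(host);
            if (n > left)
                n = left;               /* macro output is clipped to `left` */
            memcpy(p, host, (size_t)n);
            p += n;
            left -= n;
            tmpl += 5;
        } else {
            *p++ = *tmpl++;             /* constant character */
            if (patched)
                left--;                 /* the accounting the fix adds */
        }
    }
    *p = 0;
    int used = (int)(p - scratch) + 1;  /* include the terminator */
    return used > cap ? used - cap : 0;
}

int main(void)
{
    /* Constructed input: 14 constant characters followed by one macro. */
    const char *tmpl = "/var/log/____/$HOST";
    const char *host = "gateway.example.net";   /* constructed value */
    printf("pre-fix overrun: %d bytes\n", expand_overrun(tmpl, host, 16, 0));
    printf("patched overrun: %d bytes\n", expand_overrun(tmpl, host, 16, 1));
    return 0;
}
```

With the pre-fix accounting the overrun grows with the number of constant characters in the template, which is why the advisory ties exploitability to the exact template in use.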
Impact:
A remote user may be able to cause the daemon to crash or to execute arbitrary code.
Solution:
The vendor has released fixed versions (1.5.21 [devel] or 1.4.16 [stable]), available at:
http://www.balabit.hu/en/downloads/syslog-ng/downloads/
Also, a patch is available in the Source Message and at:
http://www.balabit.hu/static/zsa/ZSA-2002-014-en.txt
Vendor URL: www.balabit.hu/static/zsa/ZSA-2002-014-en.txt
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)
Message History: None.

Source Message Contents

Date: Thu, 10 Oct 2002 14:44:00 +0200
Subject: syslog-ng buffer overflow

----------------------------------------------------------------------------
PACKAGE : syslog-ng
VERSION : -1.4.15 (stable) and -1.5.20 (development)
SUMMARY : buffer overflow
TYPE : remote exploit
VULNERABLE: : exploitable (not in default configuration)
ZORP-OS SPECIFIC : No
ZSA-AUTHOR : Balazs Scheidler <balazs.scheidler@balabit.com>
ZSA-ID : ZSA-2002-014
DATE: : 2002-10-03 15:00
----------------------------------------------------------------------------

BACKGROUND:

Syslog-NG is a portable syslog implementation. Its highlights include
regexp based log selection, TCP transport and more.

For more information: http://www.balabit.hu/en/downloads/syslog-ng/

Zorp OS is a Debian GNU/Linux based operating system hardened for running
Zorp Professional modular application level firewall suite. Its core
framework allows the administrator to fine-tune proxy decisions (with its
built-in script language), and fully analyze complex protocols including
SSL embedded protocols.

For more information: http://www.balabit.hu/en/products/ZorpPro/

DESCRIPTION:

To make it easier to specify message destinations, syslog-ng supports
macros in destination filenames as the following log snippet shows:

    destination d_messages_by_host {
        file("/var/log/$HOST/messages");
    };

The same syntax is used when specifying the contents of destination files:

    destination d_special_messages {
        file("/var/log/messages" template("$ISODATE $HOST $MSG\n"));
    };

The problem lies in the way macro expansion handles constant characters
(i.e. everything other than macro references). As syslog-ng expands macros
it uses a buffer, and a variable called 'left', which contains the number of
characters available in the buffer. When a constant character is appended,
this variable is not decremented, thus when expanding macros incorrect
bounds checking is performed.

IMPACT:

If templated filenames or templated output is used, it is possible to
overflow a buffer. The number of bytes exceeding the allocated buffer
depends on the exact template being used.

It is believed that this overflow can be exploited, given enough constant
characters are present in the template string.

SOLUTION:

Upgrade syslog-ng to 1.5.21 (devel) or 1.4.16 (stable) or apply the
following patch:

diff -u -r1.52 -r1.53
--- affile.c 21 Aug 2002 14:03:50 -0000 1.52
+++ affile.c 27 Sep 2002 09:11:33 -0000 1.53
@@ -859,7 +859,7 @@
{ "SOURCEIP", M_SOURCE_IP }
};
char format[cfg->log_msg_size + 1], *format_ptr = format;
- int left = sizeof(format);
+ int left = sizeof(format) - 1;
int i, j;
i = 0;
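Review bot: The changed line `int left = sizeof(format) - 1;` needs a comment saying that the `- 1` keeps one byte back for the terminator written later by `*format_ptr = 0;`, otherwise a future cleanup can silently drop it. `left` is also a signed `int` initialised from a `size_t`; since every consumer now decrements it, the code that reads it should treat `left <= 0` as "full" rather than testing for exactly zero.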
@@ -888,6 +888,7 @@
*format_ptr = template->data[i];
format_ptr++;
i++;
+ left--;
}
}
*format_ptr = 0;
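Review bot: In the constant-character branch the new `left--;` comes after the store `*format_ptr = template->data[i];`, and none of the visible lines test `left` before that store. The decrement only protects the buffer if the enclosing loop condition (outside this hunk) stops once `left` reaches zero; please confirm that, or guard the store in this branch by breaking out when `left <= 0`. Without such a check, a template made up mostly of constant characters can still write past `format`, and the closing `*format_ptr = 0;` depends on the byte reserved in the first hunk.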

REFERENCES:

1. http://www.balabit.hu/static/zsa/ZSA-2002-014-en.txt
2. http://www.balabit.hu/en/downloads/syslog-ng/
3. http://www.balabit.hu/en/products/ZorpPro/

Höltzl Péter
BalaBit IT Kft | Tel: +36 1 371-0540 | GnuPG Fingerprint:
holtzl.peter@balabit.hu | Mobil: +36 20 366-9667 | DB30 5E5B 8777 C06F 5A1F
http://www.balabit.hu/ | Fax: +36 1 208-0875 | 4586 CEAF 9678 4A89 CFD6