Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Syslog-ng Vendors:   Scheidler, Balazs
Syslog-ng Buffer Overflow in Macro Expansion of Template Names May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1005404
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 10 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.4.15 (stable); 1.5.20 (development)
Description:   A buffer overflow vulnerability was reported in syslog-ng. A remote user may be able to cause the daemon to crash or to execute arbitrary code in certain configurations.

It is reported that, if templated file names or templated output is used, a buffer overflow may be remotely triggered. The flaw is reported to be in the syslog-ng template macro expansion function, where a buffer length counter may fail to decrement when evaluating a constant character. According to the report, the specific number of bytes that exceed the allocated buffer depends on the exact template being used. If enough constant characters exist in the template string, the overflow may be exploitable.

Impact:   A remote user may be able to cause the daemon to crash or to execute arbitrary code.
Solution:   The vendor has released fixed versions (1.5.21 [devel] or 1.4.16 [stable]), available at:

Also, a patch is available in the Source Message and at:

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  syslog-ng buffer overflow

PACKAGE           : syslog-ng
VERSION           : -1.4.15 (stable) and -1.5.20 (development)
SUMMARY           : buffer overflow
TYPE              : remote exploit
VULNERABLE:       : exploitable (not in default configuration)
ZSA-AUTHOR        : Balazs Scheidler <>
ZSA-ID            : ZSA-2002-014
DATE:             : 2002-10-03 15:00


  Syslog-NG is a portable syslog implementation. Its highlights include 
  regexp based log selection, TCP transport and more.
  For more information:

  Zorp OS is a Debian GNU/Linux based operating system hardened for running 
  Zorp Professional modular application level firewall suite. Its core
  framework allows the administrator to finetune proxy decisions (with its
  built-in script language), and fully analyze complex protocols including
  SSL embedded protocols.
  For more information:


  To make it easier to specify message destinations, syslog-ng supports
  macros in destination filenames as the following log snippet shows:

  destination d_messages_by_host {

  The same syntax is used when specifying the contents of destination files:

  destination d_special_messages {
        file("/var/log/messages" template("$ISODATE $HOST $MSG\n"));

  The problem lies in the way macro expansion handles constant characters. 
  (ie everything other than macro references). As syslog-ng expands macros 
  it usesa buffer, and a variable called 'left', which contains the number of
  characters available in the buffer. When a constant character is appended,
  this variable is not decremented, thus when expanding macros incorrect
  bounds checking is performed.


  If templated filenames or templated output is used, it is possible to
  overflow a buffer. The number of bytes exceeding the allocated buffer
  depends on the exact template being used.

  It is believed that this overflow can be exploited, given enough constant
  characters are present in the template string.


  Upgrade syslog-ng to 1.5.21 (devel) or 1.4.16 (stable) or apply the
  following patch:

diff -u -r1.52 -r1.53
--- affile.c    21 Aug 2002 14:03:50 -0000      1.52
+++ affile.c    27 Sep 2002 09:11:33 -0000      1.53
@@ -859,7 +859,7 @@
                { "SOURCEIP", M_SOURCE_IP }
        char format[cfg->log_msg_size + 1], *format_ptr = format;
-       int left = sizeof(format);
+       int left = sizeof(format) - 1;
        int i, j;

        i = 0;
@@ -888,6 +888,7 @@
                        *format_ptr = template->data[i];
+                       left--;
        *format_ptr = 0;


BalaBit IT Kft          | Tel:   +36  1 371-0540 | GnuPG Fingerprint: | Mobil: +36 20 366-9667 | DB30 5E5B 8777 C06F 5A1F  | Fax:   +36  1 208-0875 | 4586 CEAF 9678 4A89 CFD6


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC