From owner-freebsd-security Mon Aug 28 20:35:15 1995
Date: Mon, 28 Aug 1995 23:29:54 -0400 (EDT)
From: "Jonathan M. Bresler"
Subject: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
To: security@freebsd.org

from a quick perusal of the syslog.c that we have in -stable, i'd say
that FreeBSD is vulnerable to this attack. our syslog has fixed size
buffers and uses sprintf to write to them. should be changed to
snprintf--a quick perusal says that should do the trick

shades of rtm

jmb

Jonathan M. Bresler  jmb@kryten.atinc.com | Analysis & Technology, Inc.
FreeBSD Postmaster   jmb@FreeBSD.Org      | 2341 Jeff Davis Hwy
play go.                                  | Arlington, VA 22202
ride bike.  hack FreeBSD.--ah the good life | 703-418-2800 x346

---------- Forwarded message ----------
Date: Tue, 29 Aug 1995 02:33:37 +0100 (BST)
From: [8LGM] Security Team <8lgm@8lgm.org>
To: 8lgm-advisories@8lgm.org, bugtraq@crimelab.com, firewalls@greatcircle.com
Subject: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

=============================================================================
Virtual Domain Hosting Services provided by The FOURnet Information Network
mail webserv@FOUR.net or see http://www.four.net
=============================================================================

[8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

VULNERABLE PROGRAMS:

    All programs calling syslog(3) with user supplied data, without
    checking argument lengths.
KNOWN VULNERABLE PLATFORMS:

    SunOS 4.1.*

KNOWN SECURE PLATFORMS:

    None at present.

DESCRIPTION:

    syslog(3) uses an internal buffer to build messages. However it
    performs no bound checking, and relies on the caller to check
    arguments passed to it.

IMPACT:

    Local and remote users can obtain root access.

REPEAT BY:

    We have written an example exploit to overwrite syslog(3)'s
    internal buffer using SunOS sendmail(8). However due to the
    severity of this problem, this code will not be made available
    to anyone at this time. Please note that the exploit was fairly
    straightforward to put together, therefore expect exploits to be
    widely available soon after the release of this advisory.

    Here is an edited sample of using a modified telnet client to
    obtain a root shell through SunOS sendmail(8) on a sparc based
    machine.

    legless[8lgm]% syslog_telnet localhost smtp
    Trying 127.0.0.1 ...
    Connected to localhost.
    Escape character is '^]'.
    220 legless.8lgm.org Sendmail 4.1/SMI-4.1 ready at Sun,\
        27 Aug 95 15:56:27 BST
    mail from: root
    250 root... Sender ok
    rcpt to: root
    250 root... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    ^]
    syslog_telnet>
    ### At this point, we provide some information to the modified
    ### telnet client about the remote host. Then sparc instructions
    ### are sent over the link within the body of the message to
    ### execute a shell.
    ###
    ### As soon as data is finished (with .), sendmail will eventually
    ### report, through syslog(3), data about this message. syslog's
    ### internal buffer will be overwritten, and our supplied
    ### instructions are executed.
    Hit , then .
    .
    /usr/bin/id;
    uid=0(root) gid=0(wheel) groups=0(wheel)
    /bin/sh: ^M: not found
    uptime;
     3:57pm  up  1:25,  5 users,  load average: 0.11, 0.05, 0.00
    /bin/sh: ^M: not found
    exit;
    Connection closed by foreign host.
    ### Here we can see that sendmail has execed a shell as root,
    ### and that we can type commands. (lines ending in ; are
    ### user input through the telnet client).
    ###
    ### This exploit could be further expanded upon to encapsulate
    ### instructions within the body of a message, which can then
    ### be mailed out to a site (ie without the necessity to connect
    ### directly to the smtp port). This may be used to bypass
    ### firewalls.

WORKAROUNDS:

    We have two methods to ensure that syslog(3) can not be used in
    the above manner.

    Fix syslog(3), to perform bound checking. Shared libraries can be
    then fixed to use the new function. Statically linked programs
    will require rebuilding.

    Alternatively, ensure all calls to syslog(3), by all programs,
    check all arguments passed to syslog(3).

    Ideally both of the above should be implemented.

FIX:

    Contact vendors for fixes.

STATUS UPDATE:

    The file:

        [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995.README

    will be created on www.8lgm.org. This will contain updates on
    any further versions which are found to be vulnerable, and any
    other information received pertaining to this advisory.

-----------------------------------------------------------------------
FEEDBACK AND CONTACT INFORMATION:

    majordomo@8lgm.org  (Mailing list requests - try 'help' for details)
    8lgm@8lgm.org       (Everything else)

8LGM FILESERVER:

    All [8LGM] advisories may be obtained via the [8LGM] fileserver.
    For details, 'echo help | mail 8lgm-fileserver@8lgm.org'

8LGM WWW SERVER:

    [8LGM]'s web server can be reached at http://www.8lgm.org.
    This contains details of all 8LGM advisories and other useful
    information.
===========================================================================
--
-----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver@8lgm.org   (Fileserver help)
majordomo@8lgm.org                            (Request to be added to list)
8lgm@8lgm.org                                 (General enquiries)
******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********

From owner-freebsd-security Tue Aug 29 00:49:51 1995
Date: Tue, 29 Aug 1995 00:49:50 -0700
From: Paul Traina
Message-Id: <199508290749.AAA16552@freefall.FreeBSD.org>
To: security
Subject: please code review proposed fix for syslog problem

Index: lib/libc/gen/syslog.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/gen/syslog.c,v
retrieving revision 1.2
diff -c -r1.2 syslog.c
*** 1.2 1995/05/02 17:46:30
--- syslog.c 1995/08/29 07:49:14
*************** *** 101,106 **** --- 101,108 ---- char *stdp, tbuf[2048], fmt_cpy[1024]; #define INTERNALLOG LOG_ERR|LOG_CONS|LOG_PERROR|LOG_PID + #define SPACELEFT(X) (sizeof(tbuf) - ((X) - tbuf)) + /* Check for invalid bits. */ if (pri & ~(LOG_PRIMASK|LOG_FACMASK)) { syslog(INTERNALLOG, *************** *** 120,136 **** /* Build the message. */ (void)time(&now); ! p = tbuf + sprintf(tbuf, "<%d>", pri); ! p += strftime(p, sizeof (tbuf) - (p - tbuf), "%h %e %T ", ! localtime(&now)); if (LogStat & LOG_PERROR) stdp = p; if (LogTag == NULL) LogTag = __progname; if (LogTag != NULL) ! p += sprintf(p, "%s", LogTag); if (LogStat & LOG_PID) ! p += sprintf(p, "[%d]", getpid()); if (LogTag != NULL) { *p++ = ':'; *p++ = ' '; --- 122,137 ---- /* Build the message. */ (void)time(&now); !
p = tbuf + snprintf(tbuf, sizeof(tbuf), "<%d>", pri); ! p += strftime(p, SPACELEFT(p), "%h %e %T ", localtime(&now)); if (LogStat & LOG_PERROR) stdp = p; if (LogTag == NULL) LogTag = __progname; if (LogTag != NULL) ! p += snprintf(p, SPACELEFT(p), "%s", LogTag); if (LogStat & LOG_PID) ! p += snprintf(p, SPACELEFT(p), "[%d]", getpid()); if (LogTag != NULL) { *p++ = ':'; *p++ = ' '; *************** *** 140,151 **** for (t = fmt_cpy; ch = *fmt; ++fmt) if (ch == '%' && fmt[1] == 'm') { ++fmt; ! t += sprintf(t, "%s", strerror(saved_errno)); } else *t++ = ch; *t = '\0'; ! p += vsprintf(p, fmt_cpy, ap); cnt = p - tbuf; /* Output to stderr if requested. */ --- 141,153 ---- for (t = fmt_cpy; ch = *fmt; ++fmt) if (ch == '%' && fmt[1] == 'm') { ++fmt; ! t += snprintf(t, sizeof(fmt_cpy) - (t - fmt_cpy), "%s", ! strerror(saved_errno)); } else *t++ = ch; *t = '\0'; ! p += vsnprintf(p, SPACELEFT(p), fmt_cpy, ap); cnt = p - tbuf; /* Output to stderr if requested. */
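Review bot: the SPACELEFT(X) macro added in the 101,108 hunk, `(sizeof(tbuf) - ((X) - tbuf))`, is an unsigned size_t expression, so once X has moved past tbuf + sizeof(tbuf) it does not go negative but wraps to a value near SIZE_T_MAX, and every later strftime/snprintf/vsnprintf call that is passed SPACELEFT(p) gets an enormous bound. Suggest clamping in the macro itself, e.g. `#define SPACELEFT(X) ((X) < tbuf + sizeof(tbuf) ? sizeof(tbuf) - ((X) - tbuf) : 0)`, so an out-of-range cursor yields 0 rather than a huge size.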
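Review bot: in the 120,137 hunk, `p += snprintf(p, SPACELEFT(p), "%s", LogTag);` and `p += snprintf(p, SPACELEFT(p), "[%d]", getpid());` advance p by snprintf's return value, which is the length the output would have had rather than the number of bytes stored, so a LogTag longer than the remaining space leaves p pointing beyond tbuf; the unchanged `*p++ = ':'; *p++ = ' ';` that follow are still unbounded stores. Suggest clamping p after each call (`if (p > tbuf + sizeof(tbuf) - 1) p = tbuf + sizeof(tbuf) - 1;`) and guarding the two character stores with a `SPACELEFT(p) > 2` test.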
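Review bot: the 141,153 hunk leaves the format-copy loop unbounded: `*t++ = ch;` and the trailing `*t = '\0';` have no check against sizeof(fmt_cpy), and `t += snprintf(t, sizeof(fmt_cpy) - (t - fmt_cpy), "%s", strerror(saved_errno));` advances t by the would-be length, after which `sizeof(fmt_cpy) - (t - fmt_cpy)` wraps to a huge size_t on the next pass. The same return-value issue applies to `p += vsnprintf(p, SPACELEFT(p), fmt_cpy, ap);`, so the following `cnt = p - tbuf;` can exceed sizeof(tbuf). Suggest a `if (t >= fmt_cpy + sizeof(fmt_cpy) - 1) break;` before each store in the loop, and clamping t and p to the last byte of their arrays after each snprintf/vsnprintf (or tracking remaining space in a separate size_t decremented by the smaller of the return value and space - 1).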
From owner-freebsd-security Tue Aug 29 01:12:32 1995
From: "[8LGM] Security Team" <8lgm@8lgm.org>
Message-Id: <199508290133.CAA15517@8lgm.org>
Subject: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
To: 8lgm-advisories@8lgm.org, bugtraq@crimelab.com, firewalls@greatcircle.com
Date: Tue, 29 Aug 1995 02:33:37 +0100 (BST)

From owner-freebsd-security Tue Aug 29 01:44:33 1995
From: guido@spooky.lss.cp.philips.com (Guido van Rooij)
Subject: Re: please code review proposed fix for syslog problem
To: pst@freefall.FreeBSD.org (Paul Traina)
Date: Tue, 29 Aug 1995 10:43:44 +0200 (MET DST)
Cc: security@freefall.FreeBSD.org
In-Reply-To: <199508290749.AAA16552@freefall.FreeBSD.org> from "Paul Traina" at Aug 29, 95
00:49:50 am
Reply-To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij)

I think the general idea is good. A few changes have been added. Marked
all with XXX

One question: what if SPACELEFT(X) is smaller than zero?
snprintf assumes size_t which is unsigned....Should this be guarded
against? (I always mix up signed unsigned operations and am
too lazy to look it up right now)

-Guido

> *************** > *** 120,136 **** > > /* Build the message. */ > (void)time(&now); > ! p = tbuf + sprintf(tbuf, "<%d>", pri); > ! p += strftime(p, sizeof (tbuf) - (p - tbuf), "%h %e %T ", > ! localtime(&now)); > if (LogStat & LOG_PERROR) > stdp = p; > if (LogTag == NULL) > LogTag = __progname; > if (LogTag != NULL) > ! p += sprintf(p, "%s", LogTag); > if (LogStat & LOG_PID) > ! p += sprintf(p, "[%d]", getpid()); > if (LogTag != NULL) { > *p++ = ':'; > *p++ = ' '; > --- 122,137 ---- > > /* Build the message. */ > (void)time(&now); > ! p = tbuf + snprintf(tbuf, sizeof(tbuf), "<%d>", pri); > ! p += strftime(p, SPACELEFT(p), "%h %e %T ", localtime(&now)); > if (LogStat & LOG_PERROR) > stdp = p; > if (LogTag == NULL) > LogTag = __progname; > if (LogTag != NULL) > ! p += snprintf(p, SPACELEFT(p), "%s", LogTag); > if (LogStat & LOG_PID) > ! p += snprintf(p, SPACELEFT(p), "[%d]", getpid()); > if (LogTag != NULL) { > *p++ = ':'; > *p++ = ' '; ^^^ can overwrite outside of the buffer as well.XXX > *************** > *** 140,151 **** > for (t = fmt_cpy; ch = *fmt; ++fmt) > if (ch == '%' && fmt[1] == 'm') { > ++fmt; > ! t += sprintf(t, "%s", strerror(saved_errno)); > } else > *t++ = ch; > *t = '\0'; > > ! p += vsprintf(p, fmt_cpy, ap); > cnt = p - tbuf; > > /* Output to stderr if requested. */ > --- 141,153 ---- > for (t = fmt_cpy; ch = *fmt; ++fmt) > if (ch == '%' && fmt[1] == 'm') { > ++fmt; > !
t += snprintf(t, sizeof(fmt_cpy) - (t - fmt_cpy), "%s", > ! strerror(saved_errno)); > } else > *t++ = ch; ^^^^^^^^^ can write outside fmt_copy as wellXXX > *t = '\0'; ^^^^^^^^^ can write outside fmt_copy as wellXXX > > ! p += vsnprintf(p, SPACELEFT(p), fmt_cpy, ap); > cnt = p - tbuf; > > /* Output to stderr if requested. */ >

From owner-freebsd-security Tue Aug 29 11:14:37 1995
Date: Wed, 30 Aug 1995 04:11:41 +1000
From: Bruce Evans
Message-Id: <199508291811.EAA28657@godzilla.zeta.org.au>
To: jmb@kryten.Atinc.COM, security@freebsd.org
Subject: Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)

>from a quick perusal of the syslog.c that we have in -stable, i'd say
>that FreeBSD is vulnerable to this attack. our syslog has fixed size
>buffers and uses sprintf to write to them. should be changed to
>snprintf--a quick perusal says that should do the trick

>shades of rtm

Anyone for execute-protected data by default if the machine can support
it? Programs that want to execute data should have to request it and
everything else would be more secure.
Bruce

From owner-freebsd-security Tue Aug 29 13:02:45 1995
From: Mark Hittinger
Message-Id: <199508292007.QAA01140@ns1.win.net>
Subject: libc seeking/finding
To: security@freebsd.org
Date: Tue, 29 Aug 1995 16:07:56 -0400 (EDT)

I'm rebuilding a number of images due to the recent libc change. I can
locate all the statically linked images and take care of them. I just
realized that I might have a lot of dynamically linked images that are
using the older libc.so.* modules. Does anybody know of a slick way to
hunt down the images that are using the older libc's?
Regards,

Mark Hittinger
bugs@win.net

From owner-freebsd-security Tue Aug 29 14:24:36 1995
Date: Wed, 30 Aug 1995 07:21:24 +1000
From: Bruce Evans
Message-Id: <199508292121.HAA01499@godzilla.zeta.org.au>
To: guido@spooky.lss.cp.philips.com, pst@freefall.FreeBSD.org
Subject: Re: please code review proposed fix for syslog problem
Cc: security@freefall.FreeBSD.org

>One question: what if SPACELEFT(X) is smaller than zero?
>snprintf assumes size_t which is unsigned....Should this be guarded
>against? (I always mix up signed unsigned operations and am
>too lazy to look it up right now)

Yes, it should. However, all of the SPACELEFT()s except the one in the
loop for copying the format are guaranteed to be large and positive
unless LogTag is unreasonably long. The problems only start occurring
when user-supplied data is handled.

>>	if (LogTag != NULL) {
>>		*p++ = ':';
>>		*p++ = ' ';
>		^^^ can overwrite outside of the buffer as well.XXX

Not a big problem, because the user data hasn't been handled yet.

>>	for (t = fmt_cpy; ch = *fmt; ++fmt)
>>		if (ch == '%' && fmt[1] == 'm') {
>>			++fmt;
>> !			t += snprintf(t, sizeof(fmt_cpy) - (t - fmt_cpy), "%s",
>> !			    strerror(saved_errno));

Another bug: snprintf() returns the number of chars that would be
printed if they fitted, so t may end up after the end of the array.
This causes pedantically undefined behaviour. In practice,
(t - fmt_cpy) will probably be > sizeof(fmt_cpy), so the space will be
"negative" (actually about SIZE_T_MAX).
Robust library code sure is hard to write. I prefer kernel code :-).

Bruce

From owner-freebsd-security Tue Aug 29 16:29:47 1995
Date: Tue, 29 Aug 1995 19:23:36 -0400 (EDT)
From: "Jonathan M. Bresler"
Subject: Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
To: Bruce Evans
cc: security@freebsd.org
In-Reply-To: <199508291811.EAA28657@godzilla.zeta.org.au>

On Wed, 30 Aug 1995, Bruce Evans wrote:

> >from a quick perusal of the syslog.c that we have in -stable, i'd say
> >that FreeBSD is vulnerable to this attack. our syslog has fixed size
> >buffers and uses sprintf to write to them. should be changed to
> >snprintf--a quick perusal says that should do the trick
>
> >shades of rtm
>
> Anyone for execute-protected data by default if the machine can support
> it? Programs that want to execute data should have to request it and
> everything else would be more secure.

	the segment descriptors support the text (code) vs data
identification. this would be a big win regarding security (and writing
to wild pointers that hit your own code segment ;)

	we should still examine all the system libraries for similar
problems (buffer overrun). this was the exact same problem that rtm used
to compromise fingerd, it used gets(), syslog() used sprintf().

>
> Bruce
>

Jonathan M. Bresler  jmb@kryten.atinc.com | Analysis & Technology, Inc.
FreeBSD Postmaster   jmb@FreeBSD.Org      | 2341 Jeff Davis Hwy
play go.                                  | Arlington, VA 22202
ride bike.
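As an added illustration of the points raised around Paul Traina's patch (Guido's question about SPACELEFT() going "negative" as an unsigned size_t, the unchecked `*p++ = ':'` stores, and Bruce's observation that snprintf() returns the length it would have written, so `p += snprintf(...)` can carry the cursor past the end of the array), here is a small bounded message builder written for this page. It is not FreeBSD's syslog.c and not code from the thread; the names msgbuf_t, mb_append, mb_putc, expand_errno, naive_cursor and build_log_line are the example's own, and the 64-byte line buffer and the 100-byte "user" string in main are constructed so that truncation is visible.

```c
/* Added example for this page (not FreeBSD's syslog.c, not code from the
 * thread): a bounded message builder whose write cursor never leaves the
 * buffer, so "space left" cannot wrap to a huge size_t and no byte is ever
 * stored past the end.  All names are the example's own. */
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char *buf;      /* caller's storage */
    size_t size;    /* capacity including the terminating NUL */
    size_t len;     /* bytes stored; invariant: len < size */
    int truncated;  /* set once anything failed to fit */
} msgbuf_t;

static void mb_init(msgbuf_t *mb, char *storage, size_t size)
{
    mb->buf = storage; mb->size = size; mb->len = 0; mb->truncated = 0;
    if (size > 0) storage[0] = '\0';
}

/* vsnprintf() never writes past buf[size-1] by itself; the review's point is
 * the cursor arithmetic afterwards, so advance only by what actually fitted. */
static void mb_vappend(msgbuf_t *mb, const char *fmt, va_list ap)
{
    size_t space = mb->size - mb->len;         /* >= 1 because len < size */
    int n = mb->size ? vsnprintf(mb->buf + mb->len, space, fmt, ap) : -1;
    if (n >= 0 && (size_t)n < space)
        mb->len += (size_t)n;                  /* fitted entirely */
    else {                                     /* did not fit: clamp, never wrap */
        mb->len = mb->size ? mb->size - 1 : 0;
        mb->truncated = 1;
    }
}

static void mb_append(msgbuf_t *mb, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    mb_vappend(mb, fmt, ap);
    va_end(ap);
}

/* Bounded equivalent of the patch's unchecked "*p++ = ':';". */
static void mb_putc(msgbuf_t *mb, char c)
{
    if (mb->len + 1 >= mb->size) { mb->truncated = 1; return; }
    mb->buf[mb->len++] = c;
    mb->buf[mb->len] = '\0';
}

/* The patch's fmt_cpy loop made bounded: copy fmt, expanding "%m" to
 * strerror(saved_errno).  As in syslog(3), fmt itself is trusted. */
static void expand_errno(msgbuf_t *out, const char *fmt, int saved_errno)
{
    for (; *fmt != '\0'; ++fmt) {
        if (fmt[0] == '%' && fmt[1] == 'm') {
            ++fmt;
            mb_append(out, "%s", strerror(saved_errno));
        } else
            mb_putc(out, *fmt);
    }
}

/* What the patch's "p += snprintf(p, SPACELEFT(p), "%s", s)" computes:
 * snprintf() returns the length the output would have had, so the cursor
 * comes back as len + strlen(s) even when s did not fit.  Nothing is written
 * out of bounds here; the cursor is simply wrong, and size - cursor wraps. */
static size_t naive_cursor(char *buf, size_t size, size_t len, const char *s)
{
    return len + (size_t)snprintf(buf + len, size - len, "%s", s);
}

/* Build "<pri>tag[pid]: message" into out; returns the stored length. */
static size_t build_log_line(char *out, size_t outsz, int pri, const char *tag,
                             int pid, int saved_errno, const char *fmt, ...)
{
    char fmt_cpy[128];
    msgbuf_t line, fcopy;
    va_list ap;

    mb_init(&line, out, outsz);
    mb_append(&line, "<%d>", pri);
    if (tag != NULL) mb_append(&line, "%s", tag);
    if (pid > 0) mb_append(&line, "[%d]", pid);
    if (tag != NULL) { mb_putc(&line, ':'); mb_putc(&line, ' '); }

    mb_init(&fcopy, fmt_cpy, sizeof fmt_cpy);
    expand_errno(&fcopy, fmt, saved_errno);
    va_start(ap, fmt);
    mb_vappend(&line, fmt_cpy, ap);            /* user data arrives via ap */
    va_end(ap);
    return line.len;
}

int main(void)
{
    char big[101], line[64];
    memset(big, 'A', 100); big[100] = '\0';    /* constructed 100-byte "user" string */
    printf("naive cursor %zu for a %zu-byte buffer\n",
           naive_cursor(line, sizeof line, 0, big), sizeof line);
    build_log_line(line, sizeof line, 30, "sendmail", 123, ENOENT, "from=%s: %m", big);
    printf("bounded: %s\n", line);
    return 0;
}
```

With the 100-byte string, naive_cursor reports an offset of 100 for a 64-byte buffer, which is exactly the state in which a SPACELEFT()-style subtraction wraps; build_log_line instead stops at 63 stored bytes with the truncated flag set, and the remaining-space value stays at 1.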
hack FreeBSD.--ah the good life | 703-418-2800 x346

From owner-freebsd-security Tue Aug 29 17:00:03 1995
From: Mark Hittinger
Message-Id: <199508300005.UAA28922@ns1.win.net>
Subject: Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
To: security@freebsd.org
Date: Tue, 29 Aug 1995 20:05:12 -0400 (EDT)

> > >shades of rtm
> > Anyone for execute-protected data by default if the machine can support
> > it? Programs that want to execute data should have to request it and
> > everything else would be more secure.
> the segment descriptors support the text (code) vs data
> identification. this would be a big win regarding security (and writing
> to wild pointers that hit your own code segment ;)

YES!

> we should still examine all the system libraries for similar
> problems (buffer overrun). this was the exact same problem that rtm used
> to compromise fingerd, it used gets(), syslog() used sprintf().
>

The RPC stuff seems to use this also. "strcpy" is also a bad boy.
Regards,

Mark Hittinger
bugs@win.net

From owner-freebsd-security Tue Aug 29 17:55:00 1995
Date: Wed, 30 Aug 1995 10:47:12 +1000
From: Bruce Evans
Message-Id: <199508300047.KAA09866@godzilla.zeta.org.au>
To: bde@zeta.org.au, jmb@kryten.Atinc.COM
Subject: Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
Cc: security@freebsd.org

>> Anyone for execute-protected data by default if the machine can support
>> it? Programs that want to execute data should have to request it and
>> everything else would be more secure.

> the segment descriptors support the text (code) vs data
>identification. this would be a big win regarding security (and writing
>to wild pointers that hit your own code segment ;)

Segment descriptors don't help for the second point because the code and
data segments have the same base (virtual address 0). However, text
pages should be write protected at the page level. The code segment
doesn't need to overlap the data segment but it's more convenient when
it does and I don't think gnu ld supports separate I&D.
Bruce

From owner-freebsd-security Tue Aug 29 19:07:08 1995
From: "Rodney W. Grimes"
Message-Id: <199508300205.TAA05481@gndrsh.aac.dev.com>
Subject: Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
To: bde@zeta.org.au (Bruce Evans)
Date: Tue, 29 Aug 1995 19:05:33 -0700 (PDT)
Cc: jmb@kryten.atinc.com, security@freebsd.org
In-Reply-To: <199508291811.EAA28657@godzilla.zeta.org.au> from "Bruce Evans" at Aug 30, 95 04:11:41 am

>
> >from a quick perusal of the syslog.c that we have in -stable, i'd say
> >that FreeBSD is vulnerable to this attack. our syslog has fixed size
> >buffers and uses sprintf to write to them. should be changed to
> >snprintf--a quick perusal says that should do the trick
>
> >shades of rtm
>
> Anyone for execute-protected data by default if the machine can support
> it? Programs that want to execute data should have to request it and
> everything else would be more secure.

Yes, good idea, wonder how many programs are going to sigbus on us after
you implement this :-).
--
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                 Reliable computers for FreeBSD

From owner-freebsd-security Wed Aug 30 00:42:55 1995
To: "Jonathan M. Bresler"
cc: Bruce Evans, security@freebsd.org
Subject: Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
In-reply-to: Your message of "Tue, 29 Aug 1995 19:23:36 EDT."
Date: Wed, 30 Aug 1995 00:40:04 -0700
Message-ID: <549.809768404@critter.tfs.com>
From: Poul-Henning Kamp

> On Wed, 30 Aug 1995, Bruce Evans wrote:
>
> > >from a quick perusal of the syslog.c that we have in -stable, i'd say
> > >that FreeBSD is vulnerable to this attack. our syslog has fixed size
> > >buffers and uses sprintf to write to them. should be changed to
> > >snprintf--a quick perusal says that should do the trick
> >
> > >shades of rtm
> >
> > Anyone for execute-protected data by default if the machine can support
> > it? Programs that want to execute data should have to request it and
> > everything else would be more secure.
>
> 	the segment descriptors support the text (code) vs data
> identification. this would be a big win regarding security (and writing
> to wild pointers that hit your own code segment ;)

Why didn't we think of that before ?

I don't think I have ever seen a program execute anything in the datasegment,
so we should have little trouble with this...

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk   Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Just that: dried leaves in boiling water ?

From owner-freebsd-security Wed Aug 30 01:59:01 1995
Message-Id: <199508300859.BAA04030@corbin.Root.COM>
To: Poul-Henning Kamp
cc: "Jonathan M. Bresler", Bruce Evans, security@freebsd.org
Subject: Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
In-reply-to: Your message of "Wed, 30 Aug 95 00:40:04 PDT." <549.809768404@critter.tfs.com>
From: David Greenman
Reply-To: davidg@Root.COM
Date: Wed, 30 Aug 1995 01:59:25 -0700

>> the segment descriptors support the text (code) vs data
>> identification. this would be a big win regarding security (and writing
>> to wild pointers that hit your own code segment ;)
>
>Why didn't we think of that before ?
>
>I don't think I have ever seen a program execute anything in the datasegment,
>so we should have little trouble with this...

Umm, and how are you going to deal with shared libraries or other mapped
files that you wish to execute? The best you could hope for would be to
limit the code segment to below the stack (to prevent execution of stuff on
the stack), but I don't think this would affect the recent syslog problem -
wasn't the stack buffer allocated from the data segment?
-DG

From owner-freebsd-security Wed Aug 30 02:50:24 1995
From: "Erik E. Fair" (Internet Architect)
Subject: SECURITY ALERT: syslog(3)
To: staff@apple.com, cog@taurus.apple.com
Cc: netbsd-bugs@NetBSD.ORG
Date: Tue, 29 Aug 95 11:13:50 -0700
Message-Id: <15616.809720030@apple.com>
Resent-To: security@freebsd.org
Resent-Date: Wed, 30 Aug 1995 02:48:36 -0700
Resent-Message-ID: <2787.809776116@time.cdrom.com>
Resent-From: "Jordan K. Hubbard"

------- Forwarded Message

Message-Id: <199508291533.IAA18524@mastodon.CS.Berkeley.EDU>
To: sendmail-vendors@mastodon.CS.Berkeley.EDU, sendmail-beta@mastodon.CS.Berkeley.EDU
From: Eric Allman
Cc: Edward DeHart
Subject: SECURITY ALERT: syslog(3)
Date: Tue, 29 Aug 1995 08:33:00 -0700

This problem is arguably incidental to sendmail, but it is clear that
sendmail is one vector for the attack.

Enclosed is the 8lgm announcement and an updated version of syslog(3)
(based on the 4.4bsd version -- YMMV) that tries to get around the
problem. Note that it does a better job if you have vsnprintf available.

This has not been extensively tested, and I know that it is a bit rough;
in particular, it doesn't compile on systems that have changed the return
value of syslog from void to int (e.g., OSF/1). The changes should be
pretty obvious there. I have tried to make it possible for it to work
with the vendor file, but I'm including that anyhow just in case you want
to take the whole thing.

Please let me know if you encounter any problems or make any enhancements.
I'll probably post something more publicly in a day or two.

eric

- ------- Forwarded Message

Date: Tue, 29 Aug 1995 03:18:01 GMT
From: "[8lgm] Security Team" <8lgm@8lgm.org>
Reply-To: "[8lgm] Security Team" <8lgm@8lgm.org>
To: "comp.mail.sendmail mail newsgroup"
Subject: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

=============================================================================
 Virtual Domain Hosting Services provided by The FOURnet Information Network
           mail webserv@FOUR.net or see http://www.four.net
=============================================================================

[8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

VULNERABLE PROGRAMS:

	All programs calling syslog(3) with user supplied data, without
	checking argument lengths.

KNOWN VULNERABLE PLATFORMS:

	SunOS 4.1.*

KNOWN SECURE PLATFORMS:

	None at present.

DESCRIPTION:

	syslog(3) uses an internal buffer to build messages. However it
	performs no bound checking, and relies on the caller to check
	arguments passed to it.

IMPACT:

	Local and remote users can obtain root access.

REPEAT BY:

	We have written an example exploit to overwrite syslog(3)'s internal
	buffer using SunOS sendmail(8). However due to the severity of this
	problem, this code will not be made available to anyone at this time.

	Please note that the exploit was fairly straightforward to put
	together, therefore expect exploits to be widely available soon after
	the release of this advisory.

	Here is an edited sample of using a modified telnet client to obtain
	a root shell through SunOS sendmail(8) on a sparc based machine.

	legless[8lgm]% syslog_telnet localhost smtp
	Trying 127.0.0.1 ...
	Connected to localhost.
	Escape character is '^]'.
	220 legless.8lgm.org Sendmail 4.1/SMI-4.1 ready at Sun,\
	   27 Aug 95 15:56:27 BST
	mail from: root
	250 root... Sender ok
	rcpt to: root
	250 root... Recipient ok
	data
	354 Enter mail, end with "." on a line by itself
	^]
	syslog_telnet>

	### At this point, we provide some information to the modified
	### telnet client about the remote host. Then sparc instructions
	### are sent over the link within the body of the message to
	### execute a shell.
	###
	### As soon as data is finished (with .), sendmail will eventually
	### report, through syslog(3), data about this message. syslog's
	### internal buffer will be overwritten, and our supplied
	### instructions are executed.

	Hit , then .
	.
	/usr/bin/id;
	uid=0(root) gid=0(wheel) groups=0(wheel)
	/bin/sh: ^M: not found
	uptime;
	3:57pm up 1:25, 5 users, load average: 0.11, 0.05, 0.00
	/bin/sh: ^M: not found
	exit;
	Connection closed by foreign host.

	### Here we can see that sendmail has execed a shell as root,
	### and that we can type commands. (lines ending in ; are
	### user input through the telnet client).
	###
	### This exploit could be further expanded upon to encapsulate
	### instructions within the body of a message, which can then
	### be mailed out to a site (ie without the necessity to connect
	### directly to the smtp port). This may be used to bypass
	### firewalls.

WORKAROUNDS:

	We have two methods to ensure that syslog(3) can not be used in
	the above manner.

	Fix syslog(3), to perform bound checking. Shared libraries can be
	then fixed to use the new function. Statically linked programs will
	require rebuilding.

	Alternatively, ensure all calls to syslog(3), by all programs,
	check all arguments passed to syslog(3).

	Ideally both of the above should be implemented.

FIX:

	Contact vendors for fixes.

STATUS UPDATE:

	The file:

		[8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995.README

	will be created on www.8lgm.org. This will contain updates on any
	further versions which are found to be vulnerable, and any other
	information received pertaining to this advisory.
- - -----------------------------------------------------------------------
FEEDBACK AND CONTACT INFORMATION:

	majordomo@8lgm.org	(Mailing list requests - try 'help' for details)
	8lgm@8lgm.org		(Everything else)

8LGM FILESERVER:

	All [8LGM] advisories may be obtained via the [8LGM] fileserver.
	For details, 'echo help | mail 8lgm-fileserver@8lgm.org'

8LGM WWW SERVER:

	[8LGM]'s web server can be reached at http://www.8lgm.org.
	This contains details of all 8LGM advisories and other useful
	information.

===========================================================================

- - --
- - -----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver@8lgm.org  (Fileserver help)
majordomo@8lgm.org                           (Request to be added to list)
8lgm@8lgm.org                                (General enquiries)
******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********

- ------- End of Forwarded Message

- ------- syslog.h

/*
 * Copyright (c) 1982, 1986, 1988, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)syslog.h	8.1 (Berkeley) 6/2/93
 */

#define	_PATH_LOG	"/dev/log"

/*
 * priorities/facilities are encoded into a single 32-bit quantity, where the
 * bottom 3 bits are the priority (0-7) and the top 28 bits are the facility
 * (0-big number).  Both the priorities and the facilities map roughly
 * one-to-one to strings in the syslogd(8) source code.  This mapping is
 * included in this file.
 *
 * priorities (these are ordered)
 */
#define	LOG_EMERG	0	/* system is unusable */
#define	LOG_ALERT	1	/* action must be taken immediately */
#define	LOG_CRIT	2	/* critical conditions */
#define	LOG_ERR		3	/* error conditions */
#define	LOG_WARNING	4	/* warning conditions */
#define	LOG_NOTICE	5	/* normal but significant condition */
#define	LOG_INFO	6	/* informational */
#define	LOG_DEBUG	7	/* debug-level messages */

#define	LOG_PRIMASK	0x07	/* mask to extract priority part (internal) */
				/* extract priority */
#define	LOG_PRI(p)	((p) & LOG_PRIMASK)
#define	LOG_MAKEPRI(fac, pri)	(((fac) << 3) | (pri))

#ifdef SYSLOG_NAMES
#define	INTERNAL_NOPRI	0x10	/* the "no priority" priority */
				/* mark "facility" */
#define	INTERNAL_MARK	LOG_MAKEPRI(LOG_NFACILITIES, 0)
typedef struct _code {
	char	*c_name;
	int	c_val;
} CODE;

CODE prioritynames[] = {
	"alert",	LOG_ALERT,
	"crit",		LOG_CRIT,
	"debug",	LOG_DEBUG,
	"emerg",	LOG_EMERG,
	"err",		LOG_ERR,
	"error",	LOG_ERR,		/* DEPRECATED */
	"info",		LOG_INFO,
	"none",		INTERNAL_NOPRI,		/* INTERNAL */
	"notice",	LOG_NOTICE,
	"panic", 	LOG_EMERG,		/* DEPRECATED */
	"warn",		LOG_WARNING,		/* DEPRECATED */
	"warning",	LOG_WARNING,
	NULL,		-1,
};
#endif

/* facility codes */
#define	LOG_KERN	(0<<3)	/* kernel messages */
#define	LOG_USER	(1<<3)	/* random user-level messages */
#define	LOG_MAIL	(2<<3)	/* mail system */
#define	LOG_DAEMON	(3<<3)	/* system daemons */
#define	LOG_AUTH	(4<<3)	/* security/authorization messages */
#define	LOG_SYSLOG	(5<<3)	/* messages generated internally by syslogd */
#define	LOG_LPR		(6<<3)	/* line printer subsystem */
#define	LOG_NEWS	(7<<3)	/* network news subsystem */
#define	LOG_UUCP	(8<<3)	/* UUCP subsystem */
#define	LOG_CRON	(9<<3)	/* clock daemon */
#define	LOG_AUTHPRIV	(10<<3)	/* security/authorization messages (private) */
#define	LOG_FTP		(11<<3)	/* ftp daemon */

	/* other codes through 15 reserved for system use */
#define	LOG_LOCAL0	(16<<3)	/* reserved for local use */
#define	LOG_LOCAL1	(17<<3)	/* reserved for local use */
#define	LOG_LOCAL2	(18<<3)	/* reserved for local use */
#define	LOG_LOCAL3	(19<<3)	/* reserved for local use */
#define	LOG_LOCAL4	(20<<3)	/* reserved for local use */
#define	LOG_LOCAL5	(21<<3)	/* reserved for local use */
#define	LOG_LOCAL6	(22<<3)	/* reserved for local use */
#define	LOG_LOCAL7	(23<<3)	/* reserved for local use */

#define	LOG_NFACILITIES	24	/* current number of facilities */
#define	LOG_FACMASK	0x03f8	/* mask to extract facility part */
				/* facility of pri */
#define	LOG_FAC(p)	(((p) & LOG_FACMASK) >> 3)

#ifdef SYSLOG_NAMES
CODE facilitynames[] = {
	"auth",		LOG_AUTH,
	"authpriv",	LOG_AUTHPRIV,
	"cron", 	LOG_CRON,
	"daemon",	LOG_DAEMON,
	"ftp",		LOG_FTP,
	"kern",		LOG_KERN,
	"lpr",		LOG_LPR,
	"mail",		LOG_MAIL,
	"mark", 	INTERNAL_MARK,		/* INTERNAL */
	"news",		LOG_NEWS,
	"security",	LOG_AUTH,		/* DEPRECATED */
	"syslog",	LOG_SYSLOG,
	"user",		LOG_USER,
	"uucp",		LOG_UUCP,
	"local0",	LOG_LOCAL0,
	"local1",	LOG_LOCAL1,
	"local2",	LOG_LOCAL2,
	"local3",	LOG_LOCAL3,
	"local4",	LOG_LOCAL4,
	"local5",	LOG_LOCAL5,
	"local6",	LOG_LOCAL6,
	"local7",	LOG_LOCAL7,
	NULL,		-1,
};
#endif

#ifdef KERNEL
#define	LOG_PRINTF	-1	/* pseudo-priority to indicate use of printf */
#endif

/*
 * arguments to setlogmask.
 */
#define	LOG_MASK(pri)	(1 << (pri))		/* mask for one priority */
#define	LOG_UPTO(pri)	((1 << ((pri)+1)) - 1)	/* all priorities through pri */

/*
 * Option flags for openlog.
 *
 * LOG_ODELAY no longer does anything.
 * LOG_NDELAY is the inverse of what it used to be.
 */
#define	LOG_PID		0x01	/* log the pid with each message */
#define	LOG_CONS	0x02	/* log on the console if errors in sending */
#define	LOG_ODELAY	0x04	/* delay open until first syslog() (default) */
#define	LOG_NDELAY	0x08	/* don't delay open */
#define	LOG_NOWAIT	0x10	/* don't wait for console forks: DEPRECATED */
#define	LOG_PERROR	0x20	/* log to stderr as well */

#ifndef KERNEL

/*
 * Don't use va_list in the vsyslog() prototype.
 * Va_list is typedef'd in two
 * places (<stdarg.h> and <varargs.h>), so if we include one
 * of them here we may collide with the utility's includes.  It's unreasonable
 * for utilities to have to include one of them to include syslog.h, so we get
 * _BSD_VA_LIST_ from <machine/ansi.h> and use it.
 */
/* the two header names below were lost in extraction and are restored from
 * the comment above and the __P/__BEGIN_DECLS macros used next */
#include <machine/ansi.h>
#include <sys/cdefs.h>

__BEGIN_DECLS
void	closelog __P((void));
void	openlog __P((const char *, int, int));
int	setlogmask __P((int));
void	syslog __P((int, const char *, ...));
void	vsyslog __P((int, const char *, _BSD_VA_LIST_));
__END_DECLS

#endif /* !KERNEL */

- ------- syslog.c

/*
 * Copyright (c) 1983, 1988, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.
 * IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)syslog.c	8.7 (Berkeley) 8/29/95";
#endif /* LIBC_SCCS and not lint */

/* The header names were stripped in extraction; the 4.4BSD set this file
 * uses is restored here (stdlib.h is for abort(3)). */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syslog.h>
#include <sys/uio.h>
#include <netdb.h>

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#ifdef BSD4_4
# include <paths.h>
#else
# ifndef _PATH_CONSOLE
#  define _PATH_CONSOLE	"/dev/console"
# endif
# ifndef _PATH_LOG
#  define _PATH_LOG	"/dev/log"
# endif
#endif

#if __STDC__
# include <stdarg.h>
#else
# include <varargs.h>
# define const	/* */
#endif

#ifndef USESNPRINTF
# if defined(BSD4_4)
#  define USESNPRINTF	1	/* has snprintf(3), vsnprintf(3), etc. */
# else
#  define USESNPRINTF	0	/* cheesy old C library */
# endif
#endif

#ifndef LOG_PERROR
# define LOG_PERROR	0
#endif

#define	BUFSLOP	1024		/* overflow space */

static int	LogFile = -1;		/* fd for log */
static int	connected;		/* have done connect */
static int	LogStat = 0;		/* status bits, set by openlog() */
static const char *LogTag = NULL;	/* string to tag the entry with */
static int	LogFacility = LOG_USER;	/* default facility code */
static int	LogMask = 0xff;		/* mask of priorities to be logged */
extern char	*__progname;		/* Program name, from crt0. */

/*
 * syslog, vsyslog --
 *	print message on log file; output is intended for syslogd(8).
 */
void
#if __STDC__
syslog(int pri, const char *fmt, ...)
#else
syslog(pri, fmt, va_alist)
	int pri;
	char *fmt;
	va_dcl
#endif
{
	va_list ap;
	extern void vsyslog();

#if __STDC__
	va_start(ap, fmt);
#else
	va_start(ap);
#endif
	vsyslog(pri, fmt, ap);
	va_end(ap);
}

void
vsyslog(pri, fmt, ap)
	int pri;
	register const char *fmt;
	va_list ap;
{
	register int cnt;
	register char ch, *p, *t;
	time_t now;
	int fd, n, saved_errno;
	int panic = 0;
	static int maxsend = BUFSIZ;
	char *stdp, fmt_cpy[1024], tbuf[BUFSIZ + BUFSLOP];
	extern void openlog();
#define	INTERNALLOG	LOG_ERR|LOG_CONS|LOG_PERROR|LOG_PID

	/* Check for invalid bits. */
	if (pri & ~(LOG_PRIMASK|LOG_FACMASK)) {
		syslog(INTERNALLOG,
		    "syslog: unknown facility/priority: %x", pri);
		pri &= LOG_PRIMASK|LOG_FACMASK;
	}

	/* Check priority against setlogmask values. */
	if (!(LOG_MASK(LOG_PRI(pri)) & LogMask))
		return;

	saved_errno = errno;

	/* Set default facility if none specified. */
	if ((pri & LOG_FACMASK) == 0)
		pri |= LogFacility;

	/* Get connected. */
	if (!connected)
		openlog(LogTag, LogStat | LOG_NDELAY, 0);

	/* Build the message. */
	(void)time(&now);
	sprintf(tbuf, "<%d>", pri);
	p = tbuf + strlen(tbuf);
	strftime(p, sizeof (tbuf) - (p - tbuf), "%h %e %T ", localtime(&now));
	p += strlen(p);
	stdp = p;
	if (LogTag == NULL)
		LogTag = __progname;
	if (LogTag != NULL) {
		sprintf(p, "%s", LogTag);
		p += strlen(p);
	}
	if (LogStat & LOG_PID) {
		sprintf(p, "[%d]", getpid());
		p += strlen(p);
	}
	if (LogTag != NULL) {
		*p++ = ':';
		*p++ = ' ';
	}

	/*
	 * Substitute error message for %m.  The format comes from the
	 * caller, so the copy into fmt_cpy is bounded as well: nothing
	 * is written past fmt_cpy[sizeof(fmt_cpy) - 1].
	 */
	for (t = fmt_cpy;
	    (ch = *fmt) != '\0' && t < fmt_cpy + sizeof(fmt_cpy) - 1; ++fmt)
		if (ch == '%' && fmt[1] == 'm') {
			const char *em = strerror(saved_errno);
			size_t room = fmt_cpy + sizeof(fmt_cpy) - 1 - t;
			size_t len = strlen(em);

			++fmt;
			if (len > room)
				len = room;
			memcpy(t, em, len);
			t += len;
		} else
			*t++ = ch;
	*t = '\0';

#if USESNPRINTF
	cnt = maxsend - (p - tbuf) + 1;
	/*
	 * vsnprintf() returns the length the whole message would have
	 * had, which can exceed cnt; advance p only by what was stored.
	 */
	n = vsnprintf(p, cnt, fmt_cpy, ap);
	if (n < 0)
		n = 0;
	else if (n >= cnt)
		n = cnt - 1;
	p += n;
	cnt = p - tbuf;
#else
	p += vsprintf(p, fmt_cpy, ap);
	cnt = p - tbuf;
	if (cnt > sizeof tbuf) {
		/* Panic condition. */
		panic = 1;
	}
	if (cnt > maxsend)
		cnt = maxsend;
#endif

	/* Output to stderr if requested. */
	if (LogStat & LOG_PERROR) {
		struct iovec iov[2];
		register struct iovec *v = iov;

		v->iov_base = stdp;
		v->iov_len = cnt - (stdp - tbuf);
		++v;
		v->iov_base = "\n";
		v->iov_len = 1;
		(void)writev(STDERR_FILENO, iov, 2);
	}

	/* Output the message to the local logger. */
	for (;;) {
		if (send(LogFile, tbuf, cnt, 0) >= 0)
			goto done;
		if (errno != EMSGSIZE || maxsend <= 256)
			break;

		/* Message was too large -- back it off. */
		do {
			maxsend -= 128;
		} while (cnt < maxsend && maxsend > 256);
		cnt = maxsend;
	}

	/*
	 * Output the message to the console; don't worry about blocking,
	 * if console blocks everything will.  Make sure the error reported
	 * is the one from the syslogd failure.
	 */
	if (LogStat & LOG_CONS &&
	    (fd = open(_PATH_CONSOLE, O_WRONLY, 0)) >= 0) {
		(void)strcat(tbuf, "\r\n");
		cnt += 2;
		p = strchr(tbuf, '>') + 1;
		(void)write(fd, p, cnt - (p - tbuf));
		(void)close(fd);
	}

done:
#if !USESNPRINTF
	/*
	 * If we had a buffer overrun, log a panic and abort.
	 * We can't return because our stack is probably toast.
	 */
	if (panic) {
		syslog(LOG_EMERG, "SYSLOG BUFFER OVERRUN -- EXITING");
		abort();
	}
#endif
	return;
}

static struct sockaddr SyslogAddr;	/* AF_UNIX address of local logger */

void
openlog(ident, logstat, logfac)
	const char *ident;
	int logstat, logfac;
{
	if (ident != NULL)
		LogTag = ident;
	LogStat = logstat;
	if (logfac != 0 && (logfac &~ LOG_FACMASK) == 0)
		LogFacility = logfac;

	if (LogFile == -1) {
		SyslogAddr.sa_family = AF_UNIX;
		(void)strncpy(SyslogAddr.sa_data, _PATH_LOG,
		    sizeof(SyslogAddr.sa_data));
		if (LogStat & LOG_NDELAY) {
			if ((LogFile = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1)
				return;
			(void)fcntl(LogFile, F_SETFD, 1);
		}
	}
	if (LogFile != -1 && !connected)
		if (connect(LogFile, &SyslogAddr, sizeof(SyslogAddr)) == -1) {
			(void)close(LogFile);
			LogFile = -1;
		} else
			connected = 1;
}

void
closelog()
{
	(void)close(LogFile);
	LogFile = -1;
	connected = 0;
}

/* setlogmask -- set the log mask level */
int
setlogmask(pmask)
	int pmask;
{
	int omask;

	omask = LogMask;
	if (pmask != 0)
		LogMask = pmask;
	return (omask);
}

------- End of Forwarded Message

From owner-freebsd-security Wed Aug 30 03:05:27 1995
Message-Id: <199508301005.DAA04205@corbin.Root.COM>
To: security@freebsd.org
Subject: Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
In-reply-to: Your message of "Wed, 30 Aug 95 01:59:25 PDT."
	<199508300859.BAA04030@corbin.Root.COM>
From: David Greenman
Reply-To: davidg@Root.COM
Date: Wed, 30 Aug 1995 03:05:55 -0700

>the code segment to below the stack (to prevent execution of stuff on the
>stack), but I don't think this would affect the recent syslog problem - wasn't
>the stack buffer allocated from the data segment?

   Doug corrected me...the buffer is on the stack.

-DG

From owner-freebsd-security Wed Aug 30 03:10:32 1995
To: davidg@Root.COM
cc: "Jonathan M. Bresler", Bruce Evans, security@freebsd.org
Subject: Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
In-reply-to: Your message of "Wed, 30 Aug 1995 01:59:25 PDT." <199508300859.BAA04030@corbin.Root.COM>
Date: Wed, 30 Aug 1995 03:08:07 -0700
Message-ID: <1248.809777287@critter.tfs.com>
From: Poul-Henning Kamp

> >> the segment descriptors support the text (code) vs data
> >> identification. this would be a big win regarding security (and writing
> >> to wild pointers that hit your own code segment ;)
> >
> >Why didn't we think of that before ?
> >
> >I don't think I have ever seen a program execute anything in the data segment,
> >so we should have little trouble with this...
>
> Umm, and how are you going to deal with shared libraries or other mapped
> files that you wish to execute? The best you could hope for would be to limit
> the code segment to below the stack (to prevent execution of stuff on the
> stack), but I don't think this would affect the recent syslog problem - wasn't
> the stack buffer allocated from the data segment?

Most of the trouble is in the code of the programs. Most of the trouble
happens with the stack.

The shlib loader could be modified to classify the pages as RO, RW, RX.
That would indeed cut out most of the trouble.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Just that: dried leaves in boiling water ?

From owner-freebsd-security Wed Aug 30 13:06:04 1995
Date: Wed, 30 Aug 1995 22:58:26 +0300
From: System daemons
Message-Id: <199508301958.WAA09655@crocodil.monolit.kiev.ua>
Apparently-To: security@freebsd.org

David Greenman (davidg@Root.COM) wrote:

> >> the segment descriptors support the text (code) vs data
> >> identification. this would be a big win regarding security (and writing
> >> to wild pointers that hit your own code segment ;)

unfortunately, we don't have code and data pointers in the current addressing
model (umm, sounds like dos-ish/window-ish/PM-ish segments again... never
mind.)
> >I don't think I have ever seen a program execute anything in the data segment,
> >so we should have little trouble with this...

Think of threaded code interpreters which create code on the fly, then
execute it. I bet at least several Lisp, Scheme, ML, or Forth systems
do it actually.

> Umm, and how are you going to deal with shared libraries or other mapped
> files that you wish to execute? The best you could hope for would be to limit
> the code segment to below the stack (to prevent execution of stuff on the
> stack), but I don't think this would affect the recent syslog problem - wasn't
> the stack buffer allocated from the data segment?

Do you know about `trampolines' which recent versions of gcc use to call
nested functions? The problem with this stuff is, when you have bar()
defined _inside_ foo(), and want to pass &bar outside of foo(), (e.g. to
qsort() which could call bar() by pointer), you want bar() to be able to
access all local variables which foo() has at the time of its recent
invocation. Since the address of foo()'s stack frame isn't known at compile
time, gcc solves this by creating a `trampoline', i.e. a small piece of
code which loads some CPU register with the (current) address of foo()'s
locals, then invokes bar(). This small piece of code is created on the
stack, and its address is passed to external functions as the address of
bar(). Neat, isn't it? But this also means that stack pages should be
made executable.

Dmitry (w/language implementation hat on ;-) )

From owner-freebsd-security Thu Aug 31 00:42:33 1995
From: Heikki Suonsivu
Date: Thu, 31 Aug 1995 10:42:25 +0300
Message-Id: <199508310742.KAA26949@katiska.clinet.fi>
To: "Jonathan M. Bresler"
Cc: security@freebsd.org
Subject: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
Organization: Clinet Ltd, Espoo, Finland

Jonathan M. Bresler writes:
> buffers and uses sprintf to write to them. should be changed to
> snprintf--a quick perusal says that should do the trick

sprintf %s format takes maximum string length, like %.5s copies maximum of
5 characters. This could also be used. snprintf loses the end of the thing
printed, while %.ns only loses bytes from the offending string.
-- 
Heikki Suonsivu, Täysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
home +358-0-8031121 work -4375209 fax -4555276

From owner-freebsd-security Thu Aug 31 08:28:36 1995
From: huver@amgraf.com (Huver)
Reply-To: huver@amgraf.com
Message-Id: <9508311433.AA14200@amgraf.com>
To: jkh@freefall.FreeBSD.org
Subject: My goof-up to previous syslog.c changes
Date: Thu, 31 Aug 95 09:33:56 CDT
Resent-To: security@freebsd.org
Resent-Date: Thu, 31 Aug 1995 08:17:54 -0700
Resent-Message-ID: <10308.809882274@time.cdrom.com>
Resent-From: "Jordan K. Hubbard"

This is most embarrassing... a couple of years ago we changed our
snprintf() to always return number of bytes written, and have been using
our version since.

My previous changes to syslog() were based on that, and totally forgot
the fact that stock snprintf() can return "number of bytes needed" which
can exceed the buffer size. Thusly the attached syslog.c is needed to use
stock functions.

I apologize for my goofs.

-huver
huver@amgraf.com

=========================================================================
/*
 * Copyright (c) 1983, 1988, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.
 * IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)syslog.c	8.4 (Berkeley) 3/18/94";
#endif /* LIBC_SCCS and not lint */

/* The header names between the angle brackets were lost in the archive. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#if __STDC__
#include
#else
#include
#endif

static int	LogFile = -1;		/* fd for log */
static int	connected;		/* have done connect */
static int	LogStat = 0;		/* status bits, set by openlog() */
static const char *LogTag = NULL;	/* string to tag the entry with */
static int	LogFacility = LOG_USER;	/* default facility code */
static int	LogMask = 0xff;		/* mask of priorities to be logged */
extern char	*__progname;		/* Program name, from crt0. */

/*
 * syslog, vsyslog --
 *	print message on log file; output is intended for syslogd(8).
 */
void
#if __STDC__
syslog(int pri, const char *fmt, ...)
#else
syslog(pri, fmt, va_alist)
	int pri;
	char *fmt;
	va_dcl
#endif
{
	va_list ap;

#if __STDC__
	va_start(ap, fmt);
#else
	va_start(ap);
#endif
	vsyslog(pri, fmt, ap);
	va_end(ap);
}

void
vsyslog(pri, fmt, ap)
	int pri;
	register const char *fmt;
	va_list ap;
{
	register int cnt;
	register char ch, *p, *t;
	time_t now;
	int fd, saved_errno;
	char *stdp, tbuf[2048], fmt_cpy[1024];
	int tbuf_size, fcpy_len;

	/* set up to simplify calc a bit later */
	tbuf_size = sizeof(tbuf) - 1;

#define	INTERNALLOG	LOG_ERR|LOG_CONS|LOG_PERROR|LOG_PID
	/* Check for invalid bits.
	 */
	if (pri & ~(LOG_PRIMASK|LOG_FACMASK)) {
		syslog(INTERNALLOG,
		    "syslog: unknown facility/priority: %x", pri);
		pri &= LOG_PRIMASK|LOG_FACMASK;
	}

	/* Check priority against setlogmask values. */
	if (!(LOG_MASK(LOG_PRI(pri)) & LogMask))
		return;

	saved_errno = errno;

	/* Set default facility if none specified. */
	if ((pri & LOG_FACMASK) == 0)
		pri |= LogFacility;

	/* Build the message. */
	(void)time(&now);
	fd = sprintf(tbuf, "<%d>", pri);
	p = tbuf + fd;
	tbuf_size -= fd;
	fd = strftime(p, tbuf_size, "%h %e %T ", localtime(&now));
	p += fd;
	tbuf_size -= fd;
	if (LogStat & LOG_PERROR)
		stdp = p;
	if (LogTag == NULL)
		LogTag = __progname;
	if (LogTag != NULL) {
		fd = snprintf(p, tbuf_size, "%s", LogTag);
		if (fd == EOF)
			tbuf_size = 0;
		else {
			if (fd > tbuf_size)
				fd = tbuf_size;
			p += fd;
			tbuf_size -= fd;
		}
	}
	if (LogStat & LOG_PID) {
		fd = snprintf(p, tbuf_size, "[%d]", getpid());
		if (fd == EOF)
			tbuf_size = 0;
		else {
			if (fd > tbuf_size)
				fd = tbuf_size;
			p += fd;
			tbuf_size -= fd;
		}
	}
	if (LogTag != NULL && tbuf_size > 2) {
		*p++ = ':';
		*p++ = ' ';
		tbuf_size -= 2;		/* account for the two bytes just stored */
	}

	/* Substitute error message for %m. */
	fcpy_len = sizeof(fmt_cpy);
	for (t = fmt_cpy; ch = *fmt; ++fmt)
		if (ch == '%' && fmt[1] == 'm') {
			++fmt;
			fd = snprintf(t, fcpy_len, "%s", strerror(saved_errno));
			/* fd == fcpy_len means the NUL landed on the last byte */
			if (fd != EOF && fd < fcpy_len) {
				t += fd;
				fcpy_len -= fd;
			}
		} else if (fcpy_len > 1) {
			*t++ = ch;
			fcpy_len--;
		}
	*t = '\0';

	fd = vsnprintf(p, tbuf_size, fmt_cpy, ap);
	if (fd != EOF && fd <= tbuf_size)
		p += fd;
	else
		*p = '\0';
	cnt = p - tbuf;

	/* Output to stderr if requested. */
	if (LogStat & LOG_PERROR) {
		struct iovec iov[2];
		register struct iovec *v = iov;

		v->iov_base = stdp;
		v->iov_len = cnt - (stdp - tbuf);
		++v;
		v->iov_base = "\n";
		v->iov_len = 1;
		(void)writev(STDERR_FILENO, iov, 2);
	}

	/* Get connected, output the message to the local logger.
	 */
	if (!connected)
		openlog(LogTag, LogStat | LOG_NDELAY, 0);
	if (send(LogFile, tbuf, cnt, 0) >= 0)
		return;

	/*
	 * Output the message to the console; don't worry about blocking,
	 * if console blocks everything will.  Make sure the error reported
	 * is the one from the syslogd failure.
	 */
	if (LogStat & LOG_CONS &&
	    (fd = open(_PATH_CONSOLE, O_WRONLY, 0)) >= 0) {
		p = index(tbuf, '>') + 1;
		(void)write(fd, p, cnt - (p - tbuf));
		(void)write(fd, "\r\n", 2);
		(void)close(fd);
	}
}

static struct sockaddr SyslogAddr;	/* AF_UNIX address of local logger */

void
openlog(ident, logstat, logfac)
	const char *ident;
	int logstat, logfac;
{
	if (ident != NULL)
		LogTag = ident;
	LogStat = logstat;
	if (logfac != 0 && (logfac &~ LOG_FACMASK) == 0)
		LogFacility = logfac;

	if (LogFile == -1) {
		SyslogAddr.sa_family = AF_UNIX;
		(void)strncpy(SyslogAddr.sa_data, _PATH_LOG,
		    sizeof(SyslogAddr.sa_data));
		if (LogStat & LOG_NDELAY) {
			if ((LogFile = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1)
				return;
			(void)fcntl(LogFile, F_SETFD, 1);
		}
	}
	if (LogFile != -1 && !connected)
		if (connect(LogFile, &SyslogAddr, sizeof(SyslogAddr)) == -1) {
			(void)close(LogFile);
			LogFile = -1;
		} else
			connected = 1;
}

void
closelog()
{
	(void)close(LogFile);
	LogFile = -1;
	connected = 0;
}

/* setlogmask -- set the log mask level */
int
setlogmask(pmask)
	int pmask;
{
	int omask;

	omask = LogMask;
	if (pmask != 0)
		LogMask = pmask;
	return (omask);
}

From owner-freebsd-security Thu Aug 31 12:58:22 1995
To: freebsd-security@freebsd.org
Date: 1 Sep 1995 03:58:10 +0800
From: peter@haywire.dialix.com (Peter Wemm)
Organization: DIALix Services, Perth, Australia.
Subject: Eric Allman's syslog.c fixes

Eric Allman is running a new syslog.c through the mill at the
moment.  It'll be the one published in the RSN CERT advisory I presume.

It's thought to be bombproof on 4.4BSD systems (it uses vsnprintf), and
the only holdup is portability to other OS's.

I keep a pretty close eye on this area, as it's sendmail related.  Is
it worth bringing in the currently 'endorsed' version, and updating it
to the CERT version if there are any changes later?

-Peter

From owner-freebsd-security Thu Aug 31 13:50:02 1995
Date: Fri, 1 Sep 1995 06:47:28 +1000
From: Bruce Evans
To: freebsd-security@freebsd.org, peter@haywire.dialix.com
Subject: Re: Eric Allman's syslog.c fixes

>Eric Allman is running a new syslog.c through the mill at the
>moment.  It'll be the one published in the RSN CERT advisory I presume.

>It's thought to be bombproof on 4.4BSD systems (it uses vsnprintf), and
>the only holdup is portability to other OS's.

The one posted here didn't check the format conversion.  pst's version
was more complete.

Someone suggested using %.*s instead of snprintf.
That works well for the format conversion.

Bruce

From owner-freebsd-security Thu Aug 31 14:21:41 1995
Date: Fri, 1 Sep 1995 05:21:11 +0800 (WST)
From: Peter Wemm
To: Bruce Evans
cc: freebsd-security@freebsd.org
Subject: Re: Eric Allman's syslog.c fixes

On Fri, 1 Sep 1995, Bruce Evans wrote:

> >Eric Allman is running a new syslog.c through the mill at the
> >moment.  It'll be the one published in the RSN CERT advisory I presume.
> 
> >It's thought to be bombproof on 4.4BSD systems (it uses vsnprintf), and
> >the only holdup is portability to other OS's.
> 
> The one posted here didn't check the format conversion.  pst's version
> was more complete.
> 
> Someone suggested using %.*s instead of snprintf.  That works well for
> the format conversion.
> 
> Bruce

Well, this is it, BTW....  Obviously, this has portability stuff in it
that can come out.  Note, it's berkeley version 8.8.  4.4Lite was version
8.4, and Lite2 is version 8.5.  If anybody's got any complaints with this
version of the code, we need to hear about it ASAP, before it gets
published.

--------------------
Subject: updated syslog.c (CERT VU#9548)
Date: Wed, 30 Aug 1995 20:49:08 -0700

/*
 * Copyright (c) 1983, 1988, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)syslog.c	8.8 (Berkeley) 8/30/95";
#endif /* LIBC_SCCS and not lint */

/* The header names between the angle brackets were lost in the archive. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#ifdef BSD4_4
# include
#else
# ifndef _PATH_CONSOLE
#  define _PATH_CONSOLE	"/dev/console"
# endif
# ifndef _PATH_LOG
#  define _PATH_LOG	"/dev/log"
# endif
#endif

#if __STDC__
# include
#else
# include
# define const	/* */
#endif

#ifndef USESNPRINTF
# if defined(BSD4_4)
#  define USESNPRINTF	1	/* has snprintf(3), vsnprintf(3), etc. */
# else
#  define USESNPRINTF	0	/* cheesy old C library */
# endif
#endif

#ifndef LOG_PRI
# define LOG_PRI(p)	((p) & LOG_PRIMASK)
#endif
#ifndef LOG_PERROR
# define LOG_PERROR	0
#endif

#define BUFSLOP	1024	/* overflow space */

static int	LogFile = -1;		/* fd for log */
static int	connected;		/* have done connect */
static int	LogStat = 0;		/* status bits, set by openlog() */
static const char *LogTag = NULL;	/* string to tag the entry with */
static int	LogFacility = LOG_USER;	/* default facility code */
static int	LogMask = 0xff;		/* mask of priorities to be logged */

#if defined(BSD4_4)
extern char	*__progname;		/* Program name, from crt0. */
#else
char	*__progname = NULL;
#endif

/*
 * syslog, vsyslog --
 *	print message on log file; output is intended for syslogd(8).
 */
void
#if __STDC__
syslog(int pri, const char *fmt, ...)
#else
syslog(pri, fmt, va_alist)
	int pri;
	char *fmt;
	va_dcl
#endif
{
	va_list ap;
	extern void vsyslog();

#if __STDC__
	va_start(ap, fmt);
#else
	va_start(ap);
#endif
	vsyslog(pri, fmt, ap);
	va_end(ap);
}

void
vsyslog(pri, fmt, ap)
	int pri;
	register const char *fmt;
	va_list ap;
{
	register int cnt;
	register char ch, *p, *t;
	time_t now;
	int fd, saved_errno;
	int panic = 0;
	static int maxsend = BUFSIZ;
	char *stdp, fmt_cpy[1024], tbuf[BUFSIZ + BUFSLOP];
	extern void openlog();

#define	INTERNALLOG	LOG_ERR|LOG_CONS|LOG_PERROR|LOG_PID
	/* Check for invalid bits.
	 */
	if (pri & ~(LOG_PRIMASK|LOG_FACMASK)) {
		syslog(INTERNALLOG,
		    "syslog: unknown facility/priority: %x", pri);
		pri &= LOG_PRIMASK|LOG_FACMASK;
	}

	/* Check priority against setlogmask values. */
	if (!(LOG_MASK(LOG_PRI(pri)) & LogMask))
		return;

	saved_errno = errno;

	/* Set default facility if none specified. */
	if ((pri & LOG_FACMASK) == 0)
		pri |= LogFacility;

	/* Get connected. */
	if (!connected)
		openlog(LogTag, LogStat | LOG_NDELAY, 0);

	/* Build the message. */
	(void)time(&now);
	sprintf(tbuf, "<%d>", pri);
	p = tbuf + strlen(tbuf);
	strftime(p, sizeof (tbuf) - (p - tbuf), "%h %e %T ", localtime(&now));
	p += strlen(p);
	stdp = p;
	if (LogTag == NULL)
		LogTag = __progname;
	if (LogTag != NULL) {
		sprintf(p, "%s", LogTag);
		p += strlen(p);
	}
	if (LogStat & LOG_PID) {
		sprintf(p, "[%d]", getpid());
		p += strlen(p);
	}
	if (LogTag != NULL) {
		*p++ = ':';
		*p++ = ' ';
	}

	/* Substitute error message for %m. */
	for (t = fmt_cpy; ch = *fmt; ++fmt)
		if (ch == '%' && fmt[1] == 'm') {
			++fmt;
			sprintf(t, "%s", strerror(saved_errno));
			t += strlen(t);
		} else
			*t++ = ch;
	*t = '\0';

#if USESNPRINTF
	cnt = maxsend - (p - tbuf) + 1;
	p += vsnprintf(p, cnt, fmt_cpy, ap);
	cnt = p - tbuf;
#else
	vsprintf(p, fmt_cpy, ap);
	p += strlen(p);
	cnt = p - tbuf;
	if (cnt > sizeof tbuf) {
		/* Panic condition. */
		panic = 1;
	}
	if (cnt > maxsend)
		cnt = maxsend;
#endif

	/* Output to stderr if requested. */
	if (LogStat & LOG_PERROR) {
		struct iovec iov[2];
		register struct iovec *v = iov;

		v->iov_base = stdp;
		v->iov_len = cnt - (stdp - tbuf);
		++v;
		v->iov_base = "\n";
		v->iov_len = 1;
		(void)writev(STDERR_FILENO, iov, 2);
	}

	/* Output the message to the local logger. */
	for (;;) {
		if (send(LogFile, tbuf, cnt, 0) >= 0)
			goto done;
		if (errno != EMSGSIZE || maxsend <= 256)
			break;

		/* Message was too large -- back it off. */
		do {
			maxsend -= 128;
		} while (cnt < maxsend && maxsend > 256);
		cnt = maxsend;
	}

	/*
	 * Output the message to the console; don't worry about blocking,
	 * if console blocks everything will.
	 * Make sure the error reported
	 * is the one from the syslogd failure.
	 */
	if (LogStat & LOG_CONS &&
	    (fd = open(_PATH_CONSOLE, O_WRONLY, 0)) >= 0) {
		(void)strcat(tbuf, "\r\n");
		cnt += 2;
		p = strchr(tbuf, '>') + 1;
		(void)write(fd, p, cnt - (p - tbuf));
		(void)close(fd);
	}

done:
#if !USESNPRINTF
	/*
	 * If we had a buffer overrun, log a panic and abort.
	 * We can't return because our stack is probably toast.
	 */
	if (panic) {
		syslog(LOG_EMERG, "SYSLOG BUFFER OVERRUN -- EXITING");
		abort();
	}
#endif
}

static struct sockaddr SyslogAddr;	/* AF_UNIX address of local logger */

void
openlog(ident, logstat, logfac)
	const char *ident;
	int logstat, logfac;
{
	if (ident != NULL)
		LogTag = ident;
	LogStat = logstat;
	if (logfac != 0 && (logfac &~ LOG_FACMASK) == 0)
		LogFacility = logfac;

	if (LogFile == -1) {
		SyslogAddr.sa_family = AF_UNIX;
		(void)strncpy(SyslogAddr.sa_data, _PATH_LOG,
		    sizeof(SyslogAddr.sa_data));
		if (LogStat & LOG_NDELAY) {
			if ((LogFile = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1)
				return;
			(void)fcntl(LogFile, F_SETFD, 1);
		}
	}
	if (LogFile != -1 && !connected)
		if (connect(LogFile, &SyslogAddr, sizeof(SyslogAddr)) == -1) {
			(void)close(LogFile);
			LogFile = -1;
		} else
			connected = 1;
}

void
closelog()
{
	(void)close(LogFile);
	LogFile = -1;
	connected = 0;
}

/* setlogmask -- set the log mask level */
int
setlogmask(pmask)
	int pmask;
{
	int omask;

	omask = LogMask;
	if (pmask != 0)
		LogMask = pmask;
	return (omask);
}

-------

Cheers,
-Peter

From owner-freebsd-security Thu Aug 31 14:38:29 1995
From: "Rodney W.
Grimes"
Subject: Re: Eric Allman's syslog.c fixes
To: peter@haywire.dialix.com (Peter Wemm)
Date: Thu, 31 Aug 1995 14:37:49 -0700 (PDT)
Cc: freebsd-security@freebsd.org

> Eric Allman is running a new syslog.c through the mill at the
> moment.  It'll be the one published in the RSN CERT advisory I presume.
> 
> It's thought to be bombproof on 4.4BSD systems (it uses vsnprintf), and
> the only holdup is portability to other OS's.
> 
> I keep a pretty close eye on this area, as it's sendmail related.  Is
> it worth bringing in the currently 'endorsed' version, and updating it
> to the CERT version if there are any changes later?

Yes, that would give Eric additional test data and eyes looking at
the solution.

-- 
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                 Reliable computers for FreeBSD

From owner-freebsd-security Thu Aug 31 14:49:43 1995
Date: Fri, 1 Sep 1995 07:44:47 +1000
From: Bruce Evans
To: bde@zeta.org.au, peter@haywire.DIALix.COM
Subject: Re: Eric Allman's syslog.c fixes
Cc: freebsd-security@freebsd.org

>Well, this is it, BTW....
>Obviously, this has portability stuff in it
>that can come out.  Note, it's berkeley version 8.8.  4.4Lite was version
>8.4, and Lite2 is version 8.5.  If anybody's got any complaints with this
>version of the code, we need to hear about it ASAP, before it gets
>published.

Unfortunately it has many of the bugs that we noticed in the review of
pst's version.

>	if (LogTag == NULL)
>		LogTag = __progname;
>	if (LogTag != NULL) {
>		sprintf(p, "%s", LogTag);
		^^^^^^^
>		p += strlen(p);
>	}

This can overrun (or cause overruns later) if LogTag is very long.  Perhaps
this doesn't matter because users can't change LogTag.

>	/* Substitute error message for %m. */
>	for (t = fmt_cpy; ch = *fmt; ++fmt)
>		if (ch == '%' && fmt[1] == 'm') {
>			++fmt;
>			sprintf(t, "%s", strerror(saved_errno));
			^^^^^^^
>			t += strlen(t);
>		} else
>			*t++ = ch;
			^^^^
>	*t = '\0';
	^^

More overrun possibilities.  Perhaps they don't matter because users can't
change the format.

>#if USESNPRINTF
>	cnt = maxsend - (p - tbuf) + 1;
>	p += vsnprintf(p, cnt, fmt_cpy, ap);
	^^^^
>	cnt = p - tbuf;
	^^^
>#else
>....
>#endif

vsnprintf() returns the number of characters that would be written if they
fitted, so the final pointer and count are bogus if not everything fitted.
The most interesting case is if a couple of GB would be written and the
pointer wraps around.

>	/*
>	 * Output the message to the console; don't worry about blocking,
>	 * if console blocks everything will.  Make sure the error reported
>	 * is the one from the syslogd failure.
>	 */
>	if (LogStat & LOG_CONS &&
>	    (fd = open(_PATH_CONSOLE, O_WRONLY, 0)) >= 0) {
>		(void)strcat(tbuf, "\r\n");
>		cnt += 2;
>		p = strchr(tbuf, '>') + 1;
>		(void)write(fd, p, cnt - (p - tbuf));
		^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>		(void)close(fd);
>	}

The bogus pointer and count may be considered as a feature :-).  They may
cause junk to be written to the log as evidence of attempted breakins.
Bruce

From owner-freebsd-security Thu Aug 31 15:03:08 1995
To: Bruce Evans
cc: peter@haywire.DIALix.COM, freebsd-security@freebsd.org
Subject: Re: Eric Allman's syslog.c fixes
Date: Thu, 31 Aug 1995 15:01:20 -0700
From: Paul Traina

    From: Bruce Evans
    Subject: Re: Eric Allman's syslog.c fixes

    >Well, this is it, BTW....  Obviously, this has portability stuff in it
    >that can come out.  Note, it's berkeley version 8.8.  4.4Lite was version
    >8.4, and Lite2 is version 8.5.  If anybody's got any complaints with this
    >version of the code, we need to hear about it ASAP, before it gets
    >published.

    Unfortunately it has many of the bugs that we noticed in the review of
    pst's version.

    >	if (LogTag == NULL)
    >		LogTag = __progname;
    >	if (LogTag != NULL) {
    >		sprintf(p, "%s", LogTag);
    		^^^^^^^
    >		p += strlen(p);
    >	}

    This can overrun (or cause overruns later) if LogTag is very long.  Perhaps
    this doesn't matter because users can't change LogTag.

I'd rather keep the check here.

    >	/* Substitute error message for %m. */
    >	for (t = fmt_cpy; ch = *fmt; ++fmt)
    >		if (ch == '%' && fmt[1] == 'm') {
    >			++fmt;
    >			sprintf(t, "%s", strerror(saved_errno));
    			^^^^^^^
    >			t += strlen(t);
    >		} else
    >			*t++ = ch;
    			^^^^
    >	*t = '\0';
    	^^

    More overrun possibilities.
    Perhaps they don't matter because users can't change the format.

That was my basic feeling.

    >#if USESNPRINTF
    >	cnt = maxsend - (p - tbuf) + 1;
    >	p += vsnprintf(p, cnt, fmt_cpy, ap);
    	^^^^
    >	cnt = p - tbuf;
    	^^^
    >#else
    >....
    >#endif

    vsnprintf() returns the number of characters that would be written if they
    fitted, so the final pointer and count are bogus if not everything fitted.
    The most interesting case is if a couple of GB would be written and the
    pointer wraps around.

Yep, bummer.

    >	/*
    >	 * Output the message to the console; don't worry about blocking,
    >	 * if console blocks everything will.  Make sure the error reported
    >	 * is the one from the syslogd failure.
    >	 */
    >	if (LogStat & LOG_CONS &&
    >	    (fd = open(_PATH_CONSOLE, O_WRONLY, 0)) >= 0) {
    >		(void)strcat(tbuf, "\r\n");
    >		cnt += 2;
    >		p = strchr(tbuf, '>') + 1;
    >		(void)write(fd, p, cnt - (p - tbuf));
    		^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    >		(void)close(fd);
    >	}

    The bogus pointer and count may be considered as a feature :-).  They may
    cause junk to be written to the log as evidence of attempted breakins.

    Bruce

From owner-freebsd-security Fri Sep 1 00:01:28 1995
From: Karl Strickland
Subject: Re: Eric Allman's syslog.c fixes
To: "Rodney W.
Grimes"
Date: Fri, 1 Sep 1995 07:42:59 +0100 (BST)
Cc: peter@haywire.dialix.com, freebsd-security@freebsd.org, eric@cs.berkeley.edu

> > Eric Allman is running a new syslog.c through the mill at the
> > moment.  It'll be the one published in the RSN CERT advisory I presume.
> > 
> > It's thought to be bombproof on 4.4BSD systems (it uses vsnprintf), and
> > the only holdup is portability to other OS's.
> > 
> > I keep a pretty close eye on this area, as it's sendmail related.  Is
> > it worth bringing in the currently 'endorsed' version, and updating it
> > to the CERT version if there are any changes later?
> 
> Yes, that would give Eric additional test data and eyes looking at
> the solution.

I think that the fmt string should also be bounds checked - there is still
no bounds check on the copy from the user supplied fmt string into the
internal buffer.  Having said that, I'm not aware of anything that lets
the user mess with the fmt string, but I think it makes sense to fix it
at this point.

Other than that, it looks good to me -- I did a make world (yes I know
it's extreme :)) with it and it's been going without problems for > 24 hours..

-- 
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               | Karl Strickland
PGP 2.3a Public Key Available.
                                          | Internet: karl@bagpuss.demon.co.uk
                                          |

From owner-freebsd-security Fri Sep 1 04:50:49 1995
From: Mr D Whitehead (Ext 2703)
Subject: Security of non root nfs mounts
To: freebsd-security@freebsd.org
Date: Fri, 1 Sep 1995 12:48:40 +0100 (BST)

Hi,

FreeBSD-2.0.5R does not seem to be able to export a filesystem when the
mount request was made by Sun's PCNFS using its default user of 'nobody'
(uid:2 gid:2); this was not the case for (some) earlier versions (2.0R &
2.0-950112-SNAP).  Is this an intentional change made for security reasons,
and if not is there a way round this?

This situation came to my attention when upgrading the servers for our
teaching lab, where we have PCs running both DOS and FreeBSD.  When the PCs
are booted as DOS machines all read-only filesystems and printers are
mounted during the execution of autoexec.bat, providing a basic range of
facilities.  Later, when the user has logged in, more filesystems and
facilities are provided.  Needless to say it's done this way so that the
login command (and a few other important bits) can be maintained on the
network, where system-wide changes can be easily made and controlled.
-- 
Dave Whitehead (Computer Support Staff)
-------------------------------------------------------------------------------
EMAIL:-                              | TELEPHONE (work):-
(work) davew@sees.bangor.ac.uk       | +44 1248 382703 (Direct line)
(home) 100023.1076@compuserve.com    | +44 1248 351151 ext 2703
-------------------------------------------------------------------------------
SNAIL MAIL:-  Dave Whitehead
              School of Electronic Engineering & Computer Systems,
              University College of North Wales, Dean Street, Bangor LL57 1UT
-------------------------------------------------------------------------------

From owner-freebsd-security Fri Sep 1 11:32:22 1995
To: Karl Strickland
From: Eric Allman
cc: "Rodney W. Grimes", peter@haywire.dialix.com, freebsd-security@freebsd.org
Subject: Re: Eric Allman's syslog.c fixes
Date: Fri, 01 Sep 1995 11:32:09 -0700

My take is that the copied fmt string should not be a problem, because
applications shouldn't be allowing the user to specify it (if they did,
users could drop in gratuitous `%'s).  The only reason this is needed is
to get %m, which wouldn't have been necessary in the first case if
strerror() had existed, or if I had had the sense to implement that sort
of routine instead of the special-purpose %m hack.
Of course, it's always a good idea to bounds check -- I'm just saying that
I doubt that this will be a serious problem in real life.

eric

============= In Reply To: ==============================================
: From: Karl Strickland
: Subject: Re: Eric Allman's syslog.c fixes
: Date: Fri, 1 Sep 1995 07:42:59 +0100 (BST)
: 
: > > Eric Allman is running a new syslog.c through the mill at the
: > > moment.  It'll be the one published in the RSN CERT advisory I presume.
: > > 
: > > It's thought to be bombproof on 4.4BSD systems (it uses vsnprintf), and
: > > the only holdup is portability to other OS's.
: > > 
: > > I keep a pretty close eye on this area, as it's sendmail related.  Is
: > > it worth bringing in the currently 'endorsed' version, and updating it
: > > to the CERT version if there are any changes later?
: > 
: > Yes, that would give Eric additional test data and eyes looking at
: > the solution.
: 
: I think that the fmt string should also be bounds checked - there is still
: no bounds check on the copy from the user supplied fmt string into the
: internal buffer.  Having said that, I'm not aware of anything that lets
: the user mess with the fmt string, but I think it makes sense to fix it
: at this point.
: 
: Other than that, it looks good to me -- I did a make world (yes I know
: it's extreme :)) with it and it's been going without problems for > 24 hours..
: 
: -- 
: ------------------------------------------+-----------------------------------
: Mailed using ELM on FreeBSD               | Karl Strickland
: PGP 2.3a Public Key Available.
:                                           | Internet: karl@bagpuss.demon.co.uk
:                                           |

From owner-freebsd-security Fri Sep 1 12:52:36 1995
To: Bruce Evans, Peter Wemm
Cc: freebsd-security@freebsd.org
Organization: Olahm Ha-Yetzirah
Date: Fri, 1 Sep 1995 23:30:16 +0400 (MSD)
From: Андрей Чернов (aka Andrey A. Chernov, Black Mage)
Subject: Re: Eric Allman's syslog.c fixes

In message Peter Wemm writes:

>	strftime(p, sizeof (tbuf) - (p - tbuf), "%h %e %T ", localtime(&now));

ctime() must be used here instead; we don't need international names in
log files.

-- 
Andrey A. Chernov        : And I rest so composedly,  /Now, in my bed,
ache@astral.msk.su       : That any beholder          /Might fancy me dead -
FidoNet: 2:5020/230.3    : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe         From "For Annie" 1849
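The two bounds problems argued over in this thread, shown in working C as an added editorial example (not code from any syslog.c posted above, and not from any of the posters): huver's and Bruce Evans's point that "p += vsnprintf(...)" is wrong once the text does not fit, since vsnprintf() returns the length the output would have had, and a bounded %m substitution using the %.*s precision trick Bruce mentions. The function names, the 256-byte fmt_cpy and the sample priority, tag and messages are my own constructions.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Append formatted text at out[*off] without running past out[size].
 * vsnprintf(3) returns the length the text WOULD have had, so the
 * "p += vsnprintf(...)" idiom walks the pointer past the buffer whenever
 * the text does not fit; here the return value is clamped instead.
 * Returns 1 if everything fit, 0 if the text was cut short.
 */
static int vappend(char *out, size_t size, size_t *off, const char *fmt, va_list ap)
{
	size_t avail;
	int n;

	if (size == 0 || *off >= size)
		return 0;
	avail = size - *off;
	n = vsnprintf(out + *off, avail, fmt, ap);
	if (n < 0) {			/* output error: keep what we had */
		out[*off] = '\0';
		return 0;
	}
	if ((size_t)n >= avail) {	/* truncated: avail - 1 chars stored */
		*off = size - 1;
		return 0;
	}
	*off += (size_t)n;
	return 1;
}

static int append(char *out, size_t size, size_t *off, const char *fmt, ...)
{
	va_list ap;
	int ok;

	va_start(ap, fmt);
	ok = vappend(out, size, off, fmt, ap);
	va_end(ap);
	return ok;
}

/*
 * Copy fmt into dst (dstsize > 0) replacing %m with strerror(errnum), as
 * vsyslog() builds fmt_cpy, but bounded: the error text goes through a
 * "%.*s" conversion whose precision is the room left.  Returns 1 if it fit.
 */
static int expand_m(char *dst, size_t dstsize, const char *fmt, int errnum)
{
	size_t off = 0;
	int fit = 1;

	for (; *fmt != '\0'; ++fmt) {
		if (fmt[0] == '%' && fmt[1] == 'm') {
			const char *e = strerror(errnum);
			size_t room = dstsize - off - 1;	/* bytes left before the NUL */
			size_t elen = strlen(e);

			if (elen > room) {
				elen = room;
				fit = 0;
			}
			snprintf(dst + off, dstsize - off, "%.*s", (int)elen, e);
			off += elen;
			++fmt;
		} else if (off + 1 < dstsize) {
			dst[off++] = *fmt;
		} else {
			fit = 0;
			break;
		}
	}
	dst[off] = '\0';
	return fit;
}

/* Build "<pri>tag[pid]: message" as vsyslog() does, with every step bounded. */
static int build_log_line(char *out, size_t size, int pri, const char *tag,
    int pid, int errnum, const char *fmt, ...)
{
	char fmt_cpy[256];	/* hypothetical size; vsyslog() uses 1024 */
	size_t off = 0;
	int fit;
	va_list ap;

	if (size == 0)
		return 0;
	out[0] = '\0';
	fit = append(out, size, &off, "<%d>%s[%d]: ", pri, tag, pid);
	fit &= expand_m(fmt_cpy, sizeof fmt_cpy, fmt, errnum);
	va_start(ap, fmt);
	fit &= vappend(out, size, &off, fmt_cpy, ap);
	va_end(ap);
	return fit;
}
```

On a 16-byte buffer build_log_line() stops at "<13>sendmail[12", reports 0, and leaves the terminating NUL inside the buffer, where the reviewed code would have advanced p by the full would-be length.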