From: Barney Wolff
To: freebsd-net@freebsd.org
Date: Fri, 22 Nov 2002 17:10:54 -0500
Subject: [bugtraq-partner@seculution.de: [OpenBSD] [syslogd] false src-IP when logging to remote syslogd]

Sounds familiar :) The question is whether any of the error codes discussed here would cause syslogd to rebind to the new address.
----- Forwarded message from Torsten Valentin -----

From: "Torsten Valentin"
Delivered-To: mailing list bugtraq@securityfocus.com
Subject: [OpenBSD] [syslogd] false src-IP when logging to remote syslogd
Date: Wed, 20 Nov 2002 16:36:43 +0100

OpenBSD's syslogd (tested on OpenBSD 2.9 - 3.2, i386 only) seems to have a bug that might lead to false information on a remote syslog server.

The problem can be reproduced by changing the machine's IP using ifconfig and NOT rebooting the whole machine. Though the machine should not use the old IP anymore, packets from syslogd to the remote syslog server (514/UDP) originate with the OLD source IP, the one the OpenBSD machine had before ifconfig.

Though this is not a severe security issue which leads to a compromise of the system itself, it is an issue that leads to false information on the remote syslogd server, because the packets seem to originate from an address they are not really coming from. This might for example result in ID-systems reporting alarms from the wrong server or, even worse, not reporting alarms at all, depending on the configuration.

The people at OpenBSD have been informed about this today via sendbug(1), but the Bug Tracking System seems to be disabled at the moment.

T.
------------------------------
Torsten Valentin
General Manager
SecuLution GmbH
Friedenstr. 3b
59199 Bönen
Germany
E-Mail: info@4ss.de
http://www.4ss.de

----- End forwarded message -----

--
Barney Wolff  http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
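A log-server-side check for the condition Torsten describes, added here as an example and not code from the thread or from OpenBSD: each UDP datagram's source address is compared with the HOSTNAME field inside the BSD syslog message, against an assumed inventory of which source IPs each host may legitimately use. The inventory and datagrams below are constructed.

```python
"""Flag syslog datagrams whose UDP source IP disagrees with the HOSTNAME
field of the BSD syslog message they carry (<PRI>Mmm dd hh:mm:ss HOST ...).

Assumption: the log server keeps an inventory mapping each sending host's
name to the source IP(s) it is allowed to use. All sample data is constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # priority
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # Mmm dd hh:mm:ss
    r"(?P<host>\S+) "                                 # HOSTNAME field
    r"(?P<rest>.*)$"                                  # TAG and message
)

def parse_bsd_syslog(line: str) -> Optional[Dict[str, str]]:
    """Return PRI, timestamp, HOSTNAME and remainder, or None if not parsable."""
    m = _SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def check_origin(src_ip: str, line: str,
                 inventory: Dict[str, Set[str]]) -> Tuple[str, Optional[str]]:
    """Compare the datagram's UDP source IP with the inventory entry for the
    host named inside the message. Returns (verdict, hostname)."""
    parsed = parse_bsd_syslog(line)
    if parsed is None:
        return ("unparsable", None)
    host = parsed["host"]
    allowed = inventory.get(host)
    if allowed is None:
        return ("unknown-host", host)
    if src_ip in allowed:
        return ("ok", host)
    # The reported case: the body names the right host, but the packet left
    # with a stale source address, so source-IP-based attribution is wrong.
    return ("mismatch", host)

# Constructed inventory and (src_ip, payload) datagrams for a demonstration run.
INVENTORY = {"gw1": {"192.0.2.10"}, "web1": {"192.0.2.20"}}
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", "<38>Nov 20 16:36:43 gw1 sshd[1234]: Accepted publickey for op from 198.51.100.7"),
    ("192.0.2.11", "<38>Nov 20 16:40:01 gw1 sshd[1240]: Failed password for root from 198.51.100.9"),
    ("192.0.2.20", "<13>Nov 20 16:41:15 web1 httpd: restarting"),
    ("203.0.113.5", "<13>Nov 20 16:42:00 db9 cron[77]: job ran"),
    ("192.0.2.20", "garbage with no syslog header"),
]

def run_checks(datagrams=SAMPLE_DATAGRAMS, inventory=INVENTORY) -> List[Tuple[str, str, Optional[str]]]:
    """Return (verdict, src_ip, host) per datagram; anything but 'ok' needs a look."""
    return [(*check_origin(ip, line, inventory)[:1], ip, check_origin(ip, line, inventory)[1])
            for ip, line in datagrams]
```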