Date: Thu, 7 Sep 1995 00:36:42 +0800 (CST) From: Brian Tao <taob@gate.sinica.edu.tw> To: freebsd-security@freebsd.org Subject: Do we *really* need logger(1)? Message-ID: <Pine.SOL.3.91.950906235946.15418C-100000@gate>
next in thread | raw e-mail | index | archive | help
I was looking through my lp wrapper shell script (basically redirects output to an SGI elsewhere on the LAN, while passing options and around). I use logger(1) to keep track of who uses the command. With the recent hoopla with sprintf() and lack of bounds checking in syslogd(), it dawned on me that logger(1) could be a hacker's dream. Forget for a moment that logger gives any user convenient access to syslogd. Any user could cause the sysadmin grief by issuing something like: % logger -t login login from evil.com as root ... or perhaps use the LOG_EMERG priority level (logger does not call setlogmask() at all): % logger -p kern.emerg -t /kernel WARNING: Core meltdown imminent\! Of course, you could substitute a non-bogus message and there would be no immediate way of telling if the syslog entry was real or caused by a prankster. The point is that any user can easily write to a file owned and normally writeable only by root. "logger -f huge.core" can easily fill up your /var filesystem. For your convenience, it will even take input from stdin. This essentially makes /var/log/messages untrustworthy and possibly dangerous if you rely on it for accounting or resource tracking purposes. I checked my machines and SunOS, Solaris, IRIX, AIX and FreeBSD all have this facility. Since logger is so widespread, I wonder if perhaps I am just stirring up a storm in a teacup? It certainly *looks* like a rather dangerous tool to have sitting around. Since syslogd runs as root (getting back to the recent 8lgm advisory), would it be possible to use logger to overrun its stack and somehow get it to execute a root shell or do other dastardly deeds a la Internet Worm? Could someone then distribute an file that any user can feed to logger to exploit this hole? Please keep me in the cc list since I won't be subscribed to freebsd-security for the next couple of weeks (in the process of moving back to Toronto). Thanks. -- Brian ("Though this be madness, yet there is method in't") Tao taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.SOL.3.91.950906235946.15418C-100000>