Date:      Thu, 7 Sep 1995 00:36:42 +0800 (CST)
From:      Brian Tao <taob@gate.sinica.edu.tw>
To:        freebsd-security@freebsd.org
Subject:   Do we *really* need logger(1)?
Message-ID:  <Pine.SOL.3.91.950906235946.15418C-100000@gate>

    I was looking through my lp wrapper shell script (basically redirects 
output to an SGI elsewhere on the LAN, while passing options and 
around).  I use logger(1) to keep track of who uses the command.  With 
the recent hoopla with sprintf() and lack of bounds checking in 
syslogd(), it dawned on me that logger(1) could be a hacker's dream.

    Forget for a moment that logger gives any user convenient access to 
syslogd.  Any user could cause the sysadmin grief by issuing something 
like:

% logger -t login login from evil.com as root

... or perhaps use the LOG_EMERG priority level (logger does not call 
setlogmask() at all):

% logger -p kern.emerg -t /kernel WARNING: Core meltdown imminent\!

    Of course, you could substitute a non-bogus message and there would 
be no immediate way of telling if the syslog entry was real or caused by 
a prankster.  The point is that any user can easily write to a file owned 
and normally writeable only by root.  "logger -f huge.core" can easily 
fill up your /var filesystem.  For your convenience, it will even take 
input from stdin.

    This essentially makes /var/log/messages untrustworthy and possibly 
dangerous if you rely on it for accounting or resource tracking 
purposes.  I checked my machines and SunOS, Solaris, IRIX, AIX and 
FreeBSD all have this facility.  Since logger is so widespread, I wonder 
if perhaps I am just stirring up a storm in a teacup?  It certainly 
*looks* like a rather dangerous tool to have sitting around.

    Since syslogd runs as root (getting back to the recent 8lgm advisory),
would it be possible to use logger to overrun its stack and somehow get it to
execute a root shell or do other dastardly deeds a la Internet Worm?  
Could someone then distribute a file that any user can feed to logger 
to exploit this hole?

    Please keep me in the cc list since I won't be subscribed to 
freebsd-security for the next couple of weeks (in the process of moving 
back to Toronto).  Thanks.
--
Brian ("Though this be madness, yet there is method in't") Tao
taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org
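The mail's point is that a syslog record's facility, severity and tag are all chosen by the sender, so an entry logged with `logger -p kern.emerg -t /kernel` is indistinguishable in /var/log/messages from a real kernel message. The one thing a collector does know is which input a record arrived on: BSD syslogd reads kernel messages from /dev/klog and everything else from the world-writable /dev/log socket. The checker below is an added example, not code from the thread or from any syslogd; it decodes the `<PRI>` header of RFC 3164-style datagrams, and flags records whose claimed facility or tag does not fit the input they came in on, oversized records, and per-tag floods. The sample datagrams, the `PRIVILEGED_TAGS` set, the size bound and the flood threshold are constructed for the example.

```python
"""
Added example: audit syslog datagrams against the input they arrived on.
Not part of the original mail or of any syslogd implementation.
"""
import re
from collections import Counter

# RFC 3164 facility codes 0..23 and severity codes 0..7; PRI = facility*8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Heuristic chosen for this example: tags that only privileged code should emit.
# A record with one of these tags that arrives on the user socket without a PID
# cannot be tied to a process and is reported as unverified.
PRIVILEGED_TAGS = {"/kernel", "kernel", "login", "su", "sshd"}
MAX_MSG_LEN = 1024        # RFC 3164 packet limit, used here as a size sanity bound
FLOOD_THRESHOLD = 100     # per-tag count above which a user-socket stream is a flood

_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d )?"    # optional BSD timestamp
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$",
    re.DOTALL,
)


def parse_datagram(raw):
    """Decode <PRI>, tag, optional [pid] and message text of one datagram."""
    m = _LINE.match(raw)
    if not m:
        raise ValueError(f"not a syslog datagram: {raw[:40]!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range")
    fac, sev = divmod(pri, 8)
    return {
        "facility": FACILITIES[fac],
        "severity": SEVERITIES[sev],
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def audit_record(source, raw):
    """source is 'klog' (kernel log device) or 'logsock' (user-writable socket)."""
    rec = parse_datagram(raw)
    findings = []
    if source == "logsock":
        # Only the kernel device can legitimately carry the kern facility.
        if rec["facility"] == "kern":
            findings.append("kern facility claimed by a message from the user log socket")
        if rec["tag"] in PRIVILEGED_TAGS and rec["pid"] is None:
            findings.append(f"privileged tag {rec['tag']!r} without PID from user socket")
    if len(raw) > MAX_MSG_LEN:
        findings.append(f"oversized datagram ({len(raw)} bytes)")
    return rec, findings


def audit_stream(datagrams):
    """Run audit_record over (source, raw) pairs and add per-tag flood findings."""
    report = []
    per_tag = Counter()
    for source, raw in datagrams:
        rec, findings = audit_record(source, raw)
        per_tag[(source, rec["tag"])] += 1
        report.extend((rec["tag"], f) for f in findings)
    for (source, tag), n in per_tag.items():
        if source == "logsock" and n > FLOOD_THRESHOLD:
            report.append((tag, f"flood: {n} messages from user socket"))
    return report


# Constructed sample input: a genuine kernel record, the same text forged via the
# user socket, a forged login record, a legitimate wrapper record with a PID,
# an oversized record, and a flood of filler records.
SAMPLE = [
    ("klog", "<0>/kernel: WARNING: Core meltdown imminent!"),
    ("logsock", "<0>/kernel: WARNING: Core meltdown imminent!"),
    ("logsock", "<38>login: login from evil.com as root"),
    ("logsock", "<13>lpwrap[4242]: taob printed /tmp/report.ps"),
    ("logsock", "<13>junk: " + "x" * 2000),
] + [("logsock", "<13>junk: filler")] * 150

if __name__ == "__main__":
    for tag, finding in audit_stream(SAMPLE):
        print(f"{tag:10s} {finding}")
```

The check cannot prove a record genuine; it only separates records that syslogd could vouch for (kernel device, or a tag with a PID that accounting can be matched against) from those any user could have produced with logger(1), which is what the mail says /var/log/messages alone cannot do.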