From owner-freebsd-security Wed Sep 6 09:39:35 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.11/8.6.6) id JAA11413 for security-outgoing; Wed, 6 Sep 1995 09:39:35 -0700
Received: from gate.sinica.edu.tw (gate.sinica.edu.tw [140.109.14.2]) by freefall.freebsd.org (8.6.11/8.6.6) with SMTP id JAA11304 for ; Wed, 6 Sep 1995 09:39:22 -0700
Received: by gate.sinica.edu.tw (5.x/SMI-SVR4) id AA22789; Thu, 7 Sep 1995 00:36:43 +0800
Date: Thu, 7 Sep 1995 00:36:42 +0800 (CST)
From: Brian Tao
To: freebsd-security@freebsd.org
Subject: Do we *really* need logger(1)?
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@freebsd.org
Precedence: bulk

I was looking through my lp wrapper shell script (basically redirects output to an SGI elsewhere on the LAN, while passing options and around). I use logger(1) to keep track of who uses the command. With the recent hoopla with sprintf() and lack of bounds checking in syslogd(), it dawned on me that logger(1) could be a hacker's dream.

Forget for a moment that logger gives any user convenient access to syslogd. Any user could cause the sysadmin grief by issuing something like:

    % logger -t login login from evil.com as root

... or perhaps use the LOG_EMERG priority level (logger does not call setlogmask() at all):

    % logger -p kern.emerg -t /kernel WARNING: Core meltdown imminent\!

Of course, you could substitute a non-bogus message and there would be no immediate way of telling if the syslog entry was real or caused by a prankster. The point is that any user can easily write to a file owned and normally writeable only by root. "logger -f huge.core" can easily fill up your /var filesystem. For your convenience, it will even take input from stdin. This essentially makes /var/log/messages untrustworthy and possibly dangerous if you rely on it for accounting or resource tracking purposes.

I checked my machines and SunOS, Solaris, IRIX, AIX and FreeBSD all have this facility. Since logger is so widespread, I wonder if perhaps I am just stirring up a storm in a teacup? It certainly *looks* like a rather dangerous tool to have sitting around. Since syslogd runs as root (getting back to the recent 8lgm advisory), would it be possible to use logger to overrun its stack and somehow get it to execute a root shell or do other dastardly deeds a la Internet Worm? Could someone then distribute a file that any user can feed to logger to exploit this hole?

Please keep me in the cc list since I won't be subscribed to freebsd-security for the next couple of weeks (in the process of moving back to Toronto). Thanks.

--
Brian ("Though this be madness, yet there is method in't") Tao
taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org
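The two abuses described in the post, a forged entry under a trusted tag and a flood that fills /var, are the kind of thing an admin who relies on /var/log/messages would want to spot after the fact. The following audit script is an added example and is not part of the original mail or of any BSD tool; it parses BSD-style syslog text lines and flags entries whose tag is on a per-tag shape list but whose message does not look like what the genuine program emits, plus bursts of lines from one tag within one minute. The expected login(1) message shapes, the host name, the lpwrap tag and all sample log lines are constructed for the example.

```python
import re
from collections import Counter

# BSD syslog text line: "Sep  6 09:39:35 host tag[pid]: message".
# The timestamp is captured to the minute so bursts can be counted per minute.
LINE_RE = re.compile(
    r'^(?P<minute>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}):\d{2} '
    r'(?P<host>\S+) '
    r'(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<msg>.*)$'
)

# Message shapes the genuine program is expected to produce, keyed by tag.
# ASSUMED for this example: BSD login(1) reports in upper case, e.g.
# "ROOT LOGIN (root) ON ttyv0" or "LOGIN FAILURE ON ttyp1, bob".
EXPECTED_SHAPE = {
    "login": re.compile(r'^(ROOT LOGIN \(\S+\) ON \S+|LOGIN FAILURE ON .+)$'),
}


def parse_line(line):
    """Return a dict with minute/host/tag/pid/msg, or None if the line is not syslog-shaped."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def audit(lines, shapes=EXPECTED_SHAPE, burst_threshold=20):
    """Return a list of (reason, detail) findings for suspicious log lines.

    reasons: "unparseable"     - line does not match the syslog layout
             "format-mismatch" - tag has a known shape and the message breaks it
             "burst"           - one tag wrote more than burst_threshold lines in a minute
    """
    findings = []
    per_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", line))
            continue
        shape = shapes.get(rec["tag"])
        if shape and not shape.match(rec["msg"]):
            findings.append(("format-mismatch", line))
        per_minute[(rec["tag"], rec["minute"])] += 1
    for (tag, minute), n in per_minute.items():
        if n > burst_threshold:
            findings.append(("burst", f"{tag} wrote {n} lines in minute {minute}"))
    return findings


# Constructed sample: one genuine login record, one forged "login" record of the
# kind the post describes, a forged kernel warning, and a 30-line flood from an
# lp wrapper (all hypothetical).
SAMPLE_LINES = [
    "Sep  6 09:30:01 gate login: ROOT LOGIN (root) ON ttyv0",
    "Sep  6 09:31:12 gate login: login from evil.com as root",
    "Sep  6 09:31:40 gate /kernel: WARNING: Core meltdown imminent!",
    "Sep  6 09:32:00 gate lpwrap[1234]: taob printed /tmp/report.ps",
] + [f"Sep  6 09:33:{s:02d} gate lpwrap[1234]: filler" for s in range(30)]


if __name__ == "__main__":
    for reason, detail in audit(SAMPLE_LINES):
        print(f"{reason:16} {detail}")
```

The forged kernel line is deliberately not caught: kernel messages and a `logger -t /kernel` line look identical in the text log, which is exactly the post's point. The shape check only helps for tags whose real output has a fixed form, and the burst counter only catches the crude "fill up /var" case; neither substitutes for restricting who can write to syslogd.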