Re: Mandrakelinux Advisory: sysklogd

From: Martin Schulze (joey@infodrom.org)
Date: Thu Apr 29 2004 - 12:03:12 CEST


> Mandrakelinux Advisory: sysklogd
>
> Mandrakelinux Security Update Advisory
>
> Package name: sysklogd
>
> Advisory ID: MDKSA-2004:038
>
> Date: April 28th, 2004
>
> Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, Multi
> Network Firewall 8.2
>
> Problem Description:
>
> Steve Grubb discovered a bug in sysklogd where it allocates an
> insufficient amount of memory which causes sysklogd to write to
> unallocated memory. This could allow for a malicious user to crash
> sysklogd.

Are you able to explain how this could happen?

The problematic code reads command-line arguments that

 1. can only be specified by root since only root can execute
    syslogd and access all sockets and log dirs; it is not installed
    setuid or setgid

 2. only very few people probably use -l/-s

 3. you could run syslog via sudo but if you don't trust the user
    executing syslogd there are easier ways to gain root access than
    to craft an exploit for this.

We are talking about

- if ((result = (char **)malloc(sizeof(char *) * count+2)) == NULL) {
+ if ((result = (char **)malloc(sizeof(char *) * (count+2))) == NULL) {
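
Review bot: on the `+` line the allocation size is still a hand-written product, `sizeof(char *) * (count+2)`, the same form in which the precedence slip on the `-` line occurred (there `sizeof(char *) * count+2` parses as `(sizeof(char *) * count) + 2`, which gives two extra bytes rather than room for two extra pointers). Consider `calloc(count + 2, sizeof(*result))`, which takes the element count and element size as separate arguments so there is no product to mis-parenthesise. The `(char **)` cast on the return value is also unnecessary in C.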

in syslogd / crunch_list, right?

It is my understanding that this problem cannot be exploited with
a non-root user, and when already being root it won't pose more
problems to become root again.

Regards,

        Joey

-- 
GNU GPL: "The source will be with you... always."

