Re: Mandrakelinux Advisory: sysklogd

From: Vincent Danen (vdanen@mandrakesoft.com)
Date: Thu Apr 29 2004 - 16:54:48 CEST


On Apr 29, 2004, at 4:03 AM, Martin Schulze wrote:

>> Mandrakelinux Advisory: sysklogd
>>
>> Mandrakelinux Security Update Advisory
>>
>> Package name: sysklogd
>>
>> Advisory ID: MDKSA-2004:038
>>
>> Date: April 28th, 2004
>>
>> Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, Multi
>> Network Firewall 8.2
>>
>> Problem Description:
>>
>> Steve Grubb discovered a bug in sysklogd where it allocates an
>> insufficient amount of memory which causes sysklogd to write to
>> unallocated memory. This could allow for a malicious user to crash
>> sysklogd.
>
> Are you able to explain how this could happen?

Not really... I'm basing the advisory on discussion of the bug. This
is how Steve reported it and when Solar was talking about it, he didn't
say this was impossible IIRC; he pointed out some other issues and it
sounded to me like he saw this as an issue.

> The problematic code reads commandline arguments that
>
> 1. can only be specified by root since only root can execute
> syslogd and access all sockets and log dirs, it is not installed
> setuid or setgid

Right.

> 2. only very few people probably use -l/-s

Hmmm... yes, I can see that.

> 3. you could run syslog via sudo but if you don't trust the user
> executing syslogd there are easier ways to gain root access than
> to craft an exploit for this.

I actually don't know who would run syslog via sudo, or why they would
do it.

> We are talking about
>
> - if ((result = (char **)malloc(sizeof(char *) * count+2)) ==
> NULL) {
> + if ((result = (char **)malloc(sizeof(char *) * (count+2))) ==
> NULL) {
>
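Review bot: the removed line's `sizeof(char *) * count+2` binds as `(sizeof(char *) * count) + 2`, so it requests `count` pointer slots plus two bytes rather than `count+2` pointer slots, and the two trailing entries the `+2` was meant to cover land past the end of the allocation. The added line's parentheses are the right fix; `calloc(count + 2, sizeof(char *))` would express the same intent without depending on parenthesization and would additionally fail cleanly if the multiplication overflowed.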
> in syslogd / crunch_list, right?

Yes.

> It is my understanding that this problem cannot be exploited with
> a non-root user, and when already being root it won't pose more
> problems to become root again.

Could be. I'm not claiming to know the ins and outs of this one, so
there may be something I've missed or we've both missed. I used the
description of the problem that Steve provided and didn't do much
beyond participating in the discussion of it and building/testing it.
With all the other things going on at the moment, taking an in-depth
look at it just wasn't feasible.

Of course, Steve didn't provide any kind of exploit, so maybe this is
seen as a "worst case" scenario of some sort, I'm not sure. Either
way, it sounded like something needing fixing, but whether the problem
is as bad as the advisory made it sound remains to be seen I guess.

Sorry I don't have further details on this... I pretty much took it at
face value since there was no time to really explore it. Talking to
Steve and/or Solar Designer will likely provide you with the info
you're looking for.

-- 
Mandrakesoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
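The allocation slip discussed in this thread, shown as an added example that is not part of the original message, of the advisory, or of sysklogd's own code: `buggy_alloc_bytes` and `fixed_alloc_bytes` evaluate the two expressions from the quoted patch so the byte shortfall can be measured, and `split_list` is a hypothetical comma-list splitter in the spirit of `crunch_list` (the name and its behaviour are assumptions, not sysklogd's code) that counts commas and sizes the array with `calloc(count + 2, ...)`, which cannot reproduce the precedence mistake.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes requested by the expression in the removed line of the patch:
 * sizeof(char *) * count+2 binds as (sizeof(char *) * count) + 2,
 * i.e. count pointer slots plus two bytes. */
size_t buggy_alloc_bytes(size_t count) {
    return sizeof(char *) * count + 2;
}

/* Bytes requested by the expression in the added line of the patch:
 * count + 2 pointer slots. */
size_t fixed_alloc_bytes(size_t count) {
    return sizeof(char *) * (count + 2);
}

/* How many bytes short the buggy request is: always 2*sizeof(char *) - 2,
 * regardless of count (6 bytes on a 32-bit build, 14 on a 64-bit one). */
size_t alloc_shortfall(size_t count) {
    return fixed_alloc_bytes(count) - buggy_alloc_bytes(count);
}

/* Free a NULL-terminated array of strings produced by split_list. */
void free_list(char **list) {
    if (!list) return;
    for (size_t i = 0; list[i]; i++) free(list[i]);
    free(list);
}

/* Number of entries in a NULL-terminated string array. */
size_t list_len(char **list) {
    size_t n = 0;
    while (list[n]) n++;
    return n;
}

/* Hypothetical comma-list splitter (assumed design, not sysklogd's code).
 * count is the number of commas, so there are count + 1 entries and one
 * more slot is needed for the terminating NULL: count + 2 slots in all,
 * exactly the "+2" the patch is about. Returns NULL on allocation failure. */
char **split_list(const char *list) {
    size_t count = 0;
    for (const char *p = list; *p; p++)
        if (*p == ',') count++;

    /* calloc takes element count and element size separately, so the
     * multiplication is done by the allocator and checked for overflow;
     * the array also starts out NULL-filled. */
    char **result = calloc(count + 2, sizeof(char *));
    if (!result) return NULL;

    size_t i = 0;
    const char *start = list;
    for (;;) {
        const char *end = strchr(start, ',');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        char *item = malloc(len + 1);
        if (!item) { free_list(result); return NULL; }
        memcpy(item, start, len);
        item[len] = '\0';
        result[i++] = item;           /* i never exceeds count + 1 here */
        if (!end) break;
        start = end + 1;
    }
    result[i] = NULL;                 /* slot count + 1 at most */
    return result;
}

int main(void) {
    /* Constructed sample input. */
    char **l = split_list("kern,mail,auth");
    if (!l) return 1;
    printf("entries: %zu, shortfall of buggy request: %zu bytes\n",
           list_len(l), alloc_shortfall(2));
    free_list(l);
    return 0;
}
```

The shortfall does not depend on `count`, which is why the bug is easy to miss in testing: every call overruns the buffer by the same small amount, and whether that corrupts anything depends on the allocator's rounding rather than on the input.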




This archive was generated by hypermail 2.1.7 : Thu Apr 29 2004 - 17:28:26 CEST