Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 3 Oct 2014 12:03:12 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Subject: Re: sysklogd vulnerability (CVE-2014-3634)

On Fri, Oct 03, 2014 at 03:26:09PM +0400, Solar Designer wrote:
> 
> What about the DoS impact claimed here, though? -
> 
> http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/
> 
>  sysklogd ~~~~~~~~ A segfault seems possible in sysklogd if a negative
>  facility value (due to integer overrun in facility parsing) is used.
>  This could be used to carry out a remote DoS.
> 
> If this can be used to crash syslogd, it's "real security impact",
> even if rather limited.
> 
> Have you tried triggering this condition (getting syslogd to crash)?
> 
> Alexander

The potential for large negative offsets due to integer overflows was
introduced to rsyslog via their first set of patches meant to fix
CVE-2014-3634. This has since been corrected and assigned CVE-2014-3683.  

In sysklogd's case, the priority is masked by (LOG_FACMASK|LOG_PRIMASK)
which means the possible range for priorities is 0-1023 (192-1023 being
invalid). So, that overflow vector doesn't exist in sysklogd (which
never adapted rsyslog's first fix). At most you get a facility of 127
while f_pmask has size 25, ergo OOB access.

I have done enough testing that I am relatively confident no security
impact exists other than the aforementioned message-processing issues
which would apply to the would-be attacker's own message. That said,
applying the fix eliminates all doubt.  

--mancha

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ