Date: Fri, 3 Oct 2014 12:03:12 +0000 From: mancha <mancha1@...o.com> To: oss-security@...ts.openwall.com Subject: Re: sysklogd vulnerability (CVE-2014-3634) On Fri, Oct 03, 2014 at 03:26:09PM +0400, Solar Designer wrote: > > What about the DoS impact claimed here, though? - > > http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/ > > sysklogd ~~~~~~~~ A segfault seems possible in sysklogd if a negative > facility value (due to integer overrun in facility parsing) is used. > This could be used to carry out a remote DoS. > > If this can be used to crash syslogd, it's "real security impact", > even if rather limited. > > Have you tried triggering this condition (getting syslogd to crash)? > > Alexander The potential for large negative offsets due to integer overflows was introduced to rsyslog via their first set of patches meant to fix CVE-2014-3634. This has since been corrected and assigned CVE-2014-3683. In sysklogd's case, the priority is masked by (LOG_FACMASK|LOG_PRIMASK) which means the possible range for priorities is 0-1023 (192-1023 being invalid). So, that overflow vector doesn't exist in sysklogd (which never adapted rsyslog's first fix). At most you get a facility of 127 while f_pmask has size 25, ergo OOB access. I have done enough testing that I am relatively confident no security impact exists other than the aforementioned message-processing issues which would apply to the would-be attacker's own message. That said, applying the fix eliminates all doubt. --mancha [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ