Date: Tue, 25 Jan 2011 11:07:15 +0100 From: SZALAY Attila <sasa@...abit.hu> To: bugtraq@...urityfocus.com, oss-security@...ts.openwall.com Subject: syslog-ng wrong file permission vulnerability ========================================================================== syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE <= Information leak, access prevention and possible priviledge escalation CVE-2011-0343 ========================================================================== 1. OVERVIEW Versions 3.0, 3.1 and 3.2 of syslog-ng Open Source Edition (OSE) and versions 3.0, 3.1 and 3.2 of syslog-ng Premium Edition (PE) create log files with all permission bit set by default on FreeBSD and HP-UX architectures. These permissions allow anybody with local access to read and write the log files. The setuid and execution bits are also set, allowing the log files to be executed. 2. BACKGROUND The syslog-ng application is an enhanced version of the default Syslog service found on FreeBSD and other UNIX and Unix-like operating systems. The syslog- ng application supports reliable and encrypted transport using TCP and TLS, SQL support, and offers powerful message filtering, sorting, pre-processing and log normalization capabilities. Utilizing message parsing and classification, syslog-ng is able to correlate log messages both real-time and offline, making it especially suited to implement the artificial ignorance principle. 3. VULNERABILITY DESCRIPTION This vulnerability affects only architectures where sizeof(mod_t) is not equal to sizeof(int). Because of bad casts in the code and the internal representation of the ``use the default permission'' setting being -1, this number in the chmod call is interpreted as 07777. This means that the permission of the file is readable, writable and executable to all, and the setuid, setgid, and sticky bits are set. Everybody who can see the file can read it, write it and even run it with root permission. 4. VERSIONS AFFECTED The following table summarizes in which product versions is the vulnerable code present and in which versions has it been corrected. syslog-ng Open Source Edition (OSE): Branch Vulnerable from Fixed in 2.0.X this branch is not vulnerable 3.0.X 3.0.7 3.0.10 3.1.X 3.1.3 3.1.4 3.2.X 3.2alpha1 3.2.2? syslog-ng Premium Edition (PE): Branch Vulnerable from Fixed in 3.0.X 3.0.6 3.0.6a 3.1.X this branch is not vulnerable 3.2.X 3.2.0 3.2.1a 5. PROOF-OF-CONCEPT/EXPLOIT None. But it's easy to imagine. 6. IMPACT This problem causes that every user can see, modify or destroy the log messages directly and make it difficult to detect harmful operations. With a small trick even (shell)code execution is possible with root permissions, causing privilege escalation. 7. SOLUTION Upgrade to a newer, unaffected version. syslog-ng Open Source Edition (OSE): 3.0.X 3.0.10 3.1.X 3.1.4 3.2.X 3.2.2 syslog-ng Premium Edition (PE): 3.0.X 3.0.6a 3.2.X 3.2.1a 8. VENDOR BalaBit IT Security Ltd. http://www.balabit.com Product page: http://www.balabit.com/network-security/syslog-ng/ 9. CREDIT This vulnerability was discovered by Steven Chamberlain steven :at: pyro dot eu dot org 10. DISCLOSURE TIME-LINE 2010-12-31: The problem reported to the debian bug tracking system 2010-12-31: notified vendor by the debian maintainer 2011-01-01: upstream proposed a fix 2011-01-02: freebsd port maintainer notified 2011-01-07: every linux port notified 2011-01-10: PE version 3.0.6a and 3.2.1a released 2011-01-14: OSE version 3.0.10 and 3.1.4 released 2011-01-16: OSE version 3.2.2 released 11. VENDOR RESPONSE 12. REFERENCES Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608491 Debian security track: http://security-tracker.debian.org/tracker/CVE-2011-0343 upstream patch: http://git.balabit.hu/?p=bazsi/syslog-ng-3.0.git;a=commit;h=17531d911d544687fb9c5bd3b130dd5bf7903db0 upstream patch: http://git.balabit.hu/?p=bazsi/syslog-ng-3.1.git;a=commit;h=cbcea8c95c3f07ed9eaa4d12f124db8f8ca2f74b upstream patch: http://git.balabit.hu/?p=bazsi/syslog-ng-3.2.git;a=commit;h=96af7607873e126ecee0eb51a5fff46a920c5630 upstream announcement: https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html upstream announcement: https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html upstream announcement: https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000103.html upstream announcement: https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000104.html upstream announcement: https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000105.html freebsd port: http://www.freshports.org/commit.php?category=sysutils&port=syslog-ng3&files=yes&message_id=201101041550.p04Fov6n028317@repoman.freebsd.org -- SZALAY Attila Support (L3) Team Leader e-mail: attila.szalay@...abit.com BalaBit IT Security www.balabit.com H-1115 Bártfai str. 54. Budapest This Communication is Confidential. We only send and receive email on the basis of the terms set out at http://www.balabit.com/disclaimer/.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.