Subject: SECURITY ALERT: syslog(3)
To: None <staff@apple.com, cog@taurus.apple.com>
From: Erik E. Fair <fair@apple.com>
List: netbsd-bugs
Date: 08/29/1995 11:13:50
------- Forwarded Message
id AA26928; Tue, 29 Aug 95 08:57:57 -0700
for fair
Message-Id: <199508291533.IAA18524@mastodon.CS.Berkeley.EDU>
To: sendmail-vendors@mastodon.CS.Berkeley.EDU,
sendmail-beta@mastodon.CS.Berkeley.EDU
From: Eric Allman <eric@CS.Berkeley.EDU>
Cc: Edward DeHart <ecd@cert.org>
Subject: SECURITY ALERT: syslog(3)
Date: Tue, 29 Aug 1995 08:33:00 -0700
This problem is arguably incidental to sendmail, but it is clear that
sendmail is one vector for the attack. Enclosed is the 8lgm announcement
and an updated version of syslog(3) (based on the 4.4bsd version -- YMMV)
that tries to get around the problem. Note that it does a better job if
you have vsnprintf available.
This has not been extensively tested, and I know that it is a bit rough;
in particular, it doesn't compile on systems that have changed the return
value of syslog from void to int (e.g., OSF/1). The changes should be
pretty obvious there. I have tried to make it possible for it to work
with the vendor <syslog.h> file, but I'm including that anyhow just in
case you want to take the whole thing.
Please let me know if you encounter any problems or make any enhancements.
I'll probably post something more publicly in a day or two.
eric
- ------- Forwarded Message
Date: Tue, 29 Aug 1995 03:18:01 GMT
From: "[8lgm] Security Team" <8lgm@8lgm.org>
Reply-To: "[8lgm] Security Team" <8lgm@8lgm.org>
To: "comp.mail.sendmail mail newsgroup" <comp-news@dl.ac.uk>
Subject: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
[8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
VULNERABLE PROGRAMS:
All programs calling syslog(3) with user supplied data, without
checking argument lengths.
KNOWN VULNERABLE PLATFORMS:
SunOS 4.1.*
KNOWN SECURE PLATFORMS:
None at present.
DESCRIPTION:
syslog(3) uses an internal buffer to build messages. However
it performs no bound checking, and relies on the caller to
check arguments passed to it.
IMPACT:
Local and remote users can obtain root access.
REPEAT BY:
We have written an example exploit to overwrite syslog(3)'s
internal buffer using SunOS sendmail(8). However due to the
severity of this problem, this code will not be made available
to anyone at this time. Please note that the exploit was fairly
straightforward to put together, therefore expect exploits to be
widely available soon after the release of this advisory.
Here is an edited sample of using a modified telnet client to
obtain a root shell through SunOS sendmail(8) on a sparc
based machine.
legless[8lgm]% syslog_telnet localhost smtp
Trying 127.0.0.1 ...
Connected to localhost.
Escape character is '^]'.
220 legless.8lgm.org Sendmail 4.1/SMI-4.1 ready at Sun,\
27 Aug 95 15:56:27 BST
mail from: root
250 root... Sender ok
rcpt to: root
250 root... Recipient ok
data
354 Enter mail, end with "." on a line by itself
^]
syslog_telnet>
### At this point, we provide some information to the modified
### telnet client about the remote host. Then sparc instructions
### are sent over the link within the body of the message to
### execute a shell.
###
### As soon as data is finished (with .), sendmail will eventually
### report, through syslog(3), data about this message. syslog's
### internal buffer will be overwritten, and our supplied
### instructions are executed.
Hit <cr>, then .<cr>
.
/usr/bin/id;
uid=0(root) gid=0(wheel) groups=0(wheel)
/bin/sh: ^M: not found
uptime;
3:57pm up 1:25, 5 users, load average: 0.11, 0.05, 0.00
/bin/sh: ^M: not found
exit;
Connection closed by foreign host.
### Here we can see that sendmail has execed a shell as root,
### and that we can type commands. (lines ending in ; are
### user input through the telnet client).
###
### This exploit could be further expanded upon to encapsulate
### instructions within the body of a message, which can then
### be mailed out to a site (ie without the necessity to connect
### directly to the smtp port). This may be used to bypass
### firewalls.
WORKAROUNDS:
We have two methods to ensure that syslog(3) can not be used in
the above manner.
Fix syslog(3), to perform bound checking. Shared libraries
can be then fixed to use the new function. Statically linked
programs will require rebuilding.
Alternatively, ensure all calls to syslog(3), by all programs,
check all arguments passed to syslog(3).
Ideally both of the above should be implemented.
FIX:
Contact vendors for fixes.
STATUS UPDATE:
The file:
[8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995.README
will be created on www.8lgm.org. This will contain updates on
any further versions which are found to be vulnerable, and any
other information received pertaining to this advisory.
- - -----------------------------------------------------------------------
FEEDBACK AND CONTACT INFORMATION:
majordomo@8lgm.org (Mailing list requests - try 'help'
for details)
8lgm@8lgm.org (Everything else)
8LGM FILESERVER:
All [8LGM] advisories may be obtained via the [8LGM] fileserver.
For details, 'echo help | mail 8lgm-fileserver@8lgm.org'
8LGM WWW SERVER:
[8LGM]'s web server can be reached at http://www.8lgm.org.
This contains details of all 8LGM advisories and other useful
information.
===========================================================================
- ------- End of Forwarded Message
- ------- syslog.h
/*
* Copyright (c) 1982, 1986, 1988, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)syslog.h 8.1 (Berkeley) 6/2/93
*/
#define _PATH_LOG "/dev/log"
/*
* priorities/facilities are encoded into a single 32-bit quantity, where the
* bottom 3 bits are the priority (0-7) and the top 28 bits are the facility
* (0-big number). Both the priorities and the facilities map roughly
* one-to-one to strings in the syslogd(8) source code. This mapping is
* included in this file.
*
* priorities (these are ordered)
*/
#define LOG_EMERG 0 /* system is unusable */
#define LOG_ALERT 1 /* action must be taken immediately */
#define LOG_CRIT 2 /* critical conditions */
#define LOG_ERR 3 /* error conditions */
#define LOG_WARNING 4 /* warning conditions */
#define LOG_NOTICE 5 /* normal but significant condition */
#define LOG_INFO 6 /* informational */
#define LOG_DEBUG 7 /* debug-level messages */
#define LOG_PRIMASK 0x07 /* mask to extract priority part (internal) */
/* extract priority */
#define LOG_PRI(p) ((p) & LOG_PRIMASK)
#define LOG_MAKEPRI(fac, pri) (((fac) << 3) | (pri))
#ifdef SYSLOG_NAMES
#define INTERNAL_NOPRI 0x10 /* the "no priority" priority */
/* mark "facility" */
#define INTERNAL_MARK LOG_MAKEPRI(LOG_NFACILITIES, 0)
typedef struct _code {
char *c_name;
int c_val;
} CODE;
CODE prioritynames[] = {
"alert", LOG_ALERT,
"crit", LOG_CRIT,
"debug", LOG_DEBUG,
"emerg", LOG_EMERG,
"err", LOG_ERR,
"error", LOG_ERR, /* DEPRECATED */
"info", LOG_INFO,
"none", INTERNAL_NOPRI, /* INTERNAL */
"notice", LOG_NOTICE,
"panic", LOG_EMERG, /* DEPRECATED */
"warn", LOG_WARNING, /* DEPRECATED */
"warning", LOG_WARNING,
NULL, -1,
};
#endif
/* facility codes */
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* network news subsystem */
#define LOG_UUCP (8<<3) /* UUCP subsystem */
#define LOG_CRON (9<<3) /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
#define LOG_FTP (11<<3) /* ftp daemon */
/* other codes through 15 reserved for system use */
#define LOG_LOCAL0 (16<<3) /* reserved for local use */
#define LOG_LOCAL1 (17<<3) /* reserved for local use */
#define LOG_LOCAL2 (18<<3) /* reserved for local use */
#define LOG_LOCAL3 (19<<3) /* reserved for local use */
#define LOG_LOCAL4 (20<<3) /* reserved for local use */
#define LOG_LOCAL5 (21<<3) /* reserved for local use */
#define LOG_LOCAL6 (22<<3) /* reserved for local use */
#define LOG_LOCAL7 (23<<3) /* reserved for local use */
#define LOG_NFACILITIES 24 /* current number of facilities */
#define LOG_FACMASK 0x03f8 /* mask to extract facility part */
/* facility of pri */
#define LOG_FAC(p) (((p) & LOG_FACMASK) >> 3)
#ifdef SYSLOG_NAMES
CODE facilitynames[] = {
"auth", LOG_AUTH,
"authpriv", LOG_AUTHPRIV,
"cron", LOG_CRON,
"daemon", LOG_DAEMON,
"ftp", LOG_FTP,
"kern", LOG_KERN,
"lpr", LOG_LPR,
"mail", LOG_MAIL,
"mark", INTERNAL_MARK, /* INTERNAL */
"news", LOG_NEWS,
"security", LOG_AUTH, /* DEPRECATED */
"syslog", LOG_SYSLOG,
"user", LOG_USER,
"uucp", LOG_UUCP,
"local0", LOG_LOCAL0,
"local1", LOG_LOCAL1,
"local2", LOG_LOCAL2,
"local3", LOG_LOCAL3,
"local4", LOG_LOCAL4,
"local5", LOG_LOCAL5,
"local6", LOG_LOCAL6,
"local7", LOG_LOCAL7,
NULL, -1,
};
#endif
#ifdef KERNEL
#define LOG_PRINTF -1 /* pseudo-priority to indicate use of printf */
#endif
/*
* arguments to setlogmask.
*/
#define LOG_MASK(pri) (1 << (pri)) /* mask for one priority */
#define LOG_UPTO(pri) ((1 << ((pri)+1)) - 1) /* all priorities through pri */
/*
* Option flags for openlog.
*
* LOG_ODELAY no longer does anything.
* LOG_NDELAY is the inverse of what it used to be.
*/
#define LOG_PID 0x01 /* log the pid with each message */
#define LOG_CONS 0x02 /* log on the console if errors in sending */
#define LOG_ODELAY 0x04 /* delay open until first syslog() (default) */
#define LOG_NDELAY 0x08 /* don't delay open */
#define LOG_NOWAIT 0x10 /* don't wait for console forks: DEPRECATED */
#define LOG_PERROR 0x20 /* log to stderr as well */
#ifndef KERNEL
/*
* Don't use va_list in the vsyslog() prototype. Va_list is typedef'd in two
* places (<machine/varargs.h> and <machine/stdarg.h>), so if we include one
* of them here we may collide with the utility's includes. It's unreasonable
* for utilities to have to include one of them to include syslog.h, so we get
* _BSD_VA_LIST_ from <machine/ansi.h> and use it.
*/
#include <machine/ansi.h>
#include <sys/cdefs.h>
__BEGIN_DECLS
void closelog __P((void));
void openlog __P((const char *, int, int));
int setlogmask __P((int));
void syslog __P((int, const char *, ...));
void vsyslog __P((int, const char *, _BSD_VA_LIST_));
__END_DECLS
#endif /* !KERNEL */
- ------- syslog.c
/*
* Copyright (c) 1983, 1988, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)syslog.c 8.7 (Berkeley) 8/29/95";
#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <syslog.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#ifdef BSD4_4
# include <paths.h>
#else
# ifndef _PATH_CONSOLE
# define _PATH_CONSOLE "/dev/console"
# endif
# ifndef _PATH_LOG
# define _PATH_LOG "/dev/log"
# endif
#endif
#if __STDC__
# include <stdarg.h>
#else
# include <varargs.h>
# define const /* */
#endif
#ifndef USESNPRINTF
# if defined(BSD4_4)
# define USESNPRINTF 1 /* has snprintf(3), vsnprintf(3), etc. */
# else
# define USESNPRINTF 0 /* cheesy old C library */
# endif
#endif
#ifndef LOG_PERROR
# define LOG_PERROR 0
#endif
#define BUFSLOP 1024 /* overflow space */
static int LogFile = -1; /* fd for log */
static int connected; /* have done connect */
static int LogStat = 0; /* status bits, set by openlog() */
static const char *LogTag = NULL; /* string to tag the entry with */
static int LogFacility = LOG_USER; /* default facility code */
static int LogMask = 0xff; /* mask of priorities to be logged */
extern char *__progname; /* Program name, from crt0. */
/*
* syslog, vsyslog --
* print message on log file; output is intended for syslogd(8).
*/
void
#if __STDC__
syslog(int pri, const char *fmt, ...)
#else
syslog(pri, fmt, va_alist)
    int pri;
    char *fmt;
    va_dcl
#endif
{
    va_list ap;
    extern void vsyslog();

#if __STDC__
    va_start(ap, fmt);
#else
    va_start(ap);
#endif
    vsyslog(pri, fmt, ap);
    va_end(ap);
}

void
vsyslog(pri, fmt, ap)
    int pri;
    register const char *fmt;
    va_list ap;
{
    register int cnt;
    register char ch, *p, *t;
    time_t now;
    int fd, saved_errno;
    int n, toolong = 0;
    int panic = 0;
    static int maxsend = BUFSIZ;
    char *stdp, fmt_cpy[1024], tbuf[BUFSIZ + BUFSLOP];
    extern void openlog();

#define INTERNALLOG LOG_ERR|LOG_CONS|LOG_PERROR|LOG_PID
    /* Check for invalid bits. */
    if (pri & ~(LOG_PRIMASK|LOG_FACMASK)) {
        syslog(INTERNALLOG,
            "syslog: unknown facility/priority: %x", pri);
        pri &= LOG_PRIMASK|LOG_FACMASK;
    }

    /* Check priority against setlogmask values. */
    if (!(LOG_MASK(LOG_PRI(pri)) & LogMask))
        return;

    saved_errno = errno;

    /* Set default facility if none specified. */
    if ((pri & LOG_FACMASK) == 0)
        pri |= LogFacility;

    /* Get connected. */
    if (!connected)
        openlog(LogTag, LogStat | LOG_NDELAY, 0);

    /* Build the message. */
    (void)time(&now);
    sprintf(tbuf, "<%d>", pri);
    p = tbuf + strlen(tbuf);
    strftime(p, sizeof (tbuf) - (p - tbuf), "%h %e %T ", localtime(&now));
    p += strlen(p);
    stdp = p;
    if (LogTag == NULL)
        LogTag = __progname;
    if (LogTag != NULL) {
        sprintf(p, "%s", LogTag);
        p += strlen(p);
    }
    if (LogStat & LOG_PID) {
        sprintf(p, "[%d]", getpid());
        p += strlen(p);
    }
    if (LogTag != NULL) {
        *p++ = ':';
        *p++ = ' ';
    }

    /*
     * Substitute error message for %m.  The copy is bounded by the
     * size of fmt_cpy; a format that does not fit is replaced by a
     * fixed string so that vsprintf never sees a format that was cut
     * off in the middle of a conversion.
     */
    for (t = fmt_cpy; (ch = *fmt) != '\0'; ++fmt) {
        if (ch == '%' && fmt[1] == 'm') {
            char *e = strerror(saved_errno);

            ++fmt;
            if (strlen(e) > sizeof(fmt_cpy) - 1 - (t - fmt_cpy)) {
                toolong = 1;
                break;
            }
            strcpy(t, e);
            t += strlen(t);
        } else {
            if (t >= fmt_cpy + sizeof(fmt_cpy) - 1) {
                toolong = 1;
                break;
            }
            *t++ = ch;
        }
    }
    *t = '\0';
    if (toolong)
        strcpy(fmt_cpy, "syslog: format string too long");

#if USESNPRINTF
    cnt = maxsend - (p - tbuf) + 1;
    /* vsnprintf returns the length it wanted; clamp to what it stored. */
    n = vsnprintf(p, cnt, fmt_cpy, ap);
    if (n < 0)
        n = 0;
    else if (n >= cnt)
        n = cnt - 1;
    p += n;
    cnt = p - tbuf;
#else
    p += vsprintf(p, fmt_cpy, ap);
    cnt = p - tbuf;
    if (cnt > sizeof tbuf) {
        /* Panic condition. */
        panic = 1;
    }
    if (cnt > maxsend)
        cnt = maxsend;
#endif

    /* Output to stderr if requested. */
    if (LogStat & LOG_PERROR) {
        struct iovec iov[2];
        register struct iovec *v = iov;

        v->iov_base = stdp;
        v->iov_len = cnt - (stdp - tbuf);
        ++v;
        v->iov_base = "\n";
        v->iov_len = 1;
        (void)writev(STDERR_FILENO, iov, 2);
    }

    /* Output the message to the local logger. */
    for (;;) {
        if (send(LogFile, tbuf, cnt, 0) >= 0)
            goto done;
        if (errno != EMSGSIZE || maxsend <= 256)
            break;

        /* Message was too large -- back it off. */
        do {
            maxsend -= 128;
        } while (cnt < maxsend && maxsend > 256);
        cnt = maxsend;
    }

    /*
     * Output the message to the console; don't worry about blocking,
     * if console blocks everything will.  Make sure the error reported
     * is the one from the syslogd failure.
     */
    if (LogStat & LOG_CONS &&
        (fd = open(_PATH_CONSOLE, O_WRONLY, 0)) >= 0) {
        (void)strcat(tbuf, "\r\n");
        cnt += 2;
        p = strchr(tbuf, '>') + 1;
        (void)write(fd, p, cnt - (p - tbuf));
        (void)close(fd);
    }

done:
#if !USESNPRINTF
    /*
     * If we had a buffer overrun, log a panic and abort.
     * We can't return because our stack is probably toast.
     */
    if (panic) {
        syslog(LOG_EMERG, "SYSLOG BUFFER OVERRUN -- EXITING");
        abort();
    }
#endif
}

static struct sockaddr SyslogAddr;  /* AF_UNIX address of local logger */

void
openlog(ident, logstat, logfac)
    const char *ident;
    int logstat, logfac;
{
    if (ident != NULL)
        LogTag = ident;
    LogStat = logstat;
    if (logfac != 0 && (logfac &~ LOG_FACMASK) == 0)
        LogFacility = logfac;

    if (LogFile == -1) {
        SyslogAddr.sa_family = AF_UNIX;
        (void)strncpy(SyslogAddr.sa_data, _PATH_LOG,
            sizeof(SyslogAddr.sa_data));
        if (LogStat & LOG_NDELAY) {
            if ((LogFile = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1)
                return;
            (void)fcntl(LogFile, F_SETFD, 1);
        }
    }
    if (LogFile != -1 && !connected) {
        if (connect(LogFile, &SyslogAddr, sizeof(SyslogAddr)) == -1) {
            (void)close(LogFile);
            LogFile = -1;
        } else
            connected = 1;
    }
}

void
closelog()
{
    (void)close(LogFile);
    LogFile = -1;
    connected = 0;
}

/* setlogmask -- set the log mask level */
int
setlogmask(pmask)
    int pmask;
{
    int omask;

    omask = LogMask;
    if (pmask != 0)
        LogMask = pmask;
    return (omask);
}
------- End of Forwarded Message
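
Added example, not part of the original message and not the posted syslog.c: a minimal C99 sketch of the library-side workaround the advisory describes (bound checking while the log line is built), covering both the %m expansion and the final formatting step. The names expand_m, bounded_logmsg and FMT_MAX are hypothetical, and the oversize recipient string in main() is constructed input.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define FMT_MAX 256     /* assumed cap on the expanded format string */
/* Copy fmt to out, replacing %m with strerror(err). Never writes past
 * out[outsz - 1]; returns -1 instead of truncating if it does not fit. */
static int expand_m(char *out, size_t outsz, const char *fmt, int err)
{
    char *t = out, *end = out + outsz - 1;      /* end: reserved for NUL */
    while (*fmt != '\0') {
        const char *src = fmt;
        size_t n;
        if (fmt[0] == '%' && fmt[1] == 'm') {
            src = strerror(err);
            n = strlen(src);
            fmt += 2;
        } else {
            n = (fmt[0] == '%' && fmt[1] == '%') ? 2 : 1;  /* "%%m" stays literal */
            fmt += n;
        }
        if (n > (size_t)(end - t))
            return -1;
        memcpy(t, src, n);
        t += n;
    }
    *t = '\0';
    return 0;
}

/* Format into buf[bufsz]. Returns the bytes actually stored (without the
 * NUL): vsnprintf reports the length it wanted, so the result is clamped. */
size_t bounded_logmsg(char *buf, size_t bufsz, int err, const char *fmt, ...)
{
    char fmt_cpy[FMT_MAX];
    va_list ap;
    int n;
    if (bufsz == 0) return 0;
    if (expand_m(fmt_cpy, sizeof fmt_cpy, fmt, err) != 0) {
        /* never pass vsnprintf a format cut off in mid-conversion */
        n = snprintf(buf, bufsz, "%s", "(log format too long)");
    } else {
        va_start(ap, fmt);
        n = vsnprintf(buf, bufsz, fmt_cpy, ap);
        va_end(ap);
    }
    if (n < 0) { buf[0] = '\0'; return 0; }
    return (size_t)n >= bufsz ? bufsz - 1 : (size_t)n;
}

int main(void)
{
    char line[64], rcpt[4096];          /* constructed oversize argument */
    memset(rcpt, 'A', sizeof rcpt - 1);
    rcpt[sizeof rcpt - 1] = '\0';
    bounded_logmsg(line, sizeof line, ENOENT, "to=%s: %m", rcpt);
    return puts(line) == EOF;
}
```

The returned length, not the would-be length, is what a caller may pass to send(2) or use to advance a pointer into the buffer.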