Bug 191 - Syslogd Vulnerable
Summary: Syslogd Vulnerable
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: sysklogd
Version: 5.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Preston Brown
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 1998-11-25 01:59 UTC by jay
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 1998-11-25 15:01:24 UTC
Embargoed:



Description jay 1998-11-25 01:59:22 UTC
As near as I can tell, syslog 1.3-3 as included in Redhat 5.0 has a vulnerability.
Today, Nov 24 at 13:52 I did a 'tail -f' of /var/log/messages and received several lines up to and including the following.

Nov 22 21:39:52 texnet identd[29833]: Successful lookup: 29493 , 25 :root.root
Nov 22 21:40:06 texnet identd[29834]: from: 209.82.95.249 ( dingo1 ) for:29554, 25
Nov 22 21:40:06 texnet identd[29834]: Successful lookup: 29554 , 25 :root.root

It seemed very suspicious that the last message was two days old.

Then I did a killall -HUP syslogd and the following content appeared:


Nov 22 21:49:39 texnet syslogd: Cannot glue message parts together
Nov 22 21:49:39 texnet ^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-
Nov 22 21:50:18 texnet named[1590]: secondary zone "ke.com.au" expired
Nov 22 21:50:46 texnet named[1590]: Err/TO getting serial# for "ke.com.au"
Nov 22 21:51:42 texnet identd[29870]: Successful lookup: 29746 , 21 : root.root
Nov 24 13:40:43 texnet syslogd 1.3-3: restart.
Nov 24 13:44:05 texnet named[1590]: Err/TO getting serial# for "ke.com.au"
Nov 24 13:52:08 texnet identd[12154]: from: 209.68.1.103 ( anga.pair.com ) for: 4156, 25
Nov 24 13:52:08 texnet identd[12154]: Successful lookup: 4156 , 25 : root.root
Nov 24 14:07:02 texnet identd[12222]: from: 206.152.242.100 ( www.spectreint.com ) for: 4166, 25

At the same time my system has been compromised. It would appear that the bogus message sent to syslog caused it to puke, but stay resident (in sleep state), so my usual checks appeared to be successful, with no anomalies. The cracker then had two days of unlogged access to do other tasks. I believe he used the NFS hole to get in.

With the kill of syslogd he could then sign in and not have the connection source logged. I've turned off password to ssh and turned off all but pop3 and ftp access, but I think I need some help and pointers on securing this system.

Comment 1 Aleksey Nogin 1998-11-25 07:03:59 UTC
You should consider subscribing to redhat-watch-list or
redhat-announce-list.
There was a security update of sysklogd RPM about a week ago...

Comment 2 Preston Brown 1998-11-25 15:01:59 UTC
Fixed by an errata release. Please check out updates.redhat.com before posting bugs.

