Hi,

If anyone comes up with diffs to SunOS syslog() source for those who have
source access, or a replacement syslog.c routine to build into libc, please
post.

-Mark

Forwarded message:
> From <@punt.demon.co.uk,@bagpuss.demon.co.uk:owner-8lgm-advisories@8lgm.org> Mon Aug 28 23:24:24 1995
> From: "[8LGM] Security Team" <8lgm@8lgm.org>
> Message-Id: <199508290133.CAA15517@8lgm.org>
> Subject: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
> To: 8lgm-advisories@8lgm.org, bugtraq@crimelab.com, firewalls@greatcircle.com
> Date: Tue, 29 Aug 1995 02:33:37 +0100 (BST)
> X-Mailer: ELM [version 2.4 PL23]
> Content-Type: text
> Content-Length: 4460
>
> =============================================================================
> Virtual Domain Hosting Services provided by The FOURnet Information Network
> mail webserv@FOUR.net or see http://www.four.net
> =============================================================================
> [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
>
> VULNERABLE PROGRAMS:
>
> All programs calling syslog(3) with user supplied data, without
> checking argument lengths.
>
> KNOWN VULNERABLE PLATFORMS:
>
> SunOS 4.1.*
>
> KNOWN SECURE PLATFORMS:
>
> None at present.
>
> DESCRIPTION:
>
> syslog(3) uses an internal buffer to build messages. However,
> it performs no bound checking, and relies on the caller to
> check arguments passed to it.
>
> IMPACT:
>
> Local and remote users can obtain root access.
>
> REPEAT BY:
>
> We have written an example exploit to overwrite syslog(3)'s
> internal buffer using SunOS sendmail(8). However, due to the
> severity of this problem, this code will not be made available
> to anyone at this time. Please note that the exploit was fairly
> straightforward to put together, therefore expect exploits to be
> widely available soon after the release of this advisory.
>
> Here is an edited sample of using a modified telnet client to
> obtain a root shell through SunOS sendmail(8) on a sparc
> based machine.
>
> legless[8lgm]% syslog_telnet localhost smtp
> Trying 127.0.0.1 ...
> Connected to localhost.
> Escape character is '^]'.
> 220 legless.8lgm.org Sendmail 4.1/SMI-4.1 ready at Sun,\
> 27 Aug 95 15:56:27 BST
> mail from: root
> 250 root... Sender ok
> rcpt to: root
> 250 root... Recipient ok
> data
> 354 Enter mail, end with "." on a line by itself
> ^]
> syslog_telnet>
>
> ### At this point, we provide some information to the modified
> ### telnet client about the remote host. Then sparc instructions
> ### are sent over the link within the body of the message to
> ### execute a shell.
> ###
> ### As soon as data is finished (with .), sendmail will eventually
> ### report, through syslog(3), data about this message. syslog's
> ### internal buffer will be overwritten, and our supplied
> ### instructions are executed.
>
> Hit <cr>, then .<cr>
>
> .
> /usr/bin/id;
> uid=0(root) gid=0(wheel) groups=0(wheel)
> /bin/sh: ^M: not found
> uptime;
> 3:57pm up 1:25, 5 users, load average: 0.11, 0.05, 0.00
> /bin/sh: ^M: not found
> exit;
> Connection closed by foreign host.
>
> ### Here we can see that sendmail has execed a shell as root,
> ### and that we can type commands. (Lines ending in ; are
> ### user input through the telnet client.)
> ###
> ### This exploit could be further expanded upon to encapsulate
> ### instructions within the body of a message, which can then
> ### be mailed out to a site (i.e. without the necessity to connect
> ### directly to the smtp port). This may be used to bypass
> ### firewalls.
>
> WORKAROUNDS:
>
> We have two methods to ensure that syslog(3) can not be used in
> the above manner.
>
> Fix syslog(3) to perform bound checking. Shared libraries
> can then be fixed to use the new function. Statically linked
> programs will require rebuilding.
>
> Alternatively, ensure all calls to syslog(3), by all programs,
> check all arguments passed to syslog(3).
>
> Ideally both of the above should be implemented.
>
> FIX:
>
> Contact vendors for fixes.
>
> STATUS UPDATE:
>
> The file:
>
> [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995.README
>
> will be created on www.8lgm.org. This will contain updates on
> any further versions which are found to be vulnerable, and any
> other information received pertaining to this advisory.
>
> -----------------------------------------------------------------------
>
> FEEDBACK AND CONTACT INFORMATION:
>
> majordomo@8lgm.org (Mailing list requests - try 'help'
> for details)
>
> 8lgm@8lgm.org (Everything else)
>
> 8LGM FILESERVER:
>
> All [8LGM] advisories may be obtained via the [8LGM] fileserver.
> For details, 'echo help | mail 8lgm-fileserver@8lgm.org'
>
> 8LGM WWW SERVER:
>
> [8LGM]'s web server can be reached at http://www.8lgm.org.
> This contains details of all 8LGM advisories and other useful
> information.
> ===========================================================================
> --
> -----------------------------------------------------------------------
> $ echo help | mail 8lgm-fileserver@8lgm.org (Fileserver help)
> majordomo@8lgm.org (Request to be added to list)
> 8lgm@8lgm.org (General enquiries)
> ******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********
>
--
Mark G. Thomas (Mark@Misty.com)
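The defect class the advisory describes (a syslog-style formatter that builds its message in a fixed-size buffer with no bound check) and both of its workarounds, shown side by side in an added example. This is not code from the advisory, from Mark's message or from SunOS libc; the function and macro names (log_format_unbounded, log_format_bounded, log_user_field, LOG_BUF, USER_FIELD_MAX) and the 299-byte run of 'A' standing in for an attacker-controlled sender address are invented for the example.

```c
/*
 * Added example, not code from the 8LGM advisory or from SunOS libc.
 * Shows the defect class described there (vsprintf into a fixed buffer)
 * beside the two workarounds the advisory lists: a bounded formatter
 * inside the library, and caller-side length checking of user data.
 * All names here are invented for the example.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 64          /* small on purpose so the truncation path is easy to hit */
#define USER_FIELD_MAX 24   /* longest user-supplied field the caller is willing to log */

/* Defect class: the result length depends only on the caller's arguments,
 * so a %s of attacker data longer than the buffer writes past its end.
 * Kept for contrast; the checks below only ever call it with short input. */
void log_format_unbounded(char *buf /* LOG_BUF bytes */, const char *tag, const char *fmt, ...)
{
    va_list ap;
    int n = sprintf(buf, "%s: ", tag);
    va_start(ap, fmt);
    vsprintf(buf + n, fmt, ap);   /* no bound: overflows once tag + message >= LOG_BUF */
    va_end(ap);
}

/* Workaround 1: bounded formatting inside the library.  Output is always
 * NUL-terminated and never exceeds bufsz bytes.  Returns the length the
 * complete message would have had (excluding the NUL); a value >= bufsz
 * tells the caller the message was truncated.  Returns -1 on error. */
int log_format_bounded(char *buf, size_t bufsz, const char *tag, const char *fmt, ...)
{
    va_list ap;
    int n, m;

    if (bufsz == 0)
        return -1;
    n = snprintf(buf, bufsz, "%s: ", tag);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)n >= bufsz) {             /* the tag alone filled the buffer */
        va_start(ap, fmt);
        m = vsnprintf(NULL, 0, fmt, ap);  /* C99: measure without writing */
        va_end(ap);
        return m < 0 ? -1 : n + m;
    }
    va_start(ap, fmt);
    m = vsnprintf(buf + n, bufsz - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0) {
        buf[n] = '\0';
        return -1;
    }
    return n + m;
}

/* Workaround 2: the caller bounds user data before it reaches the formatter.
 * The field is clipped to USER_FIELD_MAX bytes through a %.*s precision and
 * is passed as an argument, never as the format string.  Returns 1 if the
 * field was clipped, 0 otherwise. */
int log_user_field(char *buf, size_t bufsz, const char *user_data)
{
    size_t len = 0;
    while (len <= USER_FIELD_MAX && user_data[len] != '\0')
        len++;
    int clipped = len > USER_FIELD_MAX;
    if (clipped)
        len = USER_FIELD_MAX;
    log_format_bounded(buf, bufsz, "sendmail", "from=%.*s%s",
                       (int)len, user_data, clipped ? "..." : "");
    return clipped;
}

/* Constructed over-long sender address: 299 bytes of 'A'. */
static void make_big(char *big, size_t sz)
{
    memset(big, 'A', sz - 1);
    big[sz - 1] = '\0';
}

/* Returns 1 when the library-side fix behaves as claimed on over-long input. */
int check_bounded_truncates(void)
{
    char big[300], buf[LOG_BUF];
    make_big(big, sizeof big);
    int need = log_format_bounded(buf, sizeof buf, "sendmail", "from=%s", big);
    return need == 10 + 5 + 299                 /* "sendmail: " + "from=" + 299 A's */
        && need >= (int)sizeof buf              /* caller can see it was truncated */
        && strlen(buf) == sizeof buf - 1        /* filled to capacity, still NUL-terminated */
        && strncmp(buf, "sendmail: from=AAAA", 19) == 0;
}

/* Returns 1 when the caller-side fix clips long input and passes short input through. */
int check_caller_clips(void)
{
    char big[300], buf[LOG_BUF];
    make_big(big, sizeof big);
    int ok = log_user_field(buf, sizeof buf, big) == 1
          && strcmp(buf, "sendmail: from=AAAAAAAAAAAAAAAAAAAAAAAA...") == 0;
    int clipped = log_user_field(buf, sizeof buf, "root");
    return ok && clipped == 0 && strcmp(buf, "sendmail: from=root") == 0;
}

int main(void)
{
    char buf[LOG_BUF];
    log_format_unbounded(buf, "sendmail", "from=%s", "root");  /* harmless for short input */
    printf("%s\n", buf);
    printf("bounded formatter: %s\n", check_bounded_truncates() ? "ok" : "FAIL");
    printf("caller-side clip:  %s\n", check_caller_clips() ? "ok" : "FAIL");
    return 0;
}
```

The return value of log_format_bounded matters as much as the bound itself: a library that silently truncates hides from the caller that user data was oversized, whereas returning the full length lets the caller log the truncation (or reject the input) rather than discover it later. The two workarounds are independent, which is why the advisory recommends both: the caller-side clip protects against a libc that is never rebuilt, and the bounded formatter protects against callers that are never audited.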