Bug 1369462

Summary: rsyslogd/syslog terminal escape sequences injection
Product: Red Hat Enterprise Linux 7 Reporter: Federico Manuel Bento <up201407890>
Component: rsyslogAssignee: Jiří Vymazal <jvymazal>
Status: CLOSED NOTABUG QA Contact: Stefan Dordevic <sdordevi>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.4CC: dapospis, jvymazal, mgrepl, mhaicman, pvrabec, rsroka, sdordevi, up201407890
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: rsyslog-8.24.0-6.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-26 15:09:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1313490    
Bug Blocks:    

Description Federico Manuel Bento 2016-08-23 13:23:25 UTC 
Hi,

It seems to me that it is possible to inject terminal escape sequences into log files via syslog(3)

# tail -f /var/log/messages

Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [\_GPE._L10] (Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI Exception: AE_NOT_FOUND, while evaluating GPE method [_L10] (20141107/evgpe-581)

$ logger `printf 'HELLO\n\033[2AAAAAAAAAAAAAA\033[2B'`

# tail -f /var/log/messages

Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [\_GPE._L10] (Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI AAAAAAAAAAAAA_NOT_FOUND, while evaluating GPE method [_L10] (20141107/evgpe-581)
Aug 23 13:50:39 ghetto saken: HELLO


On the (*) line, the escape sequence changed its contents, meaning that an unprivileged user can take advantage of this to hide their presence on the system, for example.


While researching this, I found that rsyslogd has "$EscapeControlCharactersOnReceive" which claims that is on by default and that "The intent is to provide a way to stop non-printable messages from entering the syslog system as whole."

On my system, this does not seem to be true, and actually went ahead and added "$EscapeControlCharactersOnReceive on" to the /etc/rsyslog.conf file, restarted rsyslog and the problem still persists.

I am using rsyslogd 7.4.8

Thanks,
Federico Bento.
Comment 3 Jiří Vymazal 2017-01-02 13:21:58 UTC 
linked blocking issue, this is fixed in upstream version 8, linked upstream issue as well
Comment 10 Stefan Dordevic 2017-03-08 16:36:26 UTC 
Federico, 

Can you provide exact package version you have been using when you find this issue ?
Or at least if it was Fedora or RHEL.

Thank you.
Comment 11 Federico Manuel Bento 2017-03-10 13:36:43 UTC 
Hi,

I was running Fedora 20 at the time.
Comment 13 Stefan Dordevic 2017-04-18 09:07:11 UTC 
Jiri,

My finding was that rsyslog was behaving as expected in RHEL. 
Seems to me that this "$EscapeControlCharactersOnReceive" option is doing exactly what was meant to.
And as commented, I could not reproduce this "misbehave" described in this issue in RHEL at all. In other words switch seems to be working as expected.
That's why I ask reporter to confirm was this discovered on RHEL or Fedora.

Anyway, comments like "this is fixed in v8/rebase" really don't help when it comes to reproduce the issue.
Prove me wrong, but for me this issue should be addressed to Fedora in the first place.
Comment 15 Stefan Dordevic 2017-04-26 15:09:35 UTC 
As described in my previous comments, this issue seems not to be present in RHEL-7.x
Closing it as "NOTABUG"
Comment 16 Karel Srot 2017-05-03 18:36:25 UTC 
I am making relevant comments public so the reporter can read why the bug was closed.