Bug 1369462 - rsyslogd/syslog terminal escape sequences injection
Summary: rsyslogd/syslog terminal escape sequences injection
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rsyslog
Version: 7.4
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: Jiří Vymazal
QA Contact: Stefan Dordevic
URL:
Whiteboard:
Depends On: rsyslog-rhel74-rebase
Blocks:
Reported: 2016-08-23 13:23 UTC by Federico Manuel Bento
Modified: 2017-05-11 13:49 UTC (History)

Fixed In Version: rsyslog-8.24.0-6.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-26 15:09:35 UTC
Target Upstream Version:


Links
Github rsyslog/rsyslog issue 1138 (closed): terminal escape sequences injection (last updated 2020-12-12 10:34:18 UTC)

Description Federico Manuel Bento 2016-08-23 13:23:25 UTC
Hi,

It seems to me that it is possible to inject terminal escape sequences into log files via syslog(3)

# tail -f /var/log/messages

Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [\_GPE._L10] (Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI Exception: AE_NOT_FOUND, while evaluating GPE method [_L10] (20141107/evgpe-581)

$ logger `printf 'HELLO\n\033[2AAAAAAAAAAAAAA\033[2B'`

# tail -f /var/log/messages

Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [\_GPE._L10] (Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI AAAAAAAAAAAAA_NOT_FOUND, while evaluating GPE method [_L10] (20141107/evgpe-581)
Aug 23 13:50:39 ghetto saken: HELLO


On the (*) line, the escape sequence changed its contents, meaning that an unprivileged user can take advantage of this to hide their presence on the system, for example.


While researching this, I found that rsyslogd has "$EscapeControlCharactersOnReceive", which claims that it is on by default and that "The intent is to provide a way to stop non-printable messages from entering the syslog system as whole."

On my system, this does not seem to be true, and I actually went ahead and added "$EscapeControlCharactersOnReceive on" to the /etc/rsyslog.conf file, restarted rsyslog, and the problem still persists.

I am using rsyslogd 7.4.8.

Thanks,
Federico Bento.
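As an added example (not part of this bug report and not rsyslog's own code), the following Python shows both sides of what the reporter describes: a receive-side filter that rewrites ASCII control characters to `#ooo` octal escapes, approximating what `$EscapeControlCharactersOnReceive` is documented to do (the `#` prefix and the exact set of characters treated as control characters are assumptions), and a scanner that flags already-written log lines carrying ANSI CSI or other ESC-introduced sequences. The message and log lines are constructed to resemble the reporter's `logger` payload, with the filler after the cursor-up sequence counted explicitly.

```python
import re

# Constructed sample resembling the reporter's payload: a newline, cursor-up-2
# (ESC [ 2 A), 13 bytes of filler that overwrite an earlier line, then
# cursor-down-2 (ESC [ 2 B) to put the cursor back.
INJECTED_MESSAGE = "HELLO\n\x1b[2A" + "A" * 13 + "\x1b[2B"

# Assumption: rsyslog's default $ControlCharacterEscapePrefix is '#'.
ESCAPE_PREFIX = "#"


def escape_control_chars(msg, prefix=ESCAPE_PREFIX):
    """Replace each control character (0x00-0x1F and 0x7F, as C's iscntrl()
    classifies them) with prefix + 3-digit octal, e.g. ESC -> '#033'.
    Printable characters, including non-ASCII text, pass through unchanged,
    so a terminal viewing the stored line can no longer interpret the bytes."""
    out = []
    for ch in msg:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            out.append(f"{prefix}{code:03o}")
        else:
            out.append(ch)
    return "".join(out)


# CSI sequences (ESC [ params intermediates final), any other ESC Fe sequence
# (ESC followed by 0x40-0x5F), and the 8-bit C1 CSI byte 0x9B.
ESCAPE_SEQ_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b[@-_]|\x9b")


def find_escape_sequences(line):
    """Return every terminal escape sequence found in one stored log line."""
    return [m.group(0) for m in ESCAPE_SEQ_RE.finditer(line)]


# Constructed log lines: one clean kernel line and one where a daemon wrote
# the injected message through unescaped (the situation the reporter saw).
SAMPLE_LOG = [
    "Aug 23 13:50:33 ghetto kernel: ACPI Exception: AE_NOT_FOUND, "
    "while evaluating GPE method [_L10]",
    "Aug 23 13:50:39 ghetto saken: " + INJECTED_MESSAGE,
]


def audit_log(lines):
    """Return (line_number, sequences) for each line carrying escape sequences,
    the check to run over an existing file before viewing it with tail/cat."""
    findings = []
    for number, line in enumerate(lines, 1):
        seqs = find_escape_sequences(line)
        if seqs:
            findings.append((number, seqs))
    return findings


if __name__ == "__main__":
    print("escaped on receive:", escape_control_chars(INJECTED_MESSAGE))
    for number, seqs in audit_log(SAMPLE_LOG):
        print(f"line {number}: {[s.encode('ascii') for s in seqs]}")
```

The escaping path is the one the rsyslog option is meant to provide: once the ESC byte is stored as `#033`, the sequence is inert in any viewer. The audit path is for logs that were already written without it; note that `tail -f` and `cat` hand control bytes straight to the terminal, whereas `less` or `cat -v` render them visibly, which is a quick manual way to confirm a finding.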

Comment 3 Jiří Vymazal 2017-01-02 13:21:58 UTC
Linked the blocking issue; this is fixed in upstream version 8. Linked the upstream issue as well.

Comment 10 Stefan Dordevic 2017-03-08 16:36:26 UTC
Federico, 

Can you provide the exact package version you were using when you found this issue?
Or at least whether it was Fedora or RHEL.

Thank you.

Comment 11 Federico Manuel Bento 2017-03-10 13:36:43 UTC
Hi,

I was running Fedora 20 at the time.

Comment 13 Stefan Dordevic 2017-04-18 09:07:11 UTC
Jiri,

My finding was that rsyslog was behaving as expected in RHEL.
It seems to me that this "$EscapeControlCharactersOnReceive" option is doing exactly what it was meant to.
And as commented, I could not reproduce the "misbehaviour" described in this issue in RHEL at all. In other words, the switch seems to be working as expected.
That's why I asked the reporter to confirm whether this was discovered on RHEL or Fedora.

Anyway, comments like "this is fixed in v8/rebase" really don't help when it comes to reproducing the issue.
Prove me wrong, but for me this issue should be addressed to Fedora in the first place.

Comment 15 Stefan Dordevic 2017-04-26 15:09:35 UTC
As described in my previous comments, this issue seems not to be present in RHEL-7.x.
Closing it as "NOTABUG".

Comment 16 Karel Srot 2017-05-03 18:36:25 UTC
I am making relevant comments public so the reporter can read why the bug was closed.
