Bug 1369462 - rsyslogd/syslog terminal escape sequences injection
Summary: rsyslogd/syslog terminal escape sequences injection
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rsyslog
Version: 7.4
Hardware: All
OS: All
unspecified
medium
Target Milestone: rc
Assignee: Jiří Vymazal
QA Contact: Stefan Dordevic
URL:
Whiteboard:
Depends On: rsyslog-rhel74-rebase
Blocks:
Reported: 2016-08-23 13:23 UTC by Federico Manuel Bento
Modified: 2017-05-11 13:49 UTC (History)

Fixed In Version: rsyslog-8.24.0-6.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-26 15:09:35 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github rsyslog rsyslog issues 1138 0 None closed terminal escape sequences injection 2020-12-12 10:34:18 UTC

Description Federico Manuel Bento 2016-08-23 13:23:25 UTC
Hi,

It seems to me that it is possible to inject terminal escape sequences into log files via syslog(3)

# tail -f /var/log/messages

Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [\_GPE._L10] (Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI Exception: AE_NOT_FOUND, while evaluating GPE method [_L10] (20141107/evgpe-581)

$ logger `printf 'HELLO\n\033[2AAAAAAAAAAAAAA\033[2B'`

# tail -f /var/log/messages

Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [\_GPE._L10] (Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI AAAAAAAAAAAAA_NOT_FOUND, while evaluating GPE method [_L10] (20141107/evgpe-581)
Aug 23 13:50:39 ghetto saken: HELLO


On the (*) line, the escape sequence changed its contents, meaning that an unprivileged user can take advantage of this to hide their presence on the system, for example.


While researching this, I found that rsyslogd has "$EscapeControlCharactersOnReceive", which claims that it is on by default and that "The intent is to provide a way to stop non-printable messages from entering the syslog system as whole."

On my system, this does not seem to be true, and I actually went ahead and added "$EscapeControlCharactersOnReceive on" to the /etc/rsyslog.conf file and restarted rsyslog, and the problem still persists.

I am using rsyslogd 7.4.8

Thanks,
Federico Bento.
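
A viewer-side check for the behaviour described in the report above, as an added example that is not part of the original bug report or of rsyslog: it scans raw log bytes for control characters and renders them in a `#` plus three-digit octal form so they are inert when displayed. The sample log bytes are constructed, and the names `scan_log` and `escape_controls` are hypothetical.

```python
import re

# C0 control bytes (LF excluded, it terminates a record) plus DEL.
# ESC (0x1b) is the byte that starts the cursor-movement sequences in the report.
CONTROL = re.compile(rb"[\x00-\x09\x0b-\x1f\x7f]")


def escape_controls(raw: bytes, prefix: bytes = b"#") -> bytes:
    """Replace every control byte with prefix + 3-digit octal (ESC -> #033)."""
    return CONTROL.sub(lambda m: prefix + b"%03o" % m.group()[0], raw)


def scan_log(data: bytes):
    """Return (line number, [(offset, byte value)], safe text) for each
    record that contains raw control bytes."""
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        hits = [(m.start(), m.group()[0]) for m in CONTROL.finditer(line)]
        if hits:
            safe = escape_controls(line).decode("utf-8", "replace")
            findings.append((lineno, hits, safe))
    return findings


# Constructed sample: one clean record and one carrying the cursor-up /
# cursor-down sequences from the report (hostname and tag are made up).
SAMPLE = (
    b"Aug 23 13:50:33 host kernel: ACPI Exception: AE_NOT_FOUND\n"
    b"Aug 23 13:50:39 host user: HELLO \x1b[2AAAAAAAAAAAAAA\x1b[2B\n"
)

if __name__ == "__main__":
    for lineno, hits, safe in scan_log(SAMPLE):
        codes = ", ".join("0x%02x@%d" % (b, off) for off, b in hits)
        print("line %d: control bytes %s" % (lineno, codes))
        print("  " + safe)
```

Running the same scan over the file on disk (opened in binary mode) shows whether escaping happened at receive time, independent of what a terminal renders.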

Comment 3 Jiří Vymazal 2017-01-02 13:21:58 UTC
Linked the blocking issue; this is fixed in upstream version 8. Linked the upstream issue as well.

Comment 10 Stefan Dordevic 2017-03-08 16:36:26 UTC
Federico, 

Can you provide the exact package version you were using when you found this issue?
Or at least whether it was Fedora or RHEL.

Thank you.

Comment 11 Federico Manuel Bento 2017-03-10 13:36:43 UTC
Hi,

I was running Fedora 20 at the time.

Comment 13 Stefan Dordevic 2017-04-18 09:07:11 UTC
Jiri,

My finding was that rsyslog was behaving as expected in RHEL.
It seems to me that this "$EscapeControlCharactersOnReceive" option is doing exactly what it was meant to.
And as commented, I could not reproduce this "misbehave" described in this issue in RHEL at all. In other words, the switch seems to be working as expected.
That's why I asked the reporter to confirm whether this was discovered on RHEL or Fedora.

Anyway, comments like "this is fixed in v8/rebase" really don't help when it comes to reproducing the issue.
Prove me wrong, but for me this issue should be addressed to Fedora in the first place.

Comment 15 Stefan Dordevic 2017-04-26 15:09:35 UTC
As described in my previous comments, this issue does not seem to be present in RHEL-7.x.
Closing it as "NOTABUG".

Comment 16 Karel Srot 2017-05-03 18:36:25 UTC
I am making relevant comments public so the reporter can read why the bug was closed.

