Bug 137502 - CAN-2005-1061 logwatch log processing regular expression DoS
Summary: CAN-2005-1061 logwatch log processing regular expression DoS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: logwatch
Version: 2.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jiri Ryska
QA Contact:
URL:
Whiteboard: reported=20030418,public=20041028,imp...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-10-28 21:37 UTC by Josh Bressers
Modified: 2007-11-30 22:06 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-04-19 18:33:30 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:364 0 normal SHIPPED_LIVE Moderate: logwatch security update 2005-04-19 04:00:00 UTC

Internal Links: 157116

Description Josh Bressers 2004-10-28 21:37:13 UTC
This was reported to security on 2003-04-18

/etc/log.d/scripts/services/secure contains this code (around line 88):

  while (defined($ThisLine = <STDIN>)) {
     chomp($ThisLine);
     $ThisLine =~ s/^... .. ..:..:.. [^ ]+ //;
     my $temp = $ThisLine;
X    $temp =~ s/^([^[]+).*/$1/;
     #print "Ignore: $Ignore [temp: $temp]\n";
Y    if ($Ignore =~ /$temp/i) {
        next;
     }

The key is in the lines X and Y.  It copies some text from the
logfile; anything in the log line *after* the date stamp and *before*
a "[" char.


It's still possible to use something like this:

  logger -p authpriv.notice '+++ connection closed by localhost +++'

That looks relatively "normal", but will result in the "secure" parser
script crashing, outputting something like this:

  Nested quantifiers in regex; marked by <-- HERE in m/++ <-- HERE  +
connection +closed by localhost +++/ at 
etc/log.d/scripts/services/secure line 88, <STDIN>
+line 1.

And any further syslog entries in the file are ignored, which could be
handy for an attacker to "hide" their attacks from the admin.  
However, nowhere near as scary as a remote- or local-root exploit. ;)

Fix:

- change

     if ($Ignore =~ /$temp/i) {

  to

     if ($Ignore =~ /\Q$temp\E/i) {

  in /etc/log.d/scripts/services/secure.   This will stop any regexp
  metachars in the syslog data from being used by Perl.

- This script, and other perl scripts in the logwatch pkg, should run
with -T for perl's taint mode, as it is handling untrusted data (the
syslog).  That would have indicated the presence of this bug.

Comment 1 Josh Bressers 2004-11-26 16:13:24 UTC
ping on this issue

Comment 5 Jay Turner 2005-04-09 10:45:54 UTC
Fix confirmed in logwatch-2.6-2.EL2.

Comment 6 Josh Bressers 2005-04-19 18:33:30 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-364.html



Note You need to log in before you can comment on or make changes to this bug.