Bug 18779 - Denial of service attack in logrotate/samba interaction
Summary: Denial of service attack in logrotate/samba interaction
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: logrotate
Version: 6.2
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Erik Troan
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-10-10 07:47 UTC by Need Real Name
Modified: 2007-04-18 16:29 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2000-10-24 17:12:55 UTC
Embargoed:


Attachments (Terms of Use)

Description Need Real Name 2000-10-10 07:47:17 UTC
I have noticed the following scenario that can be used in a Denial Of Service attack if you have both logrotate (logrotate-3.3.2-1.i386.rpm) and 
samba 2.0.7-4 installed in a RedHat 6.2 server.

If you connect (or try to connect) to this samba server, the following file gets created:

/var/log/samba/log.name_of_machine

If the name of the machine has blanks in it: "best in th west", for example, you get a file like this:

/var/log/samba/log.best in th west

When logrotate gets executed, it find a line like this 

/var/log/samba/log.best in th west 2000-9-28

in 

/var/lib/logrotate.status

So when executed it says

error: bad line 195 in state file /var/lib/logrotate.status

And doesn't work. So you log files, grow, grow, grow.....

You eventually get flooded. Perhaps people are running servers with more hd space than mine, but this has happened to me (I really don't know 
if it has been an attack or simply a creative user, as I don't have find the user here)


	Regards

	Eduardo

Comment 1 tom 2000-10-24 17:12:52 UTC
I have run into the same problem on one of my servers (in my case, the log was 
"log.virtual pc".  Additionally, logrotate has not rotated log.inspiron7500 (I assume due 
to the name ending in a digit).

It appears that a user could use a hostname like "fred.0" to create a log file that will 
never get rotated out and could continue to grow in size unchecked.

One final problem, related more to samba than logrotate, is that machine logs with a 
machine name of 'smb' or 'nmb' will pollute the standard log.smb and log.nmb logfiles.

Comment 2 Preston Brown 2001-06-21 19:32:53 UTC
Both of these bugs are fixed with newer versions of logrotate.  Logrotate as shipped 
with Red Hat Linux (3.5.4) does not have problems with logfiles with spaces in the 
names, nor logs ending with numbers.



Note You need to log in before you can comment on or make changes to this bug.