Bug 191 - Syslogd Vulnerable
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: sysklogd
Version: 5.0
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Preston Brown
: Security
Reported: 1998-11-24 20:59 EST by jay
Modified: 2008-05-01 11:37 EDT (History)

Doc Type: Bug Fix
Last Closed: 1998-11-25 10:01:24 EST

Description jay 1998-11-24 20:59:22 EST
As near as I can tell, syslog 1.3-3 as included in Red Hat 5.0 has a vulnerability. Today, Nov 24 at 13:52 I did a 'tail -f' of /var/log/messages and received several lines up to and including the following.

Nov 22 21:39:52 texnet identd[29833]: Successful lookup: 29493 , 25 :root.root
Nov 22 21:40:06 texnet identd[29834]: from: 209.82.95.249 ( dingo1 ) for:29554, 25
Nov 22 21:40:06 texnet identd[29834]: Successful lookup: 29554 , 25 :root.root

It seemed very suspicious that the last message was two days old.

Then I did a killall -HUP syslogd and the following content appeared:


Nov 22 21:49:39 texnet syslogd: Cannot glue message parts together
Nov 22 21:49:39 texnet
^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-
Nov 22 21:50:18 texnet named[1590]: secondary zone "ke.com.au" expired
Nov 22 21:50:46 texnet named[1590]: Err/TO getting serial# for "ke.com.au"
Nov 22 21:51:42 texnet identd[29870]: Successful lookup: 29746 , 21 : root.root
Nov 24 13:40:43 texnet syslogd 1.3-3: restart.
Nov 24 13:44:05 texnet named[1590]: Err/TO getting serial# for "ke.com.au"
Nov 24 13:52:08 texnet identd[12154]: from: 209.68.1.103 ( anga.pair.com ) for: 4156, 25
Nov 24 13:52:08 texnet identd[12154]: Successful lookup: 4156 , 25 : root.root
Nov 24 14:07:02 texnet identd[12222]: from: 206.152.242.100 ( www.spectreint.com ) for: 4166, 25

At the same time my system has been compromised. It would appear that the bogus message sent to syslog caused it to puke, but stay resident (in sleep state), so my usual checks appeared to be successful, with no anomalies. The cracker then had two days of unlogged access to do other tasks. I believe he used the NFS hole to get in.

With syslogd killed, he could then sign in and not have the connection source logged. I've turned off password to ssh and turned off all but pop3 and ftp access, but I think I need some help and pointers on securing this system.
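The failure mode described above is a syslogd that is still resident (so a process check passes) but has stopped writing, leaving the log two days stale. The following check, added here as an example and not code from the bug report, catches that state two ways: it measures the age of the newest log line and it sends a tagged probe through logger(1) and looks for it in the file. It assumes a POSIX shell with awk, tail and logger, and the classic year-free "Mon DD HH:MM:SS" log format, so the age is only meaningful within one calendar year.

```shell
#!/bin/sh
# Added example (not the bug report's own code): catch a syslogd that is
# still resident but no longer writing. A plain ps/pidof check passes in
# that state; a stale log and a lost probe message do not.
# Usage: sh syslog-check.sh /var/log/messages [max_age_seconds]
# Seconds since the start of the (unstated) year for "Mon DD HH:MM:SS".
# Leap days are ignored: an age comparison within one year does not need them.
syslog_secs() {
  printf '%s\n' "$1" | awk '{
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    split("0 31 59 90 120 151 181 212 243 273 304 334", d, " ")
    for (i = 1; i <= 12; i++) if (m[i] == $1) doy = d[i] + $2 - 1
    split($3, t, ":")
    print doy * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
  }'
}

# Print the age in seconds of the newest line in log $1 relative to $2,
# a timestamp in the same form (pass "$(date '+%b %e %T')" for now).
# Exit status is 1 when the age exceeds $3 seconds.
last_entry_age() {
  last=$(tail -n 1 "$1" | cut -c1-15)
  age=$(( $(syslog_secs "$2") - $(syslog_secs "$last") ))
  printf '%s\n' "$age"
  [ "$age" -le "$3" ]
}

# Liveness probe: send a uniquely tagged message through syslog and confirm
# it reaches the file. A wedged syslogd that still shows up in ps fails here.
syslog_probe() {
  marker="syslog-probe-$$-$(date +%s)"
  logger -p daemon.notice -t syslog-probe "$marker"
  sleep 2
  grep -q -- "$marker" "$1"
}

main() {
  log=$1
  max=${2:-900}
  if ! age=$(last_entry_age "$log" "$(date '+%b %e %T')" "$max"); then
    echo "WARNING: newest entry in $log is ${age}s old (limit ${max}s)"
  fi
  if ! syslog_probe "$log"; then
    echo "WARNING: probe never reached $log; syslogd may be wedged"
    exit 1
  fi
  echo "OK: $log is current and syslogd accepts messages"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from cron with a short max age; the probe check is the one that would have fired here, since the stalled daemon kept its process entry.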
Comment 1 Aleksey Nogin 1998-11-25 02:03:59 EST
You should consider subscribing to redhat-watch-list or redhat-announce-list. There was a security update of sysklogd RPM about a week ago...
Comment 2 Preston Brown 1998-11-25 10:01:59 EST
Fixed by an errata release. Please check out updates.redhat.com before posting bugs.
