As near as I can tell, syslog 1.3-3 as included in Redhat 5.0 has a vulnerability. Today, Nov 24 at 13:52 I did a 'tail -f' of /var/log/messages and received several lines up to and including the following:

Nov 22 21:39:52 texnet identd[29833]: Successful lookup: 29493 , 25 :root.root
Nov 22 21:40:06 texnet identd[29834]: from: 209.82.95.249 ( dingo1 ) for:29554, 25
Nov 22 21:40:06 texnet identd[29834]: Successful lookup: 29554 , 25 :root.root

It seemed very suspicious that the last message was two days old. Then I did a killall -HUP syslogd and the following content appeared:

Nov 22 21:49:39 texnet syslogd: Cannot glue message parts together
Nov 22 21:49:39 texnet ^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-
Nov 22 21:50:18 texnet named[1590]: secondary zone "ke.com.au" expired
Nov 22 21:50:46 texnet named[1590]: Err/TO getting serial# for "ke.com.au"
Nov 22 21:51:42 texnet identd[29870]: Successful lookup: 29746 , 21 : root.root
Nov 24 13:40:43 texnet syslogd 1.3-3: restart.
Nov 24 13:44:05 texnet named[1590]: Err/TO getting serial# for "ke.com.au"
Nov 24 13:52:08 texnet identd[12154]: from: 209.68.1.103 ( anga.pair.com ) for: 4156, 25
Nov 24 13:52:08 texnet identd[12154]: Successful lookup: 4156 , 25 : root.root
Nov 24 14:07:02 texnet identd[12222]: from: 206.152.242.100 ( www.spectreint.com ) for: 4166, 25

At the same time my system has been compromised. It would appear that the bogus message sent to syslog caused it to puke, but stay resident (in sleep state), so my usual checks appeared to be successful, with no anomalies. The cracker then had two days of unlogged access to do other tasks. I believe he used the NFS hole to get in. With the kill of syslogd, he could then sign in and not have the connection source logged.
I've turned off password to ssh and turned off all but pop3 and ftp access, but I think I need some help and pointers on securing this system.
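What the poster noticed by eye (a /var/log/messages whose newest entry was two days old, followed by a "Cannot glue message parts together" line and a run of control characters) can be checked mechanically from the log's own timestamps. This is an added example, not code from the thread: the sample lines are constructed from the ones quoted above, and the year passed to the parser is an assumption because the BSD syslog timestamp format omits it.

```python
import re
from datetime import datetime

# Constructed sample modelled on the lines quoted in the post (not a real capture).
# The \x05\x08 bytes stand in for the ^E^H control characters in the garbled entry.
SAMPLE_LOG = (
    'Nov 22 21:49:39 texnet syslogd: Cannot glue message parts together\n'
    'Nov 22 21:49:39 texnet \x05\x08(-\x05\x08(-\x05\x08(-\n'
    'Nov 22 21:50:18 texnet named[1590]: secondary zone "ke.com.au" expired\n'
    'Nov 22 21:51:42 texnet identd[29870]: Successful lookup: 29746 , 21 : root.root\n'
    'Nov 24 13:40:43 texnet syslogd 1.3-3: restart.\n'
    'Nov 24 13:44:05 texnet named[1590]: Err/TO getting serial# for "ke.com.au"\n'
)

# Classic BSD syslog timestamp "Mon dd HH:MM:SS"; the format carries no year.
TS_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
GLUE_MSG = "Cannot glue message parts together"  # syslogd's own parse complaint

def parse_ts(line, year):
    """Timestamp of a log line as a datetime, or None; the year is assumed by the caller."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(0).strip()}", "%Y %b %d %H:%M:%S")

def find_gaps(text, year, max_gap_s):
    """(previous line, next line, seconds) for consecutive entries more than
    max_gap_s apart: a syslogd that has gone quiet shows up as one large gap."""
    gaps, prev = [], None
    for line in text.splitlines():
        ts = parse_ts(line, year)
        if ts is None:
            continue
        if prev and (ts - prev[0]).total_seconds() > max_gap_s:
            gaps.append((prev[1], line, (ts - prev[0]).total_seconds()))
        prev = (ts, line)
    return gaps

def find_garbled(text):
    """Lines syslogd said it could not parse, or that carry non-printable bytes."""
    return [l for l in text.splitlines()
            if GLUE_MSG in l or any(not 32 <= ord(c) <= 126 for c in l)]

def last_entry_age_s(text, year, now):
    """Seconds between the newest timestamped entry and `now`; far above the
    host's normal logging interval means the log has stopped being written."""
    stamps = [t for t in (parse_ts(l, year) for l in text.splitlines()) if t]
    return (now - max(stamps)).total_seconds() if stamps else None
```

Run against the real file with a threshold tuned to how chatty the host normally is; on the sample the gap check reports the 39-hour silence between the garbled entry and the restart, and the garbled check returns both the glue complaint and the control-character line.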
You should consider subscribing to redhat-watch-list or redhat-announce-list. There was a security update of sysklogd RPM about a week ago...
Fixed by an errata release. Please check out updates.redhat.com before posting bugs.