Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 191

Summary:	Syslogd Vulnerable
Product:	[Retired] Red Hat Linux	Reporter:	jay
Component:	sysklogd	Assignee:	Preston Brown <pbrown>
Status:	CLOSED CURRENTRELEASE	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	5.0	Keywords:	Security
Target Milestone:	---
Target Release:	---
Hardware:	i386
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	1998-11-25 15:01:24 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description jay 1998-11-25 01:59:22 UTC

As near as I can tell, syslog 1.3-3 as included in Redhat
5.0 has a vulnerability.
Today, Nov 24 at 13:52 I did a 'tail -f ' of /var/log
messages and recieved
several lines up to and including the following.

Nov 22 21:39:52 texnet identd[29833]: Successful lookup:
29493 , 25 :root.root
Nov 22 21:40:06 texnet identd[29834]: from: 209.82.95.249 (
dingo1 ) for:29554, 25
Nov 22 21:40:06 texnet identd[29834]: Successful lookup:
29554 , 25 :root.root

It seemed very suspicious that the last message was two days
old.

Then I did a killall -HUP syslogd and the following content
appeared:


Nov 22 21:49:39 texnet syslogd: Cannot glue message parts
together
Nov 22 21:49:39 texnet
^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-
Nov 22 21:50:18 texnet named[1590]: secondary zone
"ke.com.au" expired
Nov 22 21:50:46 texnet named[1590]: Err/TO getting serial#
for "ke.com.au"
Nov 22 21:51:42 texnet identd[29870]: Successful lookup:
29746 , 21 :
root.root
Nov 24 13:40:43 texnet syslogd 1.3-3: restart.
Nov 24 13:44:05 texnet named[1590]: Err/TO getting serial#
for "ke.com.au"
Nov 24 13:52:08 texnet identd[12154]: from: 209.68.1.103 (
anga.pair.com )
for: 4156, 25
Nov 24 13:52:08 texnet identd[12154]: Successful lookup:
4156 , 25 :
root.root
Nov 24 14:07:02 texnet identd[12222]: from: 206.152.242.100
(
www.spectreint.com ) for: 4166, 25

At the same time my system has been compromised.  It would
appear that the bogus message sent to syslog caused it to
puke, but stay resident (in sleep state) , so my usual
checks appeared to be successful, with no anomalies. The
cracker then had two days of unlogged access to
do other tasks.  I believe he use the NFS hole to get in.

With the kill of syslogd then he could sign in and not have
the connection source logged.  I've turned off password to
ssh and turned off all but pop3 and ftp access, but I think
I need some help and pointers on securing this system.

Comment 1 Aleksey Nogin 1998-11-25 07:03:59 UTC

You should consider subscribing to redhat-watch-list or
redhat-announce-list.
There was a security update of sysklogd RPM about a week ago...

Comment 2 Preston Brown 1998-11-25 15:01:59 UTC

fixed by an errata release.  Please check out updates.redhat.com
before posting bugs.