Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnerability Development: Re: Possible syslogd DoS ?

Re: Possible syslogd DoS ?

From: Crist J. Clark <cristjc_at_earthlink.net>
Date: Wed, 3 Oct 2001 23:10:33 -0700

On Wed, Oct 03, 2001 at 08:09:58PM +0200, Petr Baudis wrote:
> Hello,
> I just recently came on a thought (thanks to Marek Jaros) of possible
> DoS of syslogd. It uses /dev/log for receiving log messages, which has
> mode 0666 on most linuxes. It should be ok, as many non-root applications
> should be allowed to log things etc.

[snip]

> Discussion? Something i didn't take into account? Possible solutions?

To paraphrase an old quote, syslog is basically an unauthenticated
disk filling utility.

  #!/bin/sh

  while :; do

    logger "This is message one."
    logger "This is message two."

  done

On a system with untrusted users, you may need to do some special
configuration (change permissions on the log socket, make sure the
filling the partitions syslog writes to are not fatal, etc.).

This is a well known vulnerability of the syslog system, but is often
overlooked due to greater concerns over remote disk filling
possibilities. 

-- 
Crist J. Clark                           cjclark_at_alum.mit.edu
                                         cjclark_at_jhu.edu
                                         cjc_at_freebsd.org
Received on Oct 04 2001
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos