|
Line 0
Link Here
|
|
|
1 |
From 43797330e75d7d4687b7ae6926a996c3c85c2679 Mon Sep 17 00:00:00 2001 |
| 2 |
From: mancha <mancha1 AT zoho DOT com> |
| 3 |
Date: Wed, 1 Oct 2014 |
| 4 |
Subject: CVE-2014-3634 |
| 5 |
|
| 6 |
Rainer Gerhards, rsyslog project leader, discovered an issue in rsyslogd |
| 7 |
where invalid priority values can trigger DoS and potentially RCE. |
| 8 |
|
| 9 |
As his analysis reveals, the cause of the problem identified in rsyslog's |
| 10 |
rsyslogd also exists in sysklogd's syslogd (from which rsyslogd was forked) |
| 11 |
and stems from the use of a (LOG_FACMASK|LOG_PRIMASK) mask to detect invalid |
| 12 |
priority values. |
| 13 |
|
| 14 |
In sysklogd's syslogd, invalid priority values between 192 and 1023 (directly |
| 15 |
or arrived at via overflow wraparound) can propagate through code causing |
| 16 |
out-of-bounds access to the f_pmask array within the 'filed' structure by up |
| 17 |
to 104 bytes past its end. Though most likely insufficient to reach |
| 18 |
unallocated memory because there are around 544 bytes past f_pmask in 'filed' |
| 19 |
(mod packing and other differences), incorrect access of fields at higher |
| 20 |
positions of the 'filed' structure definition can cause unexpected behavior |
| 21 |
including message mis-classification, forwarding issues, message loss, |
| 22 |
or other. |
| 23 |
|
| 24 |
This patch imposes a restriction on PRI message parts and requires they |
| 25 |
be properly-delimited priority value strings that have non-negative |
| 26 |
numerical values not exceeding 191. As before, sysklogd's syslogd permits |
| 27 |
zero padding to not break compatibility with RFC-non-compliant loggers that |
| 28 |
issue PRIs such as <0091>. Messages without well-formed PRI parts get |
| 29 |
logged with priority user.notice (13). (c.f. RFC 3164) |
| 30 |
|
| 31 |
Thanks to Rainer Gerhards for the initial report and analysis. |
| 32 |
|
| 33 |
[1] http://www.rsyslog.com/remote-syslog-pri-vulnerability/ |
| 34 |
[2] http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/ |
| 35 |
|
| 36 |
--- |
| 37 |
syslogd.c | 25 +++++++++++++++++++------ |
| 38 |
1 file changed, 19 insertions(+), 6 deletions(-) |
| 39 |
|
| 40 |
--- a/syslogd.c |
| 41 |
+++ b/syslogd.c |
| 42 |
@@ -632,6 +632,8 @@ int funix[MAXFUNIX] = { -1, }; |
| 43 |
#define TABLE_ALLPRI 0xFF /* Value to indicate all priorities in f_pmask */ |
| 44 |
#define LOG_MARK LOG_MAKEPRI(LOG_NFACILITIES, 0) /* mark "facility" */ |
| 45 |
|
| 46 |
+#define MAX_PRI 191 /* Maximum Priority per RFC 3164 */ |
| 47 |
+ |
| 48 |
/* |
| 49 |
* Flags to logmsg(). |
| 50 |
*/ |
| 51 |
@@ -1491,23 +1493,34 @@ void printline(hname, msg) |
| 52 |
register char *p, *q; |
| 53 |
register unsigned char c; |
| 54 |
char line[MAXLINE + 1]; |
| 55 |
- int pri; |
| 56 |
+ unsigned int pri; // Valid Priority values are 0-191 |
| 57 |
+ int prilen=0; // Track Priority value string len |
| 58 |
+ int msglen; |
| 59 |
|
| 60 |
/* test for special codes */ |
| 61 |
+ msglen=strlen(msg); |
| 62 |
pri = DEFUPRI; |
| 63 |
p = msg; |
| 64 |
|
| 65 |
if (*p == '<') { |
| 66 |
pri = 0; |
| 67 |
- while (isdigit(*++p)) |
| 68 |
- { |
| 69 |
- pri = 10 * pri + (*p - '0'); |
| 70 |
+ while (--msglen > 0 && isdigit((unsigned char)*++p) && |
| 71 |
+ pri <= MAX_PRI) { |
| 72 |
+ pri = 10 * pri + (*p - '0'); |
| 73 |
+ prilen++; |
| 74 |
} |
| 75 |
- if (*p == '>') |
| 76 |
+ if (*p == '>' && prilen) |
| 77 |
++p; |
| 78 |
+ else { |
| 79 |
+ pri = DEFUPRI; |
| 80 |
+ p = msg; |
| 81 |
+ } |
| 82 |
} |
| 83 |
- if (pri &~ (LOG_FACMASK|LOG_PRIMASK)) |
| 84 |
+ |
| 85 |
+ if ((pri &~ (LOG_FACMASK|LOG_PRIMASK)) || (pri > MAX_PRI)) { |
| 86 |
pri = DEFUPRI; |
| 87 |
+ p = msg; |
| 88 |
+ } |
| 89 |
|
| 90 |
memset (line, 0, sizeof(line)); |
| 91 |
q = line; |
