Re: Linux vsyslog() overflow

Dann Lunsford (dann@GREYCAT.COM)
Mon, 22 Dec 1997 08:59:42 -0800

In <>, on 12/21/97
at 12:43 AM, Solar Designer <solar@FALSE.COM> said:
>The buffer overflow is in vsyslog(), by the ident string previously set
>with openlog(). It is exploitable via some versions of /bin/su (for
>example, the version that comes with Slackware 3.1), and possibly some

As far as I can tell, su has been fixed in Slackware 3.4.

>other privileged processes that use user-supplied data in ident for
>openlog() -- could even be a daemon setting the ident to something like
>"daemon: username" (I don't know of any such examples though).

>I have verified this is exploitable in libc 5.4.23 and RedHat's 5.3.12-18
>that comes with RH 4.2, but is fixed in 5.4.38. It can't be exploited via
>/bin/su on standard RedHat setup though.

>Actually, the behavior of Slackware's /bin/su is quite stupid anyway:

>sunny:/tmp$ ln -s /bin/su kernel
>sunny:/tmp$ export PATH=.:$PATH
>sunny:/tmp$ kernel
>sunny:/tmp# tail -1 /var/log/messages
>Dec 20 23:32:33 sunny kernel: root on /dev/ttyp1

Again, can't duplicate this under Slackware 3.4.

>No real security hole here, but this shows it was a stupid thing to use
>argv[0] for openlog().

Gotta agree here.

>Since you should fix the vulnerability regardless if it's exploitable via
>your version of /bin/su or not, here's a tiny program for checking if
>your libc is vulnerable. If this segfaults, you're vulnerable.

>--- syslog-check.c ---

Under Slackware 3.4, libc 5.4.33, this code causes
to be logged to syslog.

Dann Lunsford      * The only thing necessary for the triumph of evil *   * is that men of good will do nothing.  --  Cicero *
Hiroshima 45 -- Chernobyl 86 -- Windows 95