COMMAND
klogd
SYSTEMS AFFECTED
Linux
PROBLEM
Jouko Pynnönen found the following. The kernel logging daemon klogd in
the sysklogd package for Linux contains a "format bug" making it
vulnerable to local root compromise (successfully tested on
Linux/x86). There is also a possibility of remote vulnerability
under certain (rather improbable) circumstances, and a more
probable semi-remote exploitability with knfsd.
Normally klogd reads kernel messages from /proc/kmsg and, after
some processing, passes them to syslogd, which in turn writes the
messages to the log file(s) defined in syslog.conf. The erroneous
function calls are in the function LogLine(), klogd.c lines
680 and 707:
Syslog( LOG_INFO, line_buff );
Each newline-terminated kernel message goes to Syslog() as a format
string. Before passing the string to Syslog(), LogLine() does some
simple processing: kernel addresses of the form [<address>] are
translated to symbol names, and '%' characters are checked and
duplicated to avoid format problems. The logic however fails to
handle '%' symbols inside a [<foo>] symbol marker, so a malicious
user can forge a kernel message like "[<%s %s %s %s>]", which is
enough to kill klogd with a segmentation fault. Possibilities of
executing arbitrary code are discussed below.
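To make the escaping flaw concrete, here is an added illustration (not klogd's own code) modelling the '%' handling the advisory describes: with skip_markers set, text inside a [<...>] marker is copied through unescaped (the buggy behaviour); with it clear, every '%' is doubled. A small regression check counts the directives that would still reach vsyslog(), and the robust fix is shown as passing the line as an argument to a fixed "%s" format.

```c
#include <string.h>
#include <syslog.h>

/* Added illustration, not klogd's own code: a model of the '%' escaping
 * the advisory describes. With skip_markers set, text inside a "[<...>]"
 * kernel-symbol marker is copied through untouched (the buggy behaviour);
 * with it clear every '%' is doubled (the hardened behaviour). */
static size_t escape_percent(const char *in, char *out, size_t cap,
                             int skip_markers)
{
    size_t n = 0;
    int in_marker = 0;
    for (const char *p = in; *p != '\0' && n + 2 < cap; p++) {
        if (skip_markers) {
            if (!in_marker && p[0] == '[' && p[1] == '<')
                in_marker = 1;
            else if (in_marker && p[0] == '>' && p[1] == ']')
                in_marker = 0;
        }
        if (*p == '%' && !in_marker)
            out[n++] = '%';          /* "%%" prints a literal '%' */
        out[n++] = *p;
    }
    out[n] = '\0';
    return n;
}

/* Regression check: count the '%' that would still reach vsyslog() as
 * conversion directives ("%%" is an escaped literal and does not count). */
static int live_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') {           /* escaped pair, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* The robust fix: pass log data as an argument, never as the format
 * string, so the escaping above is not relied on at all. */
static void log_kernel_line(const char *line)
{
    syslog(LOG_INFO, "%s", line);
}
```

A code-review check for this class of bug is simply whether any non-literal string ever reaches the format parameter of syslog(), printf() or vsyslog(); the escaping logic is defence in depth, not the fix.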
The vulnerability is exploitable by anyone who can feed strings
into the kernel log. There are many ways to do this locally; for
example, a connect() call with an improperly initialized sockaddr
structure generates a warning in the kernel log containing the
program name. However, the program name is taken from
task_struct->comm, which is a 16-byte buffer. The required "[<"
takes 2 bytes, so there is little room left for a conventional
shellcode and return address. The warning is printed only once, so
exploiting with just this message is probably difficult, but other
warnings in the kernel make it possible.
Other possibilities include special kernel modules that call
printk() to write to the kernel log, or various device drivers.
The driver for /dev/mixer, for instance, can trivially be made to
log a string containing a 31-byte user-definable substring if
/dev/mixer can be opened (as it can by default on many systems).
The exploitation process itself isn't so trivial. The buffer in
question is declared static, so it is mapped to a low memory
address; there is nothing user-definable or otherwise usable on
the stack. Jouko hasn't been able to produce a program doing a
standard "%n" exploitation, but it is possible to create a buffer
overflow condition elsewhere in the program in conjunction with
the format bug. If the format string contains something like
"%2000d", a local buffer in vsyslog() overflows. This function
is called from Syslog() and does no bounds checking of its own but
trusts the checks in Syslog(). In addition, "%m" in the format
string expands to the error message (from strerror()), which can be
used to "push" the end of the string further into memory, making it
possible to build a longer shellcode using multiple klogd messages
if needed. According to a quick test with a knfsd-enabled system,
the driver can be tricked into printk()ing path names with some
race conditioning, which is probably one of the easiest exploit
methods where available.
SOLUTION
For Slackware:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/a1/sysklogd.tgz
For Linux-Mandrake:
6.0/RPMS/sysklogd-1.3.31-14mdk.i586.rpm
6.0/SRPMS/sysklogd-1.3.31-14mdk.src.rpm
6.1/RPMS/sysklogd-1.3.31-16mdk.i586.rpm
6.1/SRPMS/sysklogd-1.3.31-16mdk.src.rpm
7.0/RPMS/sysklogd-1.3.31-17mdk.i586.rpm
7.0/SRPMS/sysklogd-1.3.31-17mdk.src.rpm
7.1/RPMS/sysklogd-1.3.31-18mdk.i586.rpm
7.1/SRPMS/sysklogd-1.3.31-18mdk.src.rpm
Just like other distributions, Trustix Secure Linux also suffers
from a security hole in sysklogd. Everybody running 1.0x or 1.1
should upgrade. The hole is already fixed in the new beta
(1.1.80). The new package can be found at:
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/sysklogd-1.3.31-18tr.i586.rpm
Red Hat has put out an update to the klogd package due to a
security bug found in klogd. Built packages for this update exist
for Immunix OS 6.2 (StackGuarded versions of the Red Hat
packages). They can be found at:
http://immunix.org:8080/ImmunixOS/6.2/updates/RPMS/sysklogd-1.3.31-17_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/sysklogd-1.3.31-17_StackGuard.src.rpm
For Red Hat:
ftp://updates.redhat.com/5.2/sparc/sysklogd-1.3.31-1.6.sparc.rpm
ftp://updates.redhat.com/5.2/alpha/sysklogd-1.3.31-1.6.alpha.rpm
ftp://updates.redhat.com/5.2/i386/sysklogd-1.3.31-1.6.i386.rpm
ftp://updates.redhat.com/5.2/SRPMS/sysklogd-1.3.31-1.6.src.rpm
ftp://updates.redhat.com/6.2/sparc/sysklogd-1.3.31-17.sparc.rpm
ftp://updates.redhat.com/6.2/i386/sysklogd-1.3.31-17.i386.rpm
ftp://updates.redhat.com/6.2/alpha/sysklogd-1.3.31-17.alpha.rpm
ftp://updates.redhat.com/6.2/SRPMS/sysklogd-1.3.31-17.src.rpm
ftp://updates.redhat.com/7.0/i386/sysklogd-1.3.33-8.i386.rpm
ftp://updates.redhat.com/7.0/SRPMS/sysklogd-1.3.33-8.src.rpm
For Debian:
http://security.debian.org/dists/slink/updates/source/sysklogd_1.3.orig.tar.gz
http://security.debian.org/dists/slink/updates/source/sysklogd_1.3-31.slink1.diff.gz
http://security.debian.org/dists/slink/updates/source/sysklogd_1.3-31.slink1.dsc
http://security.debian.org/dists/slink/updates/binary-i386/sysklogd_1.3-31.slink1_i386.deb
http://security.debian.org/dists/potato/updates/main/source/sysklogd_1.3-33.1.diff.gz
http://security.debian.org/dists/potato/updates/main/source/sysklogd_1.3-33.1.dsc
http://security.debian.org/dists/potato/updates/main/source/sysklogd_1.3.orig.tar.gz
http://security.debian.org/dists/potato/updates/main/binary-alpha/sysklogd_1.3-33.1_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/sysklogd_1.3-33.1_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/sysklogd_1.3-33.1_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/sysklogd_1.3-33.1_sparc.deb
For SuSE Linux:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/syslogd-1.3.33-161.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/syslogd-1.3.33-161.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/syslogd-1.3.33-161.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/syslogd-1.3.33-161.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/a1/syslogd-1.3.33-161.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/syslogd-1.3.33-161.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/syslogd-1.3.33-9.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/syslogd-1.3.33-9.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/a1/syslogd-1.3.33-161.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/syslogd-1.3.33-161.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/5.3/a1/syslogd-1.3.33-9.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/5.3/zq1/syslogd-1.3.33-9.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/a1/syslogd-1.3.33-161.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/syslogd-1.3.33-161.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/a1/syslogd-1.3.33-162.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/syslogd-1.3.33-162.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/a1/syslogd-1.3.33-161.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/syslogd-1.3.33-161.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/a1/syslogd-1.3.33-161.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/syslogd-1.3.33-161.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/a1/syslogd-1.3.33-161.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/syslogd-1.3.33-161.src.rpm
For Caldera:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/sysklogd-1.4-2.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS/SRPMS/sysklogd-1.4-2.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/sysklogd-1.4-2.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS/sysklogd-1.4-2.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/sysklogd-1.4-2.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS/SRPMS/sysklogd-1.4-2.src.rpm
For Turbo Linux:
ftp://ftp.turbolinux.com/pub/updates/6.0/sysklogd-1.3.31-6.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/sysklogd-1.3.31-6.src.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/sysklogd-1.4-1cl.i386.rpm