Message-ID: <1295950035.2935.8.camel@mochrul.balabit>
Date: Tue, 25 Jan 2011 11:07:15 +0100
From: SZALAY Attila <sasa@...abit.hu>
To: bugtraq@...urityfocus.com, oss-security@...ts.openwall.com
Subject: syslog-ng wrong file permission vulnerability

==========================================================================
syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE <= Information leak, access
                                           prevention and possible
                                           privilege escalation

CVE-2011-0343
==========================================================================

1. OVERVIEW

Versions 3.0, 3.1 and 3.2 of syslog-ng Open Source Edition (OSE) and
versions 3.0, 3.1 and 3.2 of syslog-ng Premium Edition (PE) create log
files with all permission bits set by default on FreeBSD and HP-UX
architectures. These permissions allow anybody with local access to read
and write the log files. The setuid and execution bits are also set,
allowing the log files to be executed.

2. BACKGROUND

The syslog-ng application is an enhanced version of the default Syslog
service found on FreeBSD and other UNIX and Unix-like operating systems.
The syslog-ng application supports reliable and encrypted transport using
TCP and TLS, SQL support, and offers powerful message filtering, sorting,
pre-processing and log normalization capabilities. Utilizing message
parsing and classification, syslog-ng is able to correlate log messages
both in real time and offline, making it especially suited to implement
the artificial ignorance principle.

3. VULNERABILITY DESCRIPTION

This vulnerability affects only architectures where sizeof(mode_t) is not
equal to sizeof(int). Because of bad casts in the code and the internal
representation of the ``use the default permission'' setting being -1,
this number in the chmod call is interpreted as 07777. This means that
the file is readable, writable and executable by everyone, and the
setuid, setgid and sticky bits are set. Everybody who can see the file
can read it, write it and even run it with root permission.
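The cast problem described above, as an added illustration (not syslog-ng's own code): a "-1 means default" sentinel is narrowed into the platform's mode type before it is compared, so on a platform with a 16-bit mode_t the check silently fails and chmod() receives 0xFFFF, which it masks to 07777, while on a 32-bit unsigned mode_t the same comparison happens to work. The 16-bit and 32-bit typedefs, the sentinel macro and the 0600 default are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed sentinel, as the advisory describes: -1 means "use the default". */
#define PERM_DEFAULT (-1)
/* Assumed default permission for the example; not taken from syslog-ng. */
#define DEFAULT_FILE_PERM 0600
/* Mode bits a chmod() implementation keeps: rwx for all plus setuid/setgid/sticky. */
#define CHMOD_MASK 07777

/* Models mode_t on a platform where it is narrower than int (e.g. 16 bits)
 * and on one where it is the same width as int but unsigned. */
typedef uint16_t mode16_t;
typedef uint32_t mode32_t;

/* Buggy pattern, 16-bit mode_t: the sentinel is narrowed before the check.
 * Returns the mode chmod() would actually apply. */
static unsigned buggy_mode16(int configured)
{
    mode16_t mode = (mode16_t)configured;   /* -1 becomes 0xFFFF */
    if (mode == -1)                          /* 0xFFFF promotes to int 65535, never equals -1 */
        return DEFAULT_FILE_PERM;
    return mode & CHMOD_MASK;                /* 0xFFFF & 07777 == 07777 */
}

/* Same buggy pattern with a 32-bit unsigned mode_t: -1 converts to 0xFFFFFFFF
 * on both sides of the comparison, so the check works by accident. */
static unsigned buggy_mode32(int configured)
{
    mode32_t mode = (mode32_t)configured;
    if (mode == -1)
        return DEFAULT_FILE_PERM;
    return mode & CHMOD_MASK;
}

/* Fixed pattern: test the sentinel while it is still a signed int, and only
 * then convert the value to the platform's mode type. */
static unsigned fixed_mode(int configured)
{
    if (configured == PERM_DEFAULT)
        return DEFAULT_FILE_PERM;
    return (unsigned)(configured & CHMOD_MASK);
}

int main(void)
{
    printf("16-bit mode_t, buggy: %04o\n", buggy_mode16(PERM_DEFAULT));
    printf("32-bit mode_t, buggy: %04o\n", buggy_mode32(PERM_DEFAULT));
    printf("fixed:                %04o\n", fixed_mode(PERM_DEFAULT));
    return 0;
}
```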

4. VERSIONS AFFECTED

The following table summarizes in which product versions the vulnerable
code is present and in which versions it has been corrected.

syslog-ng Open Source Edition (OSE):
Branch  Vulnerable from  Fixed in
2.0.X   this branch is not vulnerable
3.0.X   3.0.7            3.0.10
3.1.X   3.1.3            3.1.4
3.2.X   3.2alpha1        3.2.2?

syslog-ng Premium Edition (PE):
Branch  Vulnerable from  Fixed in
3.0.X   3.0.6            3.0.6a
3.1.X   this branch is not vulnerable
3.2.X   3.2.0            3.2.1a


5. PROOF-OF-CONCEPT/EXPLOIT

None. But it's easy to imagine.

6. IMPACT

This problem allows every user to see, modify or destroy the log
messages directly, making it difficult to detect harmful operations.
With a small trick even (shell)code execution is possible with root
permissions, causing privilege escalation.

7. SOLUTION

Upgrade to a newer, unaffected version.
syslog-ng Open Source Edition (OSE):
3.0.X  3.0.10
3.1.X  3.1.4
3.2.X  3.2.2

syslog-ng Premium Edition (PE):
3.0.X  3.0.6a
3.2.X  3.2.1a

8. VENDOR

BalaBit IT Security Ltd.
http://www.balabit.com
Product page:
http://www.balabit.com/network-security/syslog-ng/

9. CREDIT

This vulnerability was discovered by Steven Chamberlain (steven :at: pyro
dot eu dot org).

10. DISCLOSURE TIME-LINE

2010-12-31: The problem was reported to the Debian bug tracking system
2010-12-31: Vendor notified by the Debian maintainer
2011-01-01: Upstream proposed a fix
2011-01-02: FreeBSD port maintainer notified
2011-01-07: Every Linux port notified
2011-01-10: PE version 3.0.6a and 3.2.1a released
2011-01-14: OSE version 3.0.10 and 3.1.4 released
2011-01-16: OSE version 3.2.2 released

11. VENDOR RESPONSE

12. REFERENCES

Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608491
Debian security track:
http://security-tracker.debian.org/tracker/CVE-2011-0343
upstream patch:
http://git.balabit.hu/?p=bazsi/syslog-ng-3.0.git;a=commit;h=17531d911d544687fb9c5bd3b130dd5bf7903db0
upstream patch:
http://git.balabit.hu/?p=bazsi/syslog-ng-3.1.git;a=commit;h=cbcea8c95c3f07ed9eaa4d12f124db8f8ca2f74b
upstream patch:
http://git.balabit.hu/?p=bazsi/syslog-ng-3.2.git;a=commit;h=96af7607873e126ecee0eb51a5fff46a920c5630
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000103.html
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000104.html
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000105.html
freebsd port:
http://www.freshports.org/commit.php?category=sysutils&port=syslog-ng3&files=yes&message_id=201101041550.p04Fov6n028317@repoman.freebsd.org

-- 
SZALAY Attila
Support (L3) Team Leader

e-mail: attila.szalay@...abit.com

BalaBit IT Security
www.balabit.com
H-1115 Bártfai str. 54. Budapest

This Communication is Confidential. We only send and receive email on
the basis of the terms set out at http://www.balabit.com/disclaimer/.
