[UNIX] Multiple Vulnerabilities in LogSurfer
From: support@securiteam.com
Date: 10/05/02
From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 5 Oct 2002 23:14:18 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities in LogSurfer
------------------------------------------------------------------------
SUMMARY
The program "logsurfer" <http://www.cert.dfn.de/eng/logsurf/home.html>
was designed to monitor any text-based logfiles on your system in
real-time. Two security vulnerabilities have been found in the product: an
off-by-one buffer overflow, and bad initialization of parameters (which
allows injection of arbitrary configuration files).
DETAILS
Vulnerable systems:
* All logsurfer versions including 1.5a and earlier.
Two vulnerabilities exist in logsurfer version 1.5a and earlier:
a) An off-by-one buffer overflow in the heap segment can occur in function
context_action() in context.c. Depending on the configuration and the
memory management of the language runtime system, this bug can lead to a
crash of logsurfer. In detail, only configurations that use the "pipe"
action are affected. Although it cannot be ruled out that this vulnerability
can be used to execute arbitrary code, DFN-CERT is not aware of any
exploits for it.
b) A buffer used for the temporary storage of configuration lines is not
properly initialized in function readcfg(). Depending on the content of
this buffer, the function readline() incorrectly assumes that it holds old
data. This data is then used as a configuration line.
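Added example, not part of the advisory and not logsurfer's source: a simplified C model of flaw (b), in which a line reader treats any text found in its carry-over buffer as old data, shown with and without the initialization that prevents it. The names take_line, next_line and first_cfg_line and the sample strings are hypothetical and constructed; the stale bytes are copied in explicitly to stand in for whatever an uninitialized buffer happens to hold.

```c
/* Simplified model of flaw (b); not logsurfer's code. Names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define BUFSZ 64

/* Copy one line (up to '\n' or end of string) from *src into dst. */
static int take_line(const char **src, char *dst)
{
    size_t n = strcspn(*src, "\n");
    if (**src == '\0') return 0;            /* nothing left to read */
    if (n >= BUFSZ) n = BUFSZ - 1;          /* never overrun dst */
    memcpy(dst, *src, n);
    dst[n] = '\0';
    *src += n + ((*src)[n] == '\n');
    return 1;
}

/* Reader that treats any text left in `carry` as data from an earlier
 * read and returns it before touching the real input. */
static int next_line(const char **input, char *carry, char *out)
{
    if (carry[0] != '\0') {                 /* "this is old data" */
        const char *p = carry;
        take_line(&p, out);
        carry[0] = '\0';
        return 1;
    }
    return take_line(input, out);
}

/* Fetch the first config line. `stale` is constructed sample content for
 * the buffer; init=0 models the flaw, init=1 the initialized buffer. */
static int first_cfg_line(const char *cfg, const char *stale, int init, char *out)
{
    char carry[BUFSZ];
    snprintf(carry, BUFSZ, "%s", stale);    /* simulate leftover bytes */
    if (init) carry[0] = '\0';              /* start with an empty buffer */
    return next_line(&cfg, carry, out);
}

int main(void)
{
    char line[BUFSZ];
    for (int init = 0; init <= 1; init++) {
        first_cfg_line("rule-from-file\n", "rule-from-stale-memory\n", init, line);
        printf("init=%d -> %s\n", init, line);
    }
    return 0;
}
```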
Solution:
We recommend upgrading to logsurfer version 1.5b, which is available from
the URL:
<ftp://ftp.cert.dfn.de/pub/tools/audit/logsurfer/>
In addition, a patch is available from the URL stated above.
It is strongly recommended to verify the authenticity of the logsurfer
distribution using pgp and/or the md5 checksum:
a) pgp logsurfer-1.5b.tar.asc
pgp key "Jan Kohlrausch, DFN-CERT <kohlrausch@cert.dfn.de>" is required:
KeyID 0xA5DD03D1,
Key fingerprint = A2 55 1C 51 0A 30 3E 78 5B 40 DA B7 14 F7 C9 E8
b) MD5 checksum:
MD5 (logsurfer-1.5b.tar) = ade77bed7bc3c73fd26039e69c4937f4
ADDITIONAL INFORMATION
The information has been provided by Jonathan Heusser, Yonekawa Susumu,
Gary L. Hennigan, Miron Cuperman and Jan Kohlrausch
<kohlrausch@cert.dfn.de>.