Re: Possible syslogd DoS ?
From: Crist J. Clark (cristjc@earthlink.net)Date: 10/04/01
- Previous message: Jose Nazario: "Re: Tools to exercise SSL implementation"
- In reply to: Petr Baudis: "Possible syslogd DoS ?"
- Next in thread: VeNoMouS: "Re: Possible syslogd DoS ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 3 Oct 2001 23:10:33 -0700 From: "Crist J. Clark" <cristjc@earthlink.net> To: vuln-dev@securityfocus.com Subject: Re: Possible syslogd DoS ? Message-ID: <20011003231033.S8391@blossom.cjclark.org>
On Wed, Oct 03, 2001 at 08:09:58PM +0200, Petr Baudis wrote:
> Hello,
> I just recently came on a thought (thanks to Marek Jaros) of possible
> DoS of syslogd. It uses /dev/log for receiving log messages, which has
> mode 0666 on most linuxes. It should be ok, as many non-root applications
> should be allowed to log things etc.
[snip]
> Discussion? Something i didn't take into account? Possible solutions?
To paraphrase an old quote, syslog is basically an unauthenticated
disk filling utility.
#!/bin/sh
while :; do
logger "This is message one."
logger "This is message two."
done
On a system with untrusted users, you may need to do some special
configuration (change permissions on the log socket, make sure the
filling the partitions syslog writes to are not fatal, etc.).
This is a well known vulnerability of the syslog system, but is often
overlooked due to greater concerns over remote disk filling
possibilities.
-- Crist J. Clark cjclark@alum.mit.edu cjclark@jhu.edu cjc@freebsd.org
- Previous message: Jose Nazario: "Re: Tools to exercise SSL implementation"
- In reply to: Petr Baudis: "Possible syslogd DoS ?"
- Next in thread: VeNoMouS: "Re: Possible syslogd DoS ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
