syslog-ng wrong file permission vulnerability Jan 25 2011 10:07AM
SZALAY Attila (sasa balabit hu)
========================================================================
==
syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE <= Information leak, access
prevention and possible
priviledge escalation

CVE-2011-0343
========================================================================
==

1. OVERVIEW

Versions 3.0, 3.1 and 3.2 of syslog-ng Open Source Edition (OSE) and
versions 3.0, 3.1 and 3.2 of syslog-ng Premium Edition (PE) create log
files
with all permission bit set by default on FreeBSD and HP-UX
architectures.
These permissions allow anybody with local access to read and write the
log
files. The setuid and execution bits are also set, allowing the log
files to be
executed.

2. BACKGROUND

The syslog-ng application is an enhanced version of the default Syslog
service
found on FreeBSD and other UNIX and Unix-like operating systems. The
syslog-
ng application supports reliable and encrypted transport using TCP and
TLS,
SQL support, and offers powerful message filtering, sorting,
pre-processing and
log normalization capabilities. Utilizing message parsing and
classification,
syslog-ng is able to correlate log messages both real-time and offline,
making
it especially suited to implement the artificial ignorance principle.

3. VULNERABILITY DESCRIPTION

This vulnerability affects only architectures where sizeof(mod_t) is not
equal to sizeof(int). Because of bad casts in the code and the internal
representation of the ``use the default permission'' setting being -1,
this
number in the chmod call is interpreted as 07777. This means that the
permission
of the file is readable, writable and executable to all, and the setuid,
setgid,
and sticky bits are set. Everybody who can see the file can read it,
write it
and even run it with root permission.

4. VERSIONS AFFECTED

The following table summarizes in which product versions is the
vulnerable code
present and in which versions has it been corrected.

syslog-ng Open Source Edition (OSE):
Branch Vulnerable from Fixed in
2.0.X this branch is not vulnerable
3.0.X 3.0.7 3.0.10
3.1.X 3.1.3 3.1.4
3.2.X 3.2alpha1 3.2.2?

syslog-ng Premium Edition (PE):
Branch Vulnerable from Fixed in
3.0.X 3.0.6 3.0.6a
3.1.X this branch is not vulnerable
3.2.X 3.2.0 3.2.1a

5. PROOF-OF-CONCEPT/EXPLOIT

None. But it's easy to imagine.

6. IMPACT

This problem causes that every user can see, modify or destroy the log
messages directly and make it difficult to detect harmful operations.
With a
small trick even (shell)code execution is possible with root
permissions,
causing privilege escalation.

7. SOLUTION

Upgrade to a newer, unaffected version.
syslog-ng Open Source Edition (OSE):
3.0.X 3.0.10
3.1.X 3.1.4
3.2.X 3.2.2

syslog-ng Premium Edition (PE):
3.0.X 3.0.6a
3.2.X 3.2.1a

8. VENDOR

BalaBit IT Security Ltd.
http://www.balabit.com
Product page:
http://www.balabit.com/network-security/syslog-ng/

9. CREDIT

This vulnerability was discovered by Steven Chamberlain steven :at: pyro
dot eu dot org

10. DISCLOSURE TIME-LINE

2010-12-31: The problem reported to the debian bug tracking system
2010-12-31: notified vendor by the debian maintainer
2011-01-01: upstream proposed a fix
2011-01-02: freebsd port maintainer notified
2011-01-07: every linux port notified
2011-01-10: PE version 3.0.6a and 3.2.1a released
2011-01-14: OSE version 3.0.10 and 3.1.4 released
2011-01-16: OSE version 3.2.2 released

11. VENDOR RESPONSE

12. REFERENCES

Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608491
Debian security track:
http://security-tracker.debian.org/tracker/CVE-2011-0343
upstream patch:
http://git.balabit.hu/?p=bazsi/syslog-ng-3.0.git;a=commit;h=17531d911d54
4687fb9c5bd3b130dd5bf7903db0
upstream patch:
http://git.balabit.hu/?p=bazsi/syslog-ng-3.1.git;a=commit;h=cbcea8c95c3f
07ed9eaa4d12f124db8f8ca2f74b
upstream patch:
http://git.balabit.hu/?p=bazsi/syslog-ng-3.2.git;a=commit;h=96af7607873e
126ecee0eb51a5fff46a920c5630
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/0001
01.html
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/0001
02.html
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/0001
03.html
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/0001
04.html
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/0001
05.html
freebsd port:
http://www.freshports.org/commit.php?category=sysutils&port=syslog-ng3&f
iles=yes&message_id=201101041550.p04Fov6n028317 (at) repoman.freebsd (dot) org [email concealed]

--
SZALAY Attila
Support (L3) Team Leader

e-mail: attila.szalay (at) balabit (dot) com [email concealed]

BalaBit IT Security
www.balabit.com
H-1115 Bártfai str. 54. Budapest

This Communication is Confidential. We only send and receive email on
the basis of the terms set out at http://www.balabit.com/disclaimer/.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus