Multiple Linux Vendor klogd Vulnerability

Multiple Linux Vendor klogd Vulnerability

The 'klogd' program is a Linux system daemon that receives messages from the kernel and sends them to 'syslogd' to be recorded in a log file. A format-string vulnerability in 'klogd' allows attackers to gain root access locally and in certain exceptional cases remotely. The problem occurs as a result of passing a buffer containing user input directly to the 'syslog()' function. This occurs on lines 680 and 707 of the file 'klogd.c' in the 'LogLine()' function:

Syslog( LOG_INFO, line_buff );

The notation '[<address>]' is used in kernel message strings to supply kernel addresses that are translated into symbol names by 'klogd'. Although the 'LogLine() 'function escapes instances of the '%' character to avoid format-string problems, this processing does not occur between pairs of '[<' and '>]' delimiters. So, for example, if an attacker can cause the kernel to generate a message containing '[<%s %s %s %s>]', then klogd will crash with a segmentation fault. Exploiting this vulnerability depends on the attacker being able to use a device, module, or system call to generate kernel messages containing arbitrary attacker-specified strings.