Multiple Linux Vendor klogd Vulnerability
BID:1694
Info
| Bugtraq ID: | 1694 |
| Class: | Input Validation Error |
| CVE: | CVE-2000-0867 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Sep 13 2000 12:00AM |
| Updated: | Jul 12 2007 11:27PM |
| Credit: | This vulnerability was first reported to Bugtraq in a message posted on September 18, 2000 by Jouko Pynnönen <[email protected]>. |
| Vulnerable: | Wirex Immunix OS 6.2; Turbolinux Turbolinux 6.0.4; Turbolinux Turbolinux 6.0.3; Turbolinux Turbolinux 6.0.2; Turbolinux Turbolinux 6.0.1; Turbolinux Turbolinux 6.0; Turbolinux Turbolinux 4.4; Trustix Trustix Secure Linux 1.1; Trustix Trustix Secure Linux 1.0; SuSE Linux 7.0 sparc; SuSE Linux 7.0; SuSE Linux 6.4 ppc; SuSE Linux 6.4 alpha; SuSE Linux 6.4; SuSE Linux 6.3 ppc; SuSE Linux 6.3 alpha; SuSE Linux 6.3; SuSE Linux 6.2; Slackware Linux 7.1; Slackware Linux 7.0; Slackware Linux 4.0; Redhat Linux 6.2 E sparc; Redhat Linux 6.2 E i386; Redhat Linux 6.2 E alpha; Redhat Linux 6.2 sparc; Redhat Linux 6.2 i386; Redhat Linux 6.2 alpha; Redhat Linux 6.1 sparc; Redhat Linux 6.1 i386; Redhat Linux 6.1 alpha; Redhat Linux 6.0 sparc; Redhat Linux 6.0 alpha; Redhat Linux 6.0; Redhat Linux 5.2 sparc; Redhat Linux 5.2 i386; Redhat Linux 5.2 alpha; Mandriva Linux Mandrake 7.1; Mandriva Linux Mandrake 7.0; Mandriva Linux Mandrake 6.1; Mandriva Linux Mandrake 6.0; Debian Linux 2.3 sparc; Debian Linux 2.3 powerpc; Debian Linux 2.3 alpha; Debian Linux 2.3; Debian Linux 2.2 pre potato; Debian Linux 2.2 sparc; Debian Linux 2.2 powerpc; Debian Linux 2.2 arm; Debian Linux 2.2 alpha; Debian Linux 2.2; Corel Linux OS 1.0 |
| Not Vulnerable: | |
Discussion
The 'klogd' program is a Linux system daemon that receives messages from the kernel and sends them to 'syslogd' to be recorded in a log file. A format-string vulnerability in 'klogd' allows attackers to gain root access locally and in certain exceptional cases remotely. The problem occurs as a result of passing a buffer containing user input directly to the 'syslog()' function. This occurs on lines 680 and 707 of the file 'klogd.c' in the 'LogLine()' function:
Syslog( LOG_INFO, line_buff );
The notation '[<address>]' is used in kernel message strings to supply kernel addresses that are translated into symbol names by 'klogd'. Although the 'LogLine()' function escapes instances of the '%' character to avoid format-string problems, this processing does not occur between pairs of '[<' and '>]' delimiters. So, for example, if an attacker can cause the kernel to generate a message containing '[<%s %s %s %s>]', then klogd will crash with a segmentation fault. Exploiting this vulnerability depends on the attacker being able to use a device, module, or system call to generate kernel messages containing arbitrary attacker-specified strings.
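The following C sketch is an added example, not code from klogd or from this advisory. It models the escaping gap described above with a hypothetical escape_outside_brackets() helper, counts the conversion directives that survive it, and shows the general constant-format call pattern that treats the message as data; snprintf() stands in for syslog() and the sample message is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample using the '[<...>]' form quoted in the advisory. */
static const char SAMPLE[] = "load 100% at [<%s %s %s %s>]";

/* Simplified model of the flawed escaping (an assumption, not klogd's
 * source): '%' is doubled everywhere except between "[<" and ">]". */
static void escape_outside_brackets(const char *src, char *dst, size_t n)
{
    int in_addr = 0;
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0' && o + 2 < n; i++) {
        if (src[i] == '[' && src[i + 1] == '<') in_addr = 1;
        else if (src[i] == '>' && src[i + 1] == ']') in_addr = 0;
        if (src[i] == '%' && !in_addr) dst[o++] = '%';
        dst[o++] = src[i];
    }
    dst[o] = '\0';
}

/* Audit helper: count '%' that printf-style code would still interpret. */
static int live_directives(const char *s)
{
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == '%' && s[i + 1] == '%') i++;   /* escaped pair */
        else if (s[i] == '%') count++;
    }
    return count;
}

/* Hardened pattern: constant format string, message passed as data.
 * snprintf() stands in for syslog() so the result can be inspected. */
static void log_line_safe(char *out, size_t n, const char *line_buff)
{
    snprintf(out, n, "%s", line_buff);
}

int main(void)
{
    char esc[128], out[128];
    escape_outside_brackets(SAMPLE, esc, sizeof esc);
    log_line_safe(out, sizeof out, SAMPLE);
    printf("live after escaping: %d\nlogged: %s\n", live_directives(esc), out);
    return strcmp(out, SAMPLE) != 0;
}
```

With a constant format string no escaping pass is needed at all, so a gap in that pass cannot turn message content into conversion directives.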
Exploit / POC
Currently we are not aware of any working exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
Solution / Fix
Solution:
Several vendors have provided package upgrades for this issue. Please see the references for details.