bug-inetutils

Re: syslogd security ?


From: Marcus Brinkmann
Subject: Re: syslogd security ?
Date: Fri, 24 Nov 2000 12:12:27 +0100
User-agent: Mutt/1.1.4i

On Thu, Nov 23, 2000 at 11:58:36PM -0500, Alain Magloire wrote:
> Good news, cast is off ... ye !!! A few physio workout and I'm
> back rocking.

Great!
 
> Bad news, my machine's been cracked.

Barf!

> I left my machine
> running as a way to test the inetutils tools, ftp rlogin etc ...
> except that I forgot to update inetd and syslogd.  So
> both (inetd and syslogd) were the default stock from Red Hat 6.1 (or
> was it 5.2 ???)
> Now I cannot confirm if this was a syslogd buffer overflow
> thing or another inetd service ...
> 
> Speculation ?
> 
> In any case excerpt from a syslogd messages:
> 
> ---------------syslogd /var/log/messages ---------------------------
> Nov 20 15:08:12 reliant
> Nov 20 15:08:12 reliant syslogd: Cannot glue message parts together
> Nov 20 15:08:12 reliant 173>Nov 20 15:08:12 rpc.statd[504]: gethostbyname 
> error

That's an old exploit of rpc.statd in the nfs package. Debian has an
announcement from Jul 2000 here:
http://www.debian.org/security/2000/20000719a

This has nothing to do with syslogd in particular. It's just that the full
blurb of non-printable is too long to fit in the message buffer, and thus
truncated. Note that our version of syslogd doesn't support multiple message
parts, and will truncate even earlier.

I wouldn't hold my hand in fire for my analysis, but I think it is correct.

Thanks,
Marcus

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org address@hidden
Marcus Brinkmann              GNU    http://www.gnu.org    address@hidden
address@hidden
http://www.marcus-brinkmann.de
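
A log-triage sketch for the pattern discussed in the message above, added here as an illustration; it is not part of the original message and not inetutils code. It flags the three symptoms visible in the quoted excerpt (an empty message, syslogd's "Cannot glue message parts together", and a priority tag plus second timestamp embedded in the body) along with raw non-printable bytes, grouped by timestamp and host; the flag names, the `exampled` lines and the timestamp layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines quoted in the message above, plus one
# made-up routine line and one made-up line carrying raw control bytes.
SAMPLE = (
    "Nov 20 15:07:59 reliant exampled[100]: routine message\n"
    "Nov 20 15:08:12 reliant\n"
    "Nov 20 15:08:12 reliant syslogd: Cannot glue message parts together\n"
    "Nov 20 15:08:12 reliant 173>Nov 20 15:08:12 rpc.statd[504]: gethostbyname error\n"
    "Nov 20 15:09:30 reliant exampled[100]: bad input \x01\x02\x7f\n"
)

TS = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
LINE = re.compile(rf"^(?P<ts>{TS}) (?P<host>\S+)(?: (?P<msg>.*))?$")
# A leftover priority tag ("173>") followed by a second timestamp inside the body.
EMBEDDED = re.compile(rf"\d{{1,3}}>{TS} ")
NONPRINT = re.compile(r"[^\x20-\x7e]")

def flags_for(msg):
    """Return the set of anomaly flags (hypothetical names) for one message body."""
    flags = set()
    if not msg.strip():
        flags.add("empty-message")
    if "Cannot glue message parts together" in msg:
        flags.add("glue-failure")
    if EMBEDDED.search(msg):
        flags.add("embedded-header")
    if "rpc.statd[" in msg and "gethostbyname error" in msg:
        flags.add("statd-gethostbyname")
    if NONPRINT.search(msg):
        flags.add("non-printable")
    return flags

def triage(text):
    """Group flagged lines by (timestamp, host) so related fragments line up."""
    events = defaultdict(set)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not in the timestamp/host layout assumed here
        found = flags_for(m.group("msg") or "")
        if found:
            events[(m.group("ts"), m.group("host"))] |= found
    return dict(events)

if __name__ == "__main__":
    for (ts, host), found in triage(SAMPLE).items():
        print(ts, host, sorted(found))
```

Several flags landing on the same timestamp and host, as with the three quoted lines, indicate fragments of one over-long message rather than separate events.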