[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: syslogd security ?
From: |
Marcus Brinkmann |
Subject: |
Re: syslogd security ? |
Date: |
Fri, 24 Nov 2000 12:12:27 +0100 |
User-agent: |
Mutt/1.1.4i |
On Thu, Nov 23, 2000 at 11:58:36PM -0500, Alain Magloire wrote:
> Good news, cast is off ... ye !!! A few physio workout and I'm
> back rocking.
Great!
> Bad news, my machine's been crack.
Barf!
> I left my machine
> running as a way to test the inetutils tools, ftp rlogin etc ...
> except that I forgot to update inetd and syslogd. So
> both(ined and syslogd) were the default stock from Red Hat 6.1 (or
> was it 5.2 ???)
> Now I can not confirm is this was a syslogd buffer overflow
> thing or another inetd services ...
>
> Speculation ?
>
> In any case excerpt from a syslogd messages:
>
> ---------------syslogd /var/log/messages ---------------------------
> Nov 20 15:08:12 reliant
> Nov 20 15:08:12 reliant syslogd: Cannot glue message parts together
> Nov 20 15:08:12 reliant 173>Nov 20 15:08:12 rpc.statd[504]: gethostbyname
> error
That's an old exploit of rpc.statd in the nfs package. Debian has an
announcement from Jul 2000 here:
http://www.debian.org/security/2000/20000719a
This has nothing to do with syslogd in particular. It's just that the full
blurb of non-printable is too long to fit in the message buffer, and thus
truncated. Note that our version of syslogd doesn't support multiple message
parts, and will truncate even earlier.
I wouldn't hold my hand in fire for my analysis, but I think it is correct.
Thanks,
Marus
--
`Rhubarb is no Egyptian god.' Debian http://www.debian.org address@hidden
Marcus Brinkmann GNU http://www.gnu.org address@hidden
address@hidden
http://www.marcus-brinkmann.de
- syslogd security ?, Alain Magloire, 2000/11/23
- Re: syslogd security ?,
Marcus Brinkmann <=