Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1997_4

Bugtraq archives for 4th quarter (Oct-Dec) 1997: Re: Remotely kill Solaris syslogd

Re: Remotely kill Solaris syslogd

Andrew Reynhout (reynhoutQUESERA.COM)
Tue, 21 Oct 1997 12:17:38 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: lb: "Responses to syslogd killing"
Previous message: Chris Wilson: "Re: remotely kill solaris syslogd"
In reply to: lb - STAFF: "Remotely kill Solaris syslogd"

We've run into the same issue, and Sun has known about it since April.
There is a patch, 103738-04, which fixes this (and other) problems.
It is **NOT** a recommended or a security patch, nor is it available
from the public area of sunsolve.  It clearly should be.

There are many installations where syslogd is a critical part of the
security/monitoring infrastructure.  There are even some where REMOTE
syslogging is critical.  It is a terrible choice, but many times the
only one available.  I'd recommend using Paul Vixie's syslogd, or at
least filtering 514/udp.  It won't solve syslogd's spoofing problems,
but at least messages won't disappear.

(From the README.103738-04:)
>Patch-ID# 103738-04
>Keywords: syslogd core lookup EUC ja 8-bit limit
>Synopsis: SunOS 5.5.1: /usr/sbin/syslogd patch
>Date: Oct/03/97
>Xref: This patch available for x86 as patch 103739
>...
>Problem Description:
>...
>(from 103738-01)
>1249320 *syslogd* syslog is dying randomly in Solaris 2.5, leaves core files.

Andrew

lb - STAFF writes:
>   It seems that I've stumbled upon a bug which must have been discovered
> but never disclosed, I find it hard to believe noone has found this.  After
> searching the bugtraq archives and the publicly available patches from
> Sun I am still under the impression that this hasn't been released until
> now.
>
>   When Solaris syslogd receives an external message it attempts to do
> a DNS lookup on the source IP.  Many times, if this IP doesn't match a
> DNS record then syslogd will crash with a Seg Fault.  I have not had
> time to diagnose completely how dangerous this is, as I didn't feel like
> spending time debugging DNS packets, but at the very least it will disable
> logging on the target machine.  It also turns out that depending on the
> source IP, syslogd will either Seg Fault or Bus Error which leads me
> to believe this could be most harmful.
>
>   This has been tested on Solaris 2.5 and 2.5.1 for both Sparc and x86 with
> full patches.  Solaris 2.6 Sparc does not appear to be vulnerable.
>
>   The only solution at the moment (because I know of no way to disable
> remote logging under Solaris) is to filter off udp port 514 whenever
> possible and perhaps to respawn syslogd from inittab.
>
>   If this is an old bug, well the patch shoulda been included in Sun's
> recommended security patches.  If not, as it says, your milage may vary.
>
>   (Is there anyone left who isn't a security consultant?)

Next message: lb: "Responses to syslogd killing"
Previous message: Chris Wilson: "Re: remotely kill solaris syslogd"
In reply to: lb - STAFF: "Remotely kill Solaris syslogd"