Trent W. Buck
2008-Jun-27 05:37 UTC
[Logcheck-devel] Bug#488212: Potential denial-of-service (DOS) attack by anyone with syslog access (e.g. logger(1))
Package: logcheck
Severity: normal
I was rolling out a server in a high-security environment, using
logcheck (monitoring auth.log) as part of the infrastructure for
alerting staff about malicious activity.
I was injecting syslog entries with logger(1), to test my custom
logcheck ignore rules, and it occurred to me that a user could do
this (where "ERROR" matches a pattern in violation.d):
yes ERROR | logger
which causes logger to spam syslog with messages. Testing shows that
this adds entries faster than logcheck can scan them, preventing the
logcheck job from ever completing.
An attacker could use this technique to indefinitely delay
notification of their attack (say, a dictionary attack on a
password-protected service). Admittedly, subsequent jobs will create
error mail along the lines of "couldn't get lock", but this sounds
like a low-priority error.
Currently I'm just advising staff to treat logcheck lockfile mails as
high priority, but I figured I should mention it in case there's some
technique that logcheck could (or does, but I don't know about)
support to mitigate this.
PS: by default syslog and syslog-ng accept log entries from local
users, but they can be configured to accept entries from remote hosts
(making this potentially a remote attack).
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
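Added example, not code from the bug report or from logcheck itself: a small Python check that flags the flooding pattern described above (a burst of near-identical messages in one second from a single syslog tag, as a logger loop produces), so a monitor can raise it as a high-priority event rather than waiting for logcheck's lockfile mail. The host name, user tag, year and sample lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Classic syslog line: "Jun 27 05:37:01 host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def parse(line):
    """Split one syslog line into fields; None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Classic syslog timestamps carry no year; 2008 is an assumed value.
    rec["ts"] = datetime.strptime("2008 " + rec["ts"], "%Y %b %d %H:%M:%S")
    return rec

def flood_sources(lines, per_second=20, min_distinct_ratio=0.2):
    """Return the (host, tag) pairs that, within any one-second bucket,
    exceed per_second messages AND mostly repeat the same text.
    Repetition is what separates a logger loop from a busy but
    legitimate daemon."""
    buckets = defaultdict(Counter)   # (host, tag, second) -> Counter(msg)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        buckets[(rec["host"], rec["tag"], rec["ts"])][rec["msg"]] += 1
    flagged = set()
    for (host, tag, _second), msgs in buckets.items():
        total = sum(msgs.values())
        if total > per_second and len(msgs) / total < min_distinct_ratio:
            flagged.add((host, tag))
    return flagged

# Constructed sample: 30 lines of "ERROR" tagged with the invoking user's
# name (logger's default tag) plus three ordinary sshd lines in the same
# second, which must not be flagged.
SAMPLE = ["Jun 27 05:37:01 srv trent: ERROR"] * 30 + [
    "Jun 27 05:37:01 srv sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2",
    "Jun 27 05:37:01 srv sshd[1235]: Failed password for invalid user bob from 10.0.0.6 port 51001 ssh2",
    "Jun 27 05:37:01 srv sshd[1236]: Connection closed by 10.0.0.6",
]

if __name__ == "__main__":
    for host, tag in sorted(flood_sources(SAMPLE)):
        print(f"log flood from {host} tag={tag}: check logcheck is keeping up")
```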
martin f krafft
2008-Jun-27 06:55 UTC
[Logcheck-devel] Bug#488212: Bug#488212: Potential denial-of-service (DOS) attack by anyone with syslog access (e.g. logger(1))
tags 488212 wontfix confirmed
thanks

Sure thing, but I don't see how logcheck could guard against this. If you are letting people write to your log, you're asking for it. They might also just drown legitimate entries with junk (cat /dev/urandom...). So you should lock down the logger.

I also advise people never to rely on logcheck. It's convenient, but it's not reliable *at all*.

--
martin f. krafft <madduck at debian.org>
proud Debian developer, author, administrator, and user
http://people.debian.org/~madduck - http://debiansystem.info
Debian - when you have better things to do than fixing systems
Debian Bug Tracking System
2008-Jun-27 06:57 UTC
[Logcheck-devel] Processed: Re: Bug#488212: Potential denial-of-service (DOS) attack by anyone with syslog access (e.g. logger(1))
Processing commands for control at bugs.debian.org:

> tags 488212 wontfix confirmed
Bug#488212: Potential denial-of-service (DOS) attack by anyone with syslog access (e.g. logger(1))
There were no tags set.
Tags added: wontfix, confirmed

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)