Great Circle Associates Firewalls
(October 1994)
 


Subject: Re: syslogd risk
From: Christopher Klaus <cklaus @ shadow . net>
Date: Fri, 7 Oct 94 15:14:35 EDT
To: Ross_Patterson @ Sterling . Com (Ross Patterson)
Cc: Firewalls @ GreatCircle . COM
In-reply-to: <199410071331 . JAA17648 @ mail . Reston . VMD . Sterling . COM>; from "Ross Patterson" at Oct 7, 94 9:50 am

> 
> Christian Wettergren <cwe @ it . kth . se> writes:
> 
> >I've also seen that there is a fixed-size buffer in the routine
> >logerror(), which can be overrun. The contents can be controlled
> >from outside in at least one instance.
> 
> ...
> 
> >                                                      I'm _not_
> >saying these are holes, just that it looks suspicious. (I wouldn't
> >be able to exploit them myself, I guess!)
> 
> Perhaps not, but if memory serves, Robert Morris Jr. used the same
> basic flaw in the Unix finger daemon as compiled for some variety of
> Sun to introduce his own machine code into the running process.
> 

The flaw, I believe, was using the gets() routine, which doesn't check to see if it
has overwritten any buffers.  Therefore RTM was able to overwrite the stack
and execute his own commands.

-- 
Christopher William Klaus  <cklaus @ shadow . net>  <iss @ shadow . net>
Internet Security Systems, Inc.         Computer Security Consulting
2209 Summit Place Drive,              Penetration Analysis of Networks
Atlanta,GA 30350-2430. (404)518-0099. Fax: (404)518-0030

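The fixed-size buffer pattern the thread describes (text from outside copied into a stack buffer with no length check, as with gets() or strcpy/strcat) and its bounded counterpart, as an added example that is not from the original thread or from any syslogd source; LOGBUF_SIZE, the function names and the sample input are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 64   /* hypothetical fixed-size log buffer, small on purpose */

/* Hardened form of a logerror()-style routine. The unbounded version would do
 * strcpy(buf, prefix); strcat(buf, ": "); strcat(buf, msg); and run past the end
 * of buf as soon as the pieces exceed LOGBUF_SIZE. snprintf() instead writes at
 * most bufsize bytes and always NUL-terminates; its return value is the length
 * the full line would have had, so truncation is detected and reported rather
 * than silently corrupting the stack.
 * Returns true when the whole line fit, false when it was truncated. */
bool logerror_bounded(char *buf, size_t bufsize, const char *prefix, const char *msg)
{
    int needed = snprintf(buf, bufsize, "%s: %s", prefix, msg);
    if (needed < 0) {                 /* encoding error: leave an empty line */
        if (bufsize > 0) buf[0] = '\0';
        return false;
    }
    return (size_t)needed < bufsize;
}

/* Formats into a LOGBUF_SIZE stack buffer, as a daemon would, and returns the
 * stored length; *truncated reports whether the line was cut short. */
size_t log_to_fixed_buffer(const char *prefix, const char *msg, bool *truncated)
{
    char buf[LOGBUF_SIZE];
    *truncated = !logerror_bounded(buf, sizeof buf, prefix, msg);
    return strlen(buf);
}

/* Constructed sample input: a message three times longer than the buffer. */
const char *constructed_long_message(void)
{
    static char long_msg[LOGBUF_SIZE * 3];
    memset(long_msg, 'A', sizeof long_msg - 1);
    long_msg[sizeof long_msg - 1] = '\0';
    return long_msg;
}

int main(void)
{
    bool cut;
    size_t n = log_to_fixed_buffer("syslogd", constructed_long_message(), &cut);
    printf("stored %zu of %zu bytes, truncated=%d\n",
           n, strlen(constructed_long_message()) + 9, (int)cut);
    return 0;
}
```

A logging routine that reports truncation this way keeps an over-long message a visible event in the log rather than a silent write past the buffer.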

