rsyslogd terminal escape sequences injection
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
rsyslog (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Hi,
It seems to me that it is possible to inject terminal escape sequences into log files via syslog(3):
# tail -f /var/log/messages
Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [\_GPE._L10]
(Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/
(*) Aug 23 13:50:33 ghetto kernel: ACPI Exception: AE_NOT_FOUND, while evaluating GPE
method [_L10] (20141107/
$ logger `printf 'HELLO\
# tail -f /var/log/messages
Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [\_GPE._L10]
(Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/
(*) Aug 23 13:50:33 ghetto kernel: ACPI AAAAAAAAAAAAA_
method [_L10] (20141107/
Aug 23 13:50:39 ghetto saken: HELLO
On the (*) line, the escape sequence changed its contents, meaning that an unprivileged
user can take advantage of this to hide their presence on the system by changing
legitimate logs, modify a window's title, change background and foreground color, etc.
While researching this, I found that rsyslogd has "$EscapeControl
which claims that it is on by default and that "The intent is to provide a way to stop non-printable messages from entering the syslog system as whole."
On my system, this does not seem to be true, and I actually went ahead and added "$EscapeControl
and the problem still persists.
I am using rsyslogd 7.4.8
Thanks,
Federico Bento.
information type: Private Security → Public Security
affects: policykit-1 (Ubuntu) → rsyslog (Ubuntu)
This is a problem with using cat(1) or tail(1) to inspect potentially malicious files; less(1) does not interpret the control chars by default, so it's safer to use. Something like:
less +F /path/to/file
will behave similarly to:
tail -f /path/to/file
For more information, see:
http://www.openwall.com/lists/oss-security/2015/08/11/8
Thanks
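The two halves of this thread, the cursor-movement injection shown in the report and the "only the viewer is at fault" answer in the reply, can both be checked with a small scanner. The block below is an added example and is not code from the bug report, from rsyslog or from the Ubuntu security team. It flags log lines that carry terminal control characters, lists the ESC/CSI/OSC sequences it recognises, and renders each control character as `#` plus three octal digits, the `#ooo` style that rsyslog's documentation describes for escaping on receive (approximated here; the real rsyslog code is not used). The sample log lines are constructed for the example; the second one reproduces the shape of the report's attack, a cursor-up plus erase-line sequence that overwrites an earlier, legitimate line on screen.

```python
import re

# C0 controls other than TAB, plus DEL and the 8-bit C1 range. Terminals act on
# all of these, and none of them has any business inside a single log line.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f\x80-\x9f]")

# The sequences that matter most for log forgery:
#   ESC [ ... final   CSI: cursor movement, erase line/screen, colours
#   ESC ] ... BEL|ST  OSC: window title and similar terminal-state changes
#   0x9B ... final    8-bit CSI, same effect as ESC [ on many terminals
_ESC_SEQ_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"            # CSI
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC, terminated by BEL or ESC \
    r"|\x9b[0-?]*[ -/]*[@-~]"             # 8-bit CSI
)


def has_control_chars(line: str) -> bool:
    """True if the line (trailing newline ignored) contains any control character."""
    return _CONTROL_RE.search(line.rstrip("\r\n")) is not None


def describe_escapes(line: str) -> list:
    """Return the recognised CSI/OSC sequences in the line, in order of appearance."""
    return [m.group(0) for m in _ESC_SEQ_RE.finditer(line)]


def escape_control_chars(line: str, prefix: str = "#") -> str:
    """Render every control character as prefix + three-digit octal, e.g. ESC -> '#033'.

    This mirrors the #ooo notation rsyslog's documentation describes for
    $EscapeControlCharactersOnReceive (assumption: an approximation written for
    this example, not rsyslog's own implementation). The output is safe to cat
    or tail to a terminal because nothing below 0x20 survives.
    """
    return _CONTROL_RE.sub(
        lambda m: "%s%03o" % (prefix, ord(m.group(0))), line.rstrip("\r\n")
    )


def scan_log(lines) -> list:
    """Return (line_number, escaped_line) for every line that carries control characters."""
    return [
        (n, escape_control_chars(line))
        for n, line in enumerate(lines, 1)
        if has_control_chars(line)
    ]


# Constructed sample log, modelled on the report's /var/log/messages excerpt.
SAMPLE_LOG = [
    "Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [\\_GPE._L10]",
    # Forged line (constructed): cursor up two rows, erase to end of line, overwrite,
    # then cursor back down so later output looks normal. Same trick as the (*) line.
    "Aug 23 13:50:39 ghetto saken: \x1b[2A\x1b[KAAAAAAAAAAAAA\x1b[2B",
    # Forged line (constructed): OSC 0 changes the terminal window title, BEL ends it.
    "Aug 23 13:50:40 ghetto saken: \x1b]0;pwned\x07HELLO",
    # Benign line (constructed), 192.0.2.10 is a documentation address.
    "Aug 23 13:50:41 ghetto sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 5555",
]

if __name__ == "__main__":
    for n, safe in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (n, safe))
        print("   sequences: %r" % describe_escapes(SAMPLE_LOG[n - 1]))
```

Running the block prints only lines 2 and 3, each with its escape sequences spelled out as `#033[2A`, `#033[K` and `#033]0;pwned#007`, which is what a viewer such as `less` shows as `ESC[2A` and what `cat -v` shows as `^[[2A`; `cat` and `tail` hand the raw bytes to the terminal, which is exactly the reply's point. The scanner deliberately treats CR and LF inside a line as control characters too, since an embedded newline lets an attacker forge an entire extra log record rather than just repaint one.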