syslog-ng wrong file permission vulnerability

2011-01-2600:00:00

vulners.com

==========================================================================
syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE <= Information leak, access
prevention and possible
priviledge escalation

CVE-2011-0343

OVERVIEW

Versions 3.0, 3.1 and 3.2 of syslog-ng Open Source Edition (OSE) and
versions 3.0, 3.1 and 3.2 of syslog-ng Premium Edition (PE) create log
files
with all permission bit set by default on FreeBSD and HP-UX
architectures.
These permissions allow anybody with local access to read and write the
log
files. The setuid and execution bits are also set, allowing the log
files to be
executed.

BACKGROUND

The syslog-ng application is an enhanced version of the default Syslog
service
found on FreeBSD and other UNIX and Unix-like operating systems. The
syslog-
ng application supports reliable and encrypted transport using TCP and
TLS,
SQL support, and offers powerful message filtering, sorting,
pre-processing and
log normalization capabilities. Utilizing message parsing and
classification,
syslog-ng is able to correlate log messages both real-time and offline,
making
it especially suited to implement the artificial ignorance principle.

VULNERABILITY DESCRIPTION

This vulnerability affects only architectures where sizeof(mod_t) is not
equal to sizeof(int). Because of bad casts in the code and the internal
representation of the ``use the default permission'' setting being -1,
this
number in the chmod call is interpreted as 07777. This means that the
permission
of the file is readable, writable and executable to all, and the setuid,
setgid,
and sticky bits are set. Everybody who can see the file can read it,
write it
and even run it with root permission.

VERSIONS AFFECTED

The following table summarizes in which product versions is the
vulnerable code
present and in which versions has it been corrected.

syslog-ng Open Source Edition (OSE):
Branch Vulnerable from Fixed in
2.0.X this branch is not vulnerable
3.0.X 3.0.7 3.0.10
3.1.X 3.1.3 3.1.4
3.2.X 3.2alpha1 3.2.2?

syslog-ng Premium Edition (PE):
Branch Vulnerable from Fixed in
3.0.X 3.0.6 3.0.6a
3.1.X this branch is not vulnerable
3.2.X 3.2.0 3.2.1a

PROOF-OF-CONCEPT/EXPLOIT

None. But it's easy to imagine.

IMPACT

This problem causes that every user can see, modify or destroy the log
messages directly and make it difficult to detect harmful operations.
With a
small trick even (shell)code execution is possible with root
permissions,
causing privilege escalation.

SOLUTION

Upgrade to a newer, unaffected version.
syslog-ng Open Source Edition (OSE):
3.0.X 3.0.10
3.1.X 3.1.4
3.2.X 3.2.2

syslog-ng Premium Edition (PE):
3.0.X 3.0.6a
3.2.X 3.2.1a

VENDOR

BalaBit IT Security Ltd.
http://www.balabit.com
Product page:
http://www.balabit.com/network-security/syslog-ng/

CREDIT

This vulnerability was discovered by Steven Chamberlain steven :at: pyro
dot eu dot org

DISCLOSURE TIME-LINE

2010-12-31: The problem reported to the debian bug tracking system
2010-12-31: notified vendor by the debian maintainer
2011-01-01: upstream proposed a fix
2011-01-02: freebsd port maintainer notified
2011-01-07: every linux port notified
2011-01-10: PE version 3.0.6a and 3.2.1a released
2011-01-14: OSE version 3.0.10 and 3.1.4 released
2011-01-16: OSE version 3.2.2 released