Syslog buffer overflow allows remote execution through network daemons

Syslog buffer overflow allows remote execution through network daemons

Risk Level:	High	Check or Attack Name: smtpsyslog
Platforms:	Sendmail, Ultrix, AIX: 3.2, AIX: 4.1, HPUX: 10.00, HPUX: 10.09, HPUX: 8.x, HPUX: 9.x, IRIX: 3.x, IRIX: 4.x, IRIX: 5.x, IRIX: 6.0.1, IRIX: 6.1, SCO OpenServer, Solaris: 2.3, Solaris: 2.4, SunOS: 4.1.3, HPUX: 10.01, IRIX: 6.0, Solaris: 2.4 x86, OSF: 1.0, SunOS: 4.1.4, SunOS: 4.1.3_U1
Description:	In many older Unix systems, a buffer overflow exists in the syslog shared libraries. A process or attacker that logs user-supplied strings to the system log files could execute arbitrary programs on the target machine as root. The syslog libraries use an internal buffer to build messages that are sent to the syslogd daemon. The subroutines within these libraries do not perform range checking on data stored in this buffer. It is possible to overflow the internal buffer, rewrite the subroutine call stack, and thus execute arbitrary programs. The sendmail program uses the syslog library subroutines. It is therefore possible to exploit this bug from a remote machine and gain root access on a machine running sendmail. This bug affects any sendmail versions prior to v8.8.5.
Remedy:	Contact your vendor for patches for the Syslog buffer overflow bug, or upgrade to the latest version of sendmail. Sendmail is available at http://www.sendmail.org. For specific patch IDs, see the CERT Advisory listed in the References. See the following sites: Newer versions of sendmail are available at http://www.sendmail.org or from ftp://ftp.cs.berkeley.edu/ucb/sendmail. BSDI Patches are available from ftp://ftp.bsdi.com/bsdi/patches. Ultrix and DEC OSF/1 Patches are available at http://www.service.digital.com/html/patch_service.html. HP/UX Patches are available at http://us-support.external.hp.com/. Note: Requires no-cost password to access Patch Database. SCO Patches are available from ftp://ftp.sco.com/Supplements/net100. IRIX Patches are available from ftp://sgigate.sgi.com/Security. Sun patches are available at http://sunsolve.sun.com/sunsolve/pubpatches/patches.html.
References:	CERT Advisory CA-95.13, Syslog Vulnerability - A Workaround for Sendmail, http://www.cert.org/advisories/CA-95.13.syslog.vul.html 8lgm, [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995, http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-22.html Hewlett-Packard Security Bulletin HPSBUX9602-029, Security Vulnerability in HP-UX syslog(3) subroutine, http://us-support.external.hp.com/ Silicon Graphics Inc. Security Advisory 19951001-01-P825, sendmail issues with syslog vulnerability, ftp://sgigate.sgi.com/security/19951001-01-P825

Know Your Risks