ISS X-Force Database: klogd-format-string(5259): klogd format string

klogd format string

klogd-format-string (5259)

High Risk

Description:

The kernel logging daemon (klogd) in many Linux distributions is vulnerable to a local root compromise. An attacker can craft a kernel message that contains '%' characters between pairs of '[<' and '>]' symbol markers to gain root access to the system. The daemon passes the message as a format string to syslog, due to a format string flaw in the LogLine function, lines 680 and 707 in klogd.c: Syslog( LOG_INFO, line_buff ).

Platforms Affected:

Debian, Debian Linux
MandrakeSoft, Mandrake Linux
RedHat, Linux
Slackware, Slackware Linux
Trustix, Secure Linux 1.1

Remedy:

For Red Hat Linux 5.2:
Upgrade to the latest version of sysklogd (1.3.31-1.6 or later), as listed in RHSA-2000:061-02. See References.

For Red Hat Linux 6.2:
Upgrade to the latest version of sysklogd (1.3.31-17 or later), as listed in RHSA-2000:061-02. See References.

For Linux-Mandrake 6.0 and 6.1:
Upgrade to the latest version of sysklogd (1.3.31-14mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2000:050 : sysklogd. See References.

For Linux-Mandrake 7.0 and 7.1:
Upgrade to the latest version of sysklogd (1.3.31-15mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2000:050 : sysklogd. See References.

For Debian Linux 2.1:
Upgrade to the latest version of sysklogd (1.3-31 or later), as listed in Debian Security Advisory 20000919. See References.

For Debian Linux 2.2:
Upgrade to the latest version of sysklogd (1.3-33-1 or later), as listed in Debian Security Advisory 20000919. See References.

For Caldera OpenLinux 2.3 and 2.4:
Upgrade to the latest version of sysklogd, as listed in Caldera Systems, Inc. Security Advisory CSSA-2000-032.0. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

BugTraq Mailing List, Sun Sep 17 2000 - 23:13:53 CDT, klogd format bug at http://archives.neohapsis.com/archives/bugtraq/2000-09/0193.html.
Caldera International, Inc. Security Advisory CSSA-2000-032.0, Security problems in syslogd/klogd at ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2000-032.0.txt.
Debian Security Advisory 20000919, sysklogd at http://www.debian.org/security/2000/20000919.
MandrakeSoft Security Advisory MDKSA-2000:050, sysklogd at http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2000:050.
RHSA-2000:061-02, sysklogd at http://rhn.redhat.com/errata/RHSA-2000-061.html.
BID-1694: Multiple Linux Vendor klogd Vulnerability
CVE-2000-0867: Kernel logging daemon (klogd) in Linux does not properly cleanse user-injected format strings, which allows local users to gain root privileges by triggering malformed kernel messages.
OSVDB ID: 5824: klogd Malformed Kernel Message Format String

Reported:

Sep 18, 2000

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page