J-Security Center

Title: Multiple Linux Vendor klogd Vulnerability

Severity: HIGH

Description:

The 'klogd' program is a Linux system daemon that receives messages from the kernel and sends them to 'syslogd' to be recorded in a log file. A format-string vulnerability in 'klogd' allows attackers to gain root access locally and in certain exceptional cases remotely. The problem occurs as a result of passing a buffer containing user input directly to the 'syslog()' function. This occurs on lines 680 and 707 of the file 'klogd.c' in the 'LogLine()' function:

Syslog( LOG_INFO, line_buff );

The notation '[<address>]' is used in kernel message strings to supply kernel addresses that are translated into symbol names by 'klogd'. Although the 'LogLine() 'function escapes instances of the '%' character to avoid format-string problems, this processing does not occur between pairs of '[<' and '>]' delimiters. So, for example, if an attacker can cause the kernel to generate a message containing '[<%s %s %s %s>]', then klogd will crash with a segmentation fault. Exploiting this vulnerability depends on the attacker being able to use a device, module, or system call to generate kernel messages containing arbitrary attacker-specified strings.

Affected Products:

  • Conectiva Linux 4.0.0
  • Conectiva Linux 4.0.0 es
  • Conectiva Linux 4.1.0
  • Conectiva Linux 4.2.0
  • Conectiva Linux 5.0.0
  • Conectiva Linux 5.1.0
  • Corel Linux OS 1.0.0
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • Debian Linux 2.2.0pre potato
  • Debian Linux 2.3.0
  • Debian Linux 2.3.0 alpha
  • Debian Linux 2.3.0 powerpc
  • Debian Linux 2.3.0 sparc
  • MandrakeSoft Linux Mandrake 6.0.0
  • MandrakeSoft Linux Mandrake 6.1.0
  • MandrakeSoft Linux Mandrake 7.0.0
  • MandrakeSoft Linux Mandrake 7.1.0
  • RedHat Linux 5.2.0 alpha
  • RedHat Linux 5.2.0 i386
  • RedHat Linux 5.2.0 sparc
  • RedHat Linux 6.0.0
  • RedHat Linux 6.0.0 alpha
  • RedHat Linux 6.0.0 sparc
  • RedHat Linux 6.1.0 alpha
  • RedHat Linux 6.1.0 i386
  • RedHat Linux 6.1.0 sparc
  • RedHat Linux 6.2.0 E alpha
  • RedHat Linux 6.2.0 E i386
  • RedHat Linux 6.2.0 E sparc
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • S.u.S.E. Linux 6.2.0
  • S.u.S.E. Linux 6.3.0
  • S.u.S.E. Linux 6.3.0 alpha
  • S.u.S.E. Linux 6.3.0 ppc
  • S.u.S.E. Linux 6.4.0
  • S.u.S.E. Linux 6.4.0 alpha
  • S.u.S.E. Linux 6.4.0 ppc
  • S.u.S.E. Linux 7.0.0
  • S.u.S.E. Linux 7.0.0 sparc
  • Slackware Linux 4.0.0
  • Slackware Linux 7.0.0
  • Slackware Linux 7.1.0
  • Trustix Trustix Secure Linux 1.0.0
  • Trustix Trustix Secure Linux 1.1.0
  • Turbolinux Turbolinux 4.4.0
  • Turbolinux Turbolinux 6.0.0
  • Turbolinux Turbolinux 6.0.1
  • Turbolinux Turbolinux 6.0.2
  • Turbolinux Turbolinux 6.0.3
  • Turbolinux Turbolinux 6.0.4
  • WireX Immunix OS 6.2.0

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.