CAPEC-67 - String Format Overflow in syslog()

This attack targets format string vulnerabilities in the syslog() function. The attacker injects input that ends up being used as the format string parameter of the syslog() call, so conversion directives in that input (such as %x, %s or %n) are interpreted rather than logged. This is a common problem, and many public vulnerabilities and associated exploits have been posted.

  • Attack Methods (1): Injection
  • Purposes (2): Penetration, Exploitation
  • Security Principles (1): Reluctance to Trust
  • Scopes (4):
    • Execute unauthorized code or commands (Availability, Integrity, Confidentiality)
    • DoS: crash / exit / restart (Availability)
    • Gain privileges / assume identity (Authorization, Access Control, Confidentiality)
    • Modify memory (Integrity)

The format string argument of the syslog() call can be tainted with user-supplied data.

If the source code of the application is available, an attacker can use static analysis tools to spot a syslog() vulnerability (a simple grep for syslog() calls whose format argument is not a string literal may also work).

If the source code is not available, automated tools such as fuzzers and web application scanners can be used. If the tool-supplied data reaches the format string argument of syslog(), the application under scrutiny may behave unexpectedly, for example crashing or emitting log entries containing stack contents when the input includes directives such as %s or %x.

If the source code is not available, a more complex technique involves using a library and system call tracer combined with a binary auditing tool such as IDA Pro. Reverse engineering techniques can be used to find format string vulnerabilities in the syslog() function call. For instance, it is possible to get the address of the buffer that is later used as the format string when the program reads data.

Verify that input is of a limited size.

If the message is coming from an outside source, check it for %s-type conversion directives and ensure that the formatted output cannot exceed the bounds of its buffer.

Don't use text from an outside source as a format string.

Step 1 -

The attacker finds that he can inject data into the format string parameter of syslog().


Step 2 -

The attacker crafts a malicious input and injects it into the format string parameter. From this point on, the attacker can execute arbitrary code and do further damage.


Choose a language which is not subject to this flaw.

Do not use syslog() in your implementation.

Use manual or automated code review to spot potential format string vulnerabilities in functions such as syslog(), vsyslog(), snprintf(), etc.

The code should be reviewed for misuse of the syslog() function call. Manual or automated code review can be used. The reviewer needs to ensure that every format string function is passed a static (literal) format string which cannot be controlled by the user, and that the proper number of arguments is always passed to that function as well. If at all possible, do not use the %n conversion in format strings. The following code shows a correct usage of syslog():
The following code shows a vulnerable usage of syslog():
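The two call patterns side by side, as an added example written for this page (it is not the page's own listing or any project's code): log_vulnerable() passes outside text as the format argument, log_safe() passes the same text as a %s argument so it is logged literally, and count_format_directives() is a hypothetical helper implementing the review check above (count the conversion directives in outside data, ignoring an escaped %%). The probe strings are constructed attacker inputs of the kind used in the Explore step; the ident "capec67-demo" is arbitrary.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/*
 * Vulnerable pattern: attacker-controlled text becomes the format string.
 * Directives such as %x and %s in `untrusted` make syslog() read arguments
 * that were never passed (stack contents), and %n writes to memory.
 * Shown for comparison only; nothing below calls it.
 */
void log_vulnerable(const char *untrusted)
{
    syslog(LOG_ERR, untrusted);
}

/* Corrected pattern: the format is a literal, the user data is an argument. */
void log_safe(const char *untrusted)
{
    syslog(LOG_ERR, "%s", untrusted);
}

/*
 * Hypothetical review-time check: count the conversion directives that
 * outside data could smuggle into a format string. "%%" is a literal
 * percent sign and is not counted.
 */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/*
 * Render a log line the way log_safe() does, into a caller buffer so the
 * result can be inspected: every byte of `untrusted` is copied literally.
 * Returns snprintf()'s result (length the full line would have).
 */
int render_safe(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "request from client: %s", untrusted);
}

int main(void)
{
    /* Constructed probes: a benign request and typical format string tests. */
    const char *probes[] = {
        "GET /index.html", "%x.%x.%x.%x", "%s%s%s%s", "%n", "100%% complete"
    };
    char line[256];

    openlog("capec67-demo", LOG_PID, LOG_USER);
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int d = count_format_directives(probes[i]);
        render_safe(line, sizeof line, probes[i]);
        printf("%-18s directives=%d  logged as: %s\n", probes[i], d, line);
        log_safe(probes[i]);   /* the directives reach syslog as plain text */
    }
    closelog();
    return 0;
}
```

Compiling with `gcc -Wall -Wformat=2` flags log_vulnerable() with "format not a string literal and no format arguments", which is the warning to grep for in build output when auditing for this pattern; log_safe() produces no warning because its format is a literal.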