Hi,

On Wed, Nov 12, 2014 at 4:38 PM, Garrett D'Amore <[email protected]> wrote:
> You’ll note that the second line lacks tags which help identify a new log
> record. OWASP makes some good observations, and a casual observer might make
> incorrect assumptions.

A knowledgeable attacker can fake those. The points at OWASP are still
valid. Note that system administrators often leak this information when
they post logs online, or in mailing lists.

> Admittedly, I don’t view syslog as a particularly secure thing (it isn’t!),
> and relying on it for very much is rather risky IMO. You can make it more
> reliable by using a dedicated log host that doesn’t do anything else, and
> that is very tightly locked down, but even that can be subject to log
> injection attacks.

Since I was explicitly testing rsyslog for injection vectors, I tried ours
too. My point is that applications that need to be secure against log
injections have to sanitize the log output before passing it on to the
illumos syslog; unlike with rsyslog (maybe). That's all.

> I think rsyslog, syslog-ng, and so forth have encryption capabilities which
> may make it harder to perform log injection attacks against the log host,
> unless the attacker is able to cause a trusted machine to generate log
> entries — but that’s often not very hard.

Encryption is irrelevant to the kind of injections talked about at OWASP.

Anyway, as final words and just to repeat myself, people who need secure
logging need to implement that security in the application and cannot rely
on the illumos syslog to help at all. My notice was never about changing
syslog.

>> On Nov 12, 2014, at 5:57 AM, Johann 'Myrkraverk' Oskarsson via
>> illumos-discuss <[email protected]> wrote:
>>
>> Hi all,
>>
>> First, about log injection:
>>
>> https://www.owasp.org/index.php/Log_injection
>>
>> I do not know about a better reference for it.
>>
>> My current system is OI 151a8.
>>
>> When I do
>>
>> syslog( LOG_DEBUG, "Hello\nworld" );
>>
>> in perl (and I assume C is the same), I get
>>
>> Nov 12 13:31:56 asuka logtest[14973]: [ID 702911 user.debug] Hello
>> Nov 12 13:31:56 asuka world
>>
>> in my log file. Which is exactly the kind of vulnerability OWASP is
>> talking about.
>>
>> I have not tried other control characters, yet.
>>
>> For the record, Ubuntu's rsyslog encodes control characters with #
>> escaped octal numbers, like #007.
>>
>> I have personally no opinion if this behaviour should change, it's a
>> simple heads up about a documented vulnerability at OWASP.

-- 
Johann
I'm not from the internet, I just work there.

-------------------------------------------
illumos-discuss Archives: https://www.listbox.com/member/archive/182180/=now
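The application-side sanitizing the reply says is needed before a string reaches the illumos syslog, shown as an added example; it is not part of the thread and not illumos or rsyslog code. The function names, the 1024-byte buffer and the sample inputs are assumptions of this example; only the `#ooo` octal shape (`#007`, and `#012` for the newline from the original post) mirrors what the post reports seeing from Ubuntu's rsyslog.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/*
 * Encode every ASCII control character (0x01-0x1f) and DEL (0x7f) as '#'
 * followed by its three-digit octal value, so "Hello\nworld" becomes
 * "Hello#012world" and stays one log record. NUL cannot occur inside a C
 * string and so never needs encoding. Bytes >= 0x80 pass through, so
 * UTF-8 text survives. A literal '#' is deliberately not escaped: an
 * attacker writing "#012" by hand still cannot start a new record.
 *
 * Writes at most outlen-1 bytes plus a terminating NUL into out and stops
 * at the first byte that does not fit, so a truncated result is always a
 * clean prefix. Returns the length the full encoding needs (without the
 * NUL), like snprintf(), so the caller can detect truncation.
 */
size_t
sanitize_log_message(const char *in, char *out, size_t outlen)
{
	size_t need = 0;
	size_t pos = 0;
	int truncated = (outlen == 0);
	const unsigned char *p = (const unsigned char *)in;

	for (; *p != '\0'; p++) {
		char buf[5];
		size_t n;

		if (*p < 0x20 || *p == 0x7f) {
			n = (size_t)snprintf(buf, sizeof buf, "#%03o", *p);
		} else {
			buf[0] = (char)*p;
			n = 1;
		}
		need += n;
		if (!truncated && pos + n < outlen) {
			memcpy(out + pos, buf, n);
			pos += n;
		} else {
			truncated = 1;
		}
	}
	if (outlen > 0)
		out[pos] = '\0';
	return need;
}

/*
 * Log an attacker-influenced string: sanitize first, then hand syslog(3C)
 * a fixed format string. Passing `user` itself as the format argument
 * would be a separate format-string bug, so the "%s" is not optional.
 * (Hypothetical wrapper; the buffer size is an assumption.)
 */
void
log_user_input(const char *user)
{
	char clean[1024];

	if (sanitize_log_message(user, clean, sizeof clean) >= sizeof clean)
		syslog(LOG_WARNING, "log message truncated after sanitizing");
	syslog(LOG_DEBUG, "%s", clean);
}
```

Call `log_user_input("Hello\nworld")` where the original post called `syslog(LOG_DEBUG, "Hello\nworld")` and the log file shows a single `Hello#012world` line instead of the two records quoted above. Because the escaping happens in the application, it works regardless of whether the syslog on the host encodes control characters itself.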
