CAPEC-67: String Format Overflow in syslog() (CAPEC Version 2.6)

Attack Pattern ID: 67
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Summary

This attack targets format string vulnerabilities in the syslog() function. An attacker typically injects malicious input into the format string parameter of syslog(). This is a common problem, and many public vulnerabilities and associated exploits have been posted.

+ Attack Execution Flow
Explore
  1. The attacker finds that data they control reaches the format string parameter of syslog().

Exploit
  1. The attacker crafts a malicious input and injects it into the format string parameter. From this point on, the attacker can execute arbitrary code and do further damage.

+ Attack Prerequisites
  • The format string argument of the syslog() function can be tainted with user-supplied data.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

Format string vulnerability in TraceEvent function for ntop before 2.1 allows remote attackers to execute arbitrary code by causing format strings to be injected into calls to the syslog function, via (1) an HTTP GET request, (2) a user name in HTTP authentication, or (3) a password in HTTP authentication.

+ Probing Techniques

If the source code of the application is available, an attacker can use static analysis tools to spot a syslog() call whose format argument is not a literal (a simple grep for syslog( may also work).

If the source code is not available, automated tools such as fuzzers and web application scanners can be used. If tool-supplied data containing format directives (for example %x, %s or %n) reaches the format string argument of syslog(), the application under scrutiny may crash or otherwise behave unexpectedly.

If the source code is not available, a more complex technique involves combining a library and system call tracer with a binary auditing tool such as IDA Pro. Reverse engineering can be used to find format string vulnerabilities in syslog() calls. For instance, it is possible to get the address of the buffer that is later used as the format string when reading data.

+ Solutions and Mitigations

The code should be reviewed for misuse of the syslog() function call. Manual or automated code review can be used. The reviewer needs to ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments is always passed to the function as well. If at all possible, do not use the %n conversion specifier in format strings. The following code shows a correct usage of syslog():

(Good Code)
 
syslog(LOG_ERR, "%s", cmdBuf);

The following code shows a vulnerable usage of Syslog():

(Bad Code)
 
syslog(LOG_ERR, cmdBuf);
// the buffer cmdBuf holds user-supplied data.

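
The static check from Probing Techniques and the Good Code / Bad Code distinction above, worked through in C. This is an added example, not code from CAPEC or from any product the entry describes: the source-line checker, the directive counter, the constructed source lines and the probe string are illustrations, and the checker assumes the priority argument contains no comma (true for LOG_ERR, LOG_ERR | LOG_USER and the like). The %n demonstration writes through a pointer the program itself supplies, which is exactly the step an attacker performs with a stack value when the format is theirs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Static probe: flag syslog() calls whose format argument is not a literal.
 * Returns  1 if the second argument begins with a string literal,
 *          0 if it does not (a candidate format string bug),
 *         -1 if the line contains no syslog( call.
 * Assumption (illustrative checker): the priority argument has no comma,
 * so syslog(f(a,b), fmt) would need a real parser. */
int syslog_format_is_literal(const char *line)
{
    const char *call = strstr(line, "syslog(");
    if (call == NULL)
        return -1;
    const char *fmt = strchr(call, ',');   /* skip the priority argument */
    if (fmt == NULL)
        return 0;
    fmt++;
    while (*fmt != '\0' && isspace((unsigned char)*fmt))
        fmt++;
    return *fmt == '"' ? 1 : 0;
}

/* Dynamic probe: count printf directives in data headed for a format
 * argument. "%%" is a literal percent sign, not a directive. */
int count_conversions(const char *s, int *has_percent_n)
{
    int count = 0;
    if (has_percent_n != NULL)
        *has_percent_n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {                 /* escaped percent */
            s++;
            continue;
        }
        count++;
        /* step over flags, width, precision and length modifiers */
        const char *q = s + 1;
        while (*q != '\0' && strchr("-+ #0123456789.*hlLqjzt$", *q) != NULL)
            q++;
        if (*q == 'n' && has_percent_n != NULL)
            *has_percent_n = 1;
        if (*q == '\0')
            break;
        s = q;                             /* loop increment passes the conversion */
    }
    return count;
}

int contains_percent_n(const char *s)
{
    int flag;
    count_conversions(s, &flag);
    return flag;
}

/* Why %n is singled out: it prints nothing and instead WRITES the number
 * of bytes emitted so far through the matching pointer argument. Here the
 * pointer is ours; with an attacker-controlled format string the "pointer"
 * is whatever value happens to sit on the stack at that position. */
int percent_n_writes(void)
{
    char out[32];
    int written = -1;
    snprintf(out, sizeof out, "%08x%n", 0xdeadbeefu, &written);
    return written;                        /* 8: "deadbeef" is eight characters */
}

/* Hardened logging: untrusted text only ever travels as a %s argument,
 * i.e. the Good Code pattern wrapped once so it is hard to get wrong. */
void log_untrusted(int priority, const char *untrusted)
{
    syslog(priority, "%s", untrusted);
}

int main(void)
{
    /* Constructed source lines standing in for grep output */
    const char *lines[] = {
        "    syslog(LOG_ERR, \"%s\", cmdBuf);",     /* good */
        "    syslog(LOG_ERR, cmdBuf);",             /* bad  */
        "    syslog(LOG_WARNING | LOG_USER, msg);", /* bad  */
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-45s -> %s\n", lines[i],
               syslog_format_is_literal(lines[i]) == 1 ? "literal format"
                                                       : "NON-LITERAL FORMAT");

    /* Constructed attacker input: the classic stack-read probe plus %n */
    const char *probe = "AAAA%08x.%08x.%08x.%n";
    printf("\"%s\" carries %d directives, %%n present: %d\n", probe,
           count_conversions(probe, NULL), contains_percent_n(probe));
    printf("%%n wrote %d into a local variable\n", percent_n_writes());

    openlog("capec67", LOG_PID, LOG_USER);
    log_untrusted(LOG_ERR, probe);         /* logged verbatim, never interpreted */
    closelog();
    return 0;
}
```

The checker is deliberately line-oriented so it can be run over the output of grep; a non-literal second argument is not automatically a bug (the variable may hold a constant), but every such hit has to be traced back to its source before it can be dismissed.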
+ Attack Motivation-Consequences
Scope                                            Technical Impact                        Note
Confidentiality, Integrity, Availability         Execute unauthorized code or commands   Run Arbitrary Code
Availability                                     DoS: crash / exit / restart
Confidentiality, Access Control, Authorization   Gain privileges / assume identity
Integrity                                        Modify memory
+ Injection Vector

Untrusted user supplied data is the injection vector.

+ Payload

Maliciously crafted data passed to syslog() as the format string can read values off the stack (for example with %x or %s directives) and, with %n, write to memory.

+ Activation Zone

The signature of the syslog function is as following:

void syslog(int priority, const char *format, ...);

A vulnerable usage would be:

(Bad Code)
 
syslog(LOG_ERR, cmdBuf);

where cmdBuf holds user-controlled data, which leads to a format string vulnerability. The activation zone is the format string argument, which here accepts user-supplied data.

+ Payload Activation Impact

The impact of this attack can be execution of arbitrary code, which in turn can lead to corruption of data, unauthorized access, and so on.

+ Relevant Security Requirements

Choose a language which is not subject to this flaw.

Do not use syslog() in your implementation.

Use manual or automated code review to spot potential format string vulnerabilities in functions such as syslog(), vsyslog(), snprintf(), etc.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
C
C++
+ Content History
Submissions
Submitter            Organization            Date         Source
CAPEC Content Team   The MITRE Corporation   2014-06-23   Internal_CAPEC_Team

Page Last Updated: December 04, 2014