==========================================================================
syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE <= Information leak, access
                                           prevention and possible
                                           priviledge escalation

CVE-2011-0343
==========================================================================

1. OVERVIEW

Versions 3.0, 3.1 and 3.2 of syslog-ng Open Source Edition (OSE) and 
versions 3.0, 3.1 and 3.2 of syslog-ng Premium Edition (PE) create log
files 
with all permission bit set by default on FreeBSD and HP-UX
architectures. 
These permissions allow anybody with local access to read and write the
log 
files. The setuid and execution bits are also set, allowing the log
files to be 
executed.

2. BACKGROUND

The syslog-ng application is an enhanced version of the default Syslog
service 
found on FreeBSD and other UNIX and Unix-like operating systems. The
syslog-
ng application supports reliable and encrypted transport using TCP and
TLS, 
SQL support, and offers powerful message filtering, sorting,
pre-processing and 
log normalization capabilities. Utilizing message parsing and
classification, 
syslog-ng is able to correlate log messages both real-time and offline,
making 
it especially suited to implement the artificial ignorance principle. 

3. VULNERABILITY DESCRIPTION

This vulnerability affects only architectures where sizeof(mod_t) is not
equal to sizeof(int). Because of bad casts in the code and the internal 
representation of the ``use the default permission'' setting being -1,
this
number in the chmod call is interpreted as 07777. This means that the
permission 
of the file is readable, writable and executable to all, and the setuid,
setgid, 
and sticky bits are set. Everybody who can see the file can read it,
write it 
and even run it with root permission.

4. VERSIONS AFFECTED

The following table summarizes in which product versions is the
vulnerable code 
present and in which versions has it been corrected.

syslog-ng Open Source Edition (OSE):
Branch  Vulnerable from Fixed in
2.0.X   this branch is not vulnerable
3.0.X   3.0.7           3.0.10
3.1.X   3.1.3           3.1.4
3.2.X   3.2alpha1       3.2.2?

syslog-ng Premium Edition (PE):
Branch  Vulnerable from Fixed in
3.0.X   3.0.6           3.0.6a
3.1.X   this branch is not vulnerable
3.2.X   3.2.0           3.2.1a


5. PROOF-OF-CONCEPT/EXPLOIT

None. But it's easy to imagine.

6. IMPACT

This problem causes that every user can see, modify or destroy the log
messages directly and make it difficult to detect harmful operations.
With a 
small trick even (shell)code execution is possible with root
permissions, 
causing privilege escalation.

7. SOLUTION

Upgrade to a newer, unaffected version.
syslog-ng Open Source Edition (OSE):
3.0.X  3.0.10
3.1.X  3.1.4
3.2.X  3.2.2

syslog-ng Premium Edition (PE):
3.0.X  3.0.6a
3.2.X  3.2.1a

8. VENDOR

BalaBit IT Security Ltd.
http://www.balabit.com
Product page:
http://www.balabit.com/network-security/syslog-ng/

9. CREDIT

This vulnerability was discovered by Steven Chamberlain steven :at: pyro
dot eu dot org

10. DISCLOSURE TIME-LINE

2010-12-31: The problem reported to the debian bug tracking system
2010-12-31: notified vendor by the debian maintainer
2011-01-01: upstream proposed a fix
2011-01-02: freebsd port maintainer notified
2011-01-07: every linux port notified
2011-01-10: PE version 3.0.6a and 3.2.1a released
2011-01-14: OSE version 3.0.10 and 3.1.4 released
2011-01-16: OSE version 3.2.2 released

11. VENDOR RESPONSE

12. REFERENCES

Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608491
Debian security track:
http://security-tracker.debian.org/tracker/CVE-2011-0343
upstream patch:
http://git.balabit.hu/?p=bazsi/syslog-ng-3.0.git;a=commit;h=17531d911d544687fb9c5bd3b130dd5bf7903db0
upstream patch:
http://git.balabit.hu/?p=bazsi/syslog-ng-3.1.git;a=commit;h=cbcea8c95c3f07ed9eaa4d12f124db8f8ca2f74b
upstream patch:
http://git.balabit.hu/?p=bazsi/syslog-ng-3.2.git;a=commit;h=96af7607873e126ecee0eb51a5fff46a920c5630
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000103.html
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000104.html
upstream announcement:
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000105.html
freebsd port:
http://www.freshports.org/commit.php?category=sysutils&port=syslog-ng3&files=yes&message_id=201101041550.p04Fov6n028317@repoman.freebsd.org

-- 
SZALAY Attila
Support (L3) Team Leader

e-mail: attila.szalay@balabit.com

BalaBit IT Security
www.balabit.com
H-1115 Bártfai str. 54. Budapest

This Communication is Confidential. We only send and receive email on
the basis of the terms set out at http://www.balabit.com/disclaimer/.