[Bug 1618229] [NEW] rsyslogd terminal escape sequences injection

Launchpad Bug Tracker 1618229 at bugs.launchpad.net
Mon Aug 29 22:07:58 UTC 2016


*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

Hi,

It seems to me that it is possible to inject terminal escape sequences into log files via syslog(3).

# tail -f /var/log/messages

Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [\_GPE._L10] 
(Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI Exception: AE_NOT_FOUND, while evaluating GPE 
method [_L10] (20141107/evgpe-581)

$ logger `printf 'HELLO\n\033[2AAAAAAAAAAAAAA\033[2B'`

# tail -f /var/log/messages

Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [\_GPE._L10] 
(Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI AAAAAAAAAAAAA_NOT_FOUND, while evaluating GPE 
method [_L10] (20141107/evgpe-581)
Aug 23 13:50:39 ghetto saken: HELLO


On the (*) line, the escape sequence changed its contents, meaning that an unprivileged 
user can take advantage of this to hide their presence on the system by changing 
legitimate logs, modify a window's title, change background and foreground color, etc.


While researching this, I found that rsyslogd has "$EscapeControlCharactersOnReceive", 
which claims that it is on by default and that "The intent is to provide a way to stop 
non-printable messages from entering the syslog system as whole."

On my system, this does not seem to be true, and I actually went ahead and added 
"$EscapeControlCharactersOnReceive on" to the /etc/rsyslog.conf file, restarted rsyslog 
and the problem still persists.

I am using rsyslogd 7.4.8.

Thanks,
Federico Bento.

** Affects: rsyslog (Ubuntu)
     Importance: Undecided
         Status: New

-- 
rsyslogd terminal escape sequences injection
https://bugs.launchpad.net/bugs/1618229
You received this bug notification because you are a member of Ubuntu Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
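
An added example, not part of the original report and not rsyslog code: a log-review filter that flags lines carrying terminal control bytes and renders them inert before display, assuming the escape bytes are stored raw in the file as the report describes. The function names, the `#ooo` octal rendering and the sample lines are choices made for this example.

```python
import re

# CSI: ESC [ params(0x30-0x3F) intermediates(0x20-0x2F) final(0x40-0x7E)
# OSC: ESC ] ... terminated by BEL or ESC \ (used, for instance, to set a window title)
ANSI_SEQ = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
# Any C0 control except TAB, plus DEL and the 8-bit C1 range.
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")

def classify(seq):
    """Name the kind of sequence so a reviewer can triage the hit."""
    if seq.startswith("\x1b]"):
        return "OSC (e.g. window title)"
    final = seq[-1]
    if final in "ABCDEFGHf":
        return "CSI cursor movement"
    if final == "m":
        return "CSI colour/attribute"
    return "CSI other"

def neutralize(line):
    """Show each control byte as #ooo (octal) so the terminal never acts on it."""
    return CONTROL.sub(lambda m: "#%03o" % ord(m.group()), line)

def scan(lines):
    """Return (line_number, [sequence kinds], display-safe text) per suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        body = line.rstrip("\n")
        if CONTROL.search(body):
            kinds = [classify(s) for s in ANSI_SEQ.findall(body)]
            hits.append((n, kinds, neutralize(body)))
    return hits

# Constructed sample input: host and tag follow the report; the payloads are
# shortened stand-ins written for this example, not captured data.
SAMPLE = [
    "Aug 23 13:50:33 ghetto kernel: ACPI Exception: AE_NOT_FOUND, while evaluating GPE method [_L10] (20141107/evgpe-581)\n",
    "Aug 23 13:50:39 ghetto saken: HELLO \x1b[2AAAAA\x1b[2B\n",
    "Aug 23 13:51:02 ghetto saken: \x1b]0;title\x07\x1b[31mred\x1b[0m\n",
]

if __name__ == "__main__":
    for n, kinds, safe in scan(SAMPLE):
        print(f"line {n}: {', '.join(kinds) or 'raw control bytes'}\n  {safe}")
```

Reading logs through a filter like this, or with `cat -v`, shows stored sequences as text instead of letting the terminal interpret them.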
