In src/analysisd/cleanevent.c the ossec-analysisd's OS_CleanMSG function handles the location portion of a message differently when the first character after a 2 digit ID is (, indicating it came from a remote agent via ossec-remoted.
When remote agent locations are processed OS_CleanMSG tries to null terminate the received location substring of the overall log message to store in lf->location by advancing past the -> in the string to the first : character:
Unfortunately the nesting of strstr as the first argument to strchr on L48 doesn't account for the possibility of a location string that starts with ( but doesn't contain a ->.
E.g. processing the msg 00:(: will result in the strstr returning NULL, meaning the strchr call will be strchr(NULL, ":") and a segfault will occur.
This code was introduced in 95cd0c9 on Nov 13, 2013. I believe it affects OSSEC 2.7+.
It seems that in all cases ossec-remoted will always write a well-formed location into the message it writes to the ossec UNIX domain socket queue because it uses SendMSG and populates the locmsg unconditionally:
I believe that means the only way this is triggerable is with direct write access to the socket, and probably makes the exploitability very low.
One possible fix (edit: implemented in #1823) is to separate the strstr and return an error when it returns NULL before performing the subsequent strchr with the result pointer.
The text was updated successfully, but these errors were encountered:
In
src/analysisd/cleanevent.ctheossec-analysisd'sOS_CleanMSGfunction handles the location portion of a message differently when the first character after a 2 digit ID is(, indicating it came from a remote agent viaossec-remoted.When remote agent locations are processed
OS_CleanMSGtries to null terminate the received location substring of the overall log message to store inlf->locationby advancing past the->in the string to the first:character:ossec-hids/src/analysisd/cleanevent.c
Lines 45 to 59 in abb36d4
Unfortunately the nesting of
strstras the first argument tostrchron L48 doesn't account for the possibility of a location string that starts with(but doesn't contain a->.E.g. processing the msg
00:(:will result in thestrstrreturning NULL, meaning thestrchrcall will bestrchr(NULL, ":")and a segfault will occur.This code was introduced in 95cd0c9 on Nov 13, 2013. I believe it affects OSSEC 2.7+.
It seems that in all cases
ossec-remotedwill always write a well-formed location into the message it writes to theossecUNIX domain socket queue because it usesSendMSGand populates thelocmsgunconditionally:ossec-hids/src/remoted/secure.c
Lines 187 to 190 in abb36d4
ossec-hids/src/shared/mq_op.c
Line 85 in abb36d4
I believe that means the only way this is triggerable is with direct write access to the socket, and probably makes the exploitability very low.
One possible fix (edit: implemented in #1823) is to separate the
strstrand return an error when it returnsNULLbefore performing the subsequentstrchrwith the result pointer.The text was updated successfully, but these errors were encountered: