Description
In src/analysisd/cleanevent.c the OS_CleanMSG function performs pattern matching and if applicable, tries to decode syslog messages to populate some lf structure fields according to the syslog data.
ossec-hids/src/analysisd/cleanevent.c
Lines 88 to 169 in abb36d4
When a message contains leading text matching the patterns expected for syslog, and contains a substring like "[ID xx facility.severity]" in the correct location OS_CleanMSG will attempt to remove it by advancing the lf->log pointer beyond the end of the substring:
ossec-hids/src/analysisd/cleanevent.c
Lines 327 to 345 in abb36d4
The code is careful about checking the result from strstr when advancing to the expected closing ], however it makes an assumption that there must be a non-null character following the ] when it subsequently advances the pieces pointer by 2:
ossec-hids/src/analysisd/cleanevent.c
Line 341 in abb36d4
If a message like "Oct 31 00:00:00 0 sshd: [ID 0 auth.notice]" is processed OS_CleanMSG will advance beyond the terminating null byte of lf->log, resulting in a heap overflow when operating on the lf->log pointer subsequently during decoding.
This code was introduced in 8672fa0 on Nov 18, 2006. I believe it affects OSSEC 2.7+.
This is triggerable via an authenticated client through the ossec-remoted. The client needs only write a message to the remote server of any queue type that will match the expected syslog format and authority substring, but end immediately after the ].
I think the best fix is to change the pieces pointer to be incremented by 1 instead of 2, or to update the strstr check for "[ " instead of just "[" (edit: implemented in #1824),.