terminal escape sequences injection #1138

Closed
saken27 opened this issue Sep 7, 2016 · 5 comments
@saken27

saken27 commented Sep 7, 2016

It seems to me that it is possible to inject terminal escape sequences into log files via syslog(3).

tail -f /var/log/messages

Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [_GPE._L10](Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI Exception: AE_NOT_FOUND, while evaluating GPE
method _L10

$ logger `printf 'HELLO\n\033[2AAAAAAAAAAAAAA\033[2B'`

tail -f /var/log/messages

Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [_GPE._L10](Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI AAAAAAAAAAAAA_NOT_FOUND, while evaluating GPE
method _L10
Aug 23 13:50:39 ghetto saken: HELLO

On the (*) line, the escape sequence changed its contents, meaning that an unprivileged
user can take advantage of this to hide their presence on the system by changing
legitimate logs, modify a window's title, change background and foreground color, etc.

While researching this, I found that rsyslogd has "$EscapeControlCharactersOnReceive"
which claims that it is on by default and that "The intent is to provide a way to stop
non-printable messages from entering the syslog system as whole."

On my system, this does not seem to be true, and I actually went ahead and added
"$EscapeControlCharactersOnReceive on" to the /etc/rsyslog.conf file, restarted rsyslog
and the problem still persists.

I am using rsyslogd 7.4.8

Thanks,
Federico Bento.
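
An added example, not part of the original report and not rsyslog's code: a log audit that flags records carrying raw control characters, names the CSI sequences found, and returns a rendering that is safe to print to a terminal. The function names, the `#` plus three-digit octal rendering and the sample records are this example's own assumptions; the sample is constructed from the lines quoted above.

```python
import re

# CSI sequence per ECMA-48: ESC [ parameter bytes, intermediate bytes, final byte.
CSI = re.compile(r"\x1b\[([0-?]*)[ -/]*([@-~])")
# C0 control characters (tab excluded) plus DEL.
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# A few final bytes worth naming in a report (not exhaustive).
CSI_NAMES = {"A": "cursor up", "B": "cursor down", "H": "cursor position",
             "J": "erase display", "K": "erase line", "m": "set colour/attributes"}


def escape_controls(text, prefix="#"):
    """Replace each control character with prefix + 3-digit octal (ESC -> #033)."""
    return CONTROL.sub(lambda m: "%s%03o" % (prefix, ord(m.group())), text)


def scan(lines):
    """Return (line_number, described_sequences, safe_rendering) per suspicious record."""
    findings = []
    for number, line in enumerate(lines, start=1):
        body = line.rstrip("\n")  # the trailing record separator is expected
        if not CONTROL.search(body):
            continue
        seqs = ["%s (ESC[%s%s)" % (CSI_NAMES.get(final, "other CSI"), params, final)
                for params, final in CSI.findall(body)]
        findings.append((number, seqs, escape_controls(body)))
    return findings


# Constructed sample: two ordinary records, then one carrying the
# cursor-up / cursor-down sequences from the report.
SAMPLE = [
    "Aug 23 13:50:33 ghetto kernel: ACPI Exception: AE_NOT_FOUND, while evaluating GPE\n",
    "Aug 23 13:50:39 ghetto saken: HELLO\n",
    "\x1b[2A" + "A" * 13 + "\x1b[2B\n",
]

if __name__ == "__main__":
    for number, seqs, safe in scan(SAMPLE):
        print("line %d: %s" % (number, ", ".join(seqs) or "raw control bytes"))
        print("  " + safe)
```

Reading the file through `scan()` (or any viewer that escapes control bytes) shows what is actually stored, rather than what the terminal draws after interpreting it.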

@rgerhards rgerhards self-assigned this Sep 8, 2016
@rgerhards
Member

Can you please check again with the currently supported version of rsyslog (8.21.0)? As far as I can see, this should have been fixed for quite a while.

@saken27
Author

saken27 commented Sep 8, 2016

After the update to rsyslog 8.21.0 everything was working correctly.

Shouldn't it be working for the older version I had though?
Pretty sure it's the default version of Fedora 20, at least.

Thanks!

@mostolog
Contributor

@saken27 Using the latest version is always recommended, provided a repo to get all packages you may use, and without having new bugs.

Also, if I'm not wrong, Fedora 20 EOL is next December...

@davidelang
Contributor

davidelang commented Oct 27, 2016 via email

@lock

lock bot commented Dec 27, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Dec 27, 2019