terminal escape sequences injection #1138
Can you please check again with the currently supported version of rsyslog (8.21.0)? As far as I can see, this should have been fixed for quite a while.
After the update to rsyslog 8.21.0 everything was working correctly. Shouldn't it be working for the older version I had though? Thanks!
@saken27 Using the latest version is always recommended, provided there is a repo to get all the packages you may use, and without having new bugs. Also, if I'm not wrong, Fedora 20 EOL is next December...
This risk is there any time you are accepting input from untrusted sources and
then processing it.
Rsyslog has the option to escape control characters in the message, which turns
these (potentially) harmful character sequences into #000 followed by other
stuff.
It's possible that your distro is disabling this escaping by default.
David Lang
It seems to me that it is possible to inject terminal escape sequences into log files via syslog(3).
tail -f /var/log/messages
Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [_GPE._L10](Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI Exception: AE_NOT_FOUND, while evaluating GPE method _L10
$ logger `printf 'HELLO\n\033[2AAAAAAAAAAAAAA\033[2B'`
tail -f /var/log/messages
Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [_GPE._L10](Node ffff88017b0e47d0), AE_NOT_FOUND (20141107/psparse-536)
(*) Aug 23 13:50:33 ghetto kernel: ACPI AAAAAAAAAAAAA_NOT_FOUND, while evaluating GPE method _L10
Aug 23 13:50:39 ghetto saken: HELLO
On the (*) line, the escape sequence changed its contents, meaning that an unprivileged
user can take advantage of this to hide their presence on the system by changing
legitimate logs, modify a window's title, change background and foreground color, etc.
While researching this, I found that rsyslogd has "$EscapeControlCharactersOnReceive"
which claims that it is on by default and that "The intent is to provide a way to stop
non-printable messages from entering the syslog system as whole."
On my system, this does not seem to be true, and I actually went ahead and added
"$EscapeControlCharactersOnReceive on" to the /etc/rsyslog.conf file, restarted rsyslog
and the problem still persists.
I am using rsyslogd 7.4.8
Thanks,
Federico Bento.
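An added example, not part of the original thread or of rsyslog's code: a Python audit helper that finds log lines still carrying raw control bytes and renders them in the `#` plus three-digit octal form that the escaping discussed in this thread produces (ESC becomes `#033`), so a log can be reviewed without the terminal interpreting it. The function names, the regular expression and the sample log bytes are constructed for illustration.

```python
import re

# CSI (ESC [ params final-byte), OSC (ESC ] ... BEL or ESC \), then any bare ESC.
ANSI_SEQ = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)|\x1b"
)


def escape_control_chars(raw: bytes, prefix: bytes = b"#") -> bytes:
    """Replace each control byte with prefix + 3-digit octal (ESC -> #033)."""
    out = bytearray()
    for b in raw:
        if b < 0x20 or b == 0x7F:
            out += prefix + b"%03o" % b
        else:
            out.append(b)
    return bytes(out)


def audit_log(data: bytes):
    """Return (line_no, escape_sequences, safe_rendering) for suspicious lines."""
    findings = []
    for line_no, line in enumerate(data.split(b"\n"), 1):
        safe = escape_control_chars(line)
        if safe != line:  # at least one control byte was stored unescaped
            seqs = [m.group() for m in ANSI_SEQ.finditer(line)]
            findings.append((line_no, seqs, safe.decode("ascii", "replace")))
    return findings


# Constructed sample: what a log file could contain if the message from the
# report above was stored without escaping (cursor up 2, 13 x 'A', cursor down 2).
SAMPLE = (
    b"Aug 23 13:50:33 ghetto kernel: ACPI Exception: AE_NOT_FOUND, "
    b"while evaluating GPE method _L10\n"
    b"Aug 23 13:50:39 ghetto saken: HELLO\n"
    b"\x1b[2A" + b"A" * 13 + b"\x1b[2B\n"
)

if __name__ == "__main__":
    for line_no, seqs, safe in audit_log(SAMPLE):
        print(f"line {line_no}: {len(seqs)} escape sequence(s): {safe}")
```

Reading the file as bytes and printing only the escaped rendering keeps the reviewer's own terminal from acting on the sequences.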