syslog-ng buffer overflow

by Nikola Strahija on October 10th, 2002

Syslog-NG is a portable syslog implementation. Its highlights include regexp based log selection, TCP transport and more. For more information:

Zorp OS is a Debian GNU/Linux based operating system hardened for running
the Zorp Professional modular application level firewall suite. Its core
framework allows the administrator to fine-tune proxy decisions (with its
built-in script language), and fully analyze complex protocols including
SSL-embedded protocols.
For more information:


To make it easier to specify message destinations, syslog-ng supports
macros in destination filenames, as the following configuration snippet shows:

destination d_messages_by_host {

The same syntax is used when specifying the contents of destination files:

destination d_special_messages {
    file("/var/log/messages" template("$ISODATE $HOST $MSG\n"));
};

The problem lies in the way macro expansion handles constant characters
(i.e. everything other than macro references). As syslog-ng expands macros
it uses a buffer and a variable called 'left', which contains the number of
characters still available in the buffer. When a constant character is
appended, this variable is not decremented, so the bounds checking performed
when macros are expanded works from a value that is too large.


If templated filenames or templated output is used, it is possible to
overflow a buffer. The number of bytes exceeding the allocated buffer
depends on the exact template being used.

It is believed that this overflow can be exploited, given enough constant
characters are present in the template string.
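The accounting error and the template-dependent overrun described above, as an added example: a simplified counting model written for this page, not syslog-ng's code. The function name `overrun`, the `patched` flag, the 16-byte buffer size and the host value are assumptions of the example, and no out-of-bounds write is actually performed.

```c
#include <stdio.h>
#include <string.h>

/* Model (not syslog-ng code) of expanding `tmpl` into a buffer of `size`
 * bytes; $HOST is the only macro handled. Nothing is written: it counts
 * `used` (bytes the expansion would store) against `left` (bytes the code
 * believes are free) and returns how far past the buffer the stores reach.
 * patched == 0: constants never touch `left`, as the advisory describes.
 * patched != 0: one byte is reserved for the NUL and constants are counted;
 * stopping once `left` hits 0 is this example's assumption. */
static size_t overrun(const char *tmpl, const char *host, size_t size, int patched)
{
    size_t used = 0, hlen = strlen(host);
    size_t left = patched ? size - 1 : size;

    for (size_t i = 0; tmpl[i] != '\0'; ) {
        if (strncmp(tmpl + i, "$HOST", 5) == 0) {
            size_t n = hlen < left ? hlen : left;  /* bound check uses `left` */
            used += n;
            left -= n;
            i += 5;
        } else {
            if (patched) {
                if (left == 0)
                    break;
                left--;                            /* the added accounting */
            }
            used++;                                /* constant byte stored */
            i++;
        }
    }
    used++;                                        /* terminating NUL */
    return used > size ? used - size : 0;
}

int main(void)
{
    const char *host = "AAAAAAAAAAAAAAAAAAAA";     /* constructed 20-byte value */
    const char *t[] = { "$HOST", "host=$HOST", "host=$HOST end" };

    for (size_t k = 0; k < 3; k++)
        printf("%-16s unpatched=%zu patched=%zu\n", t[k],
               overrun(t[k], host, 16, 0), overrun(t[k], host, 16, 1));
    return 0;
}
```

In this model the unpatched overrun grows by one byte for every constant character in the template, which is why the excess depends on the template in use.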


Upgrade syslog-ng to 1.5.21 (devel) or 1.4.16 (stable) or apply the
following patch:

diff -u -r1.52 -r1.53
--- affile.c 21 Aug 2002 14:03:50 -0000 1.52
+++ affile.c 27 Sep 2002 09:11:33 -0000 1.53
@@ -859,7 +859,7 @@
char format[cfg->log_msg_size + 1], *format_ptr = format;
- int left = sizeof(format);
+ int left = sizeof(format) - 1;
int i, j;

i = 0;
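Review bot: the new initializer "int left = sizeof(format) - 1;" reserves one byte without saying what for; a short comment that the byte is held back for the terminating NUL (the "*format_ptr = 0;" store in the next hunk) would keep a later edit from removing the "- 1". Also consider declaring left as size_t, or making sure every comparison against it is of the form "left > 0", since it is a signed int initialized from a size_t expression and can go negative once decrements are added.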
@@ -888,6 +888,7 @@
*format_ptr = template->data[i];
+ left--;
*format_ptr = 0;
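Review bot: in the lines shown, the store "*format_ptr = template->data[i];" is followed by "left--;" but no test of left is visible before the store. Decrementing alone only corrects the value that the macro branch later checks; if the enclosing branch does not already require "left > 0" before copying a constant character, a template made mostly of constants still writes past the buffer and drives left negative. Please confirm the guard exists in the surrounding context, or add it in this hunk.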



Höltzl Péter

BalaBit IT Kft | Tel: +36 1 371-0540 | GnuPG Fingerprint:
[email protected] | Mobil: +36 20 366-9667 | DB30 5E5B 8777 C06F 5A1F
 | Fax: +36 1 208-0875 | 4586 CEAF 9678 4A89 CFD6
