Package: rsyslog-gssapi
Version: 5.8.11-3
Severity: critical
tags: security

Hi,
I can DoS rsyslog with a simple telnet connect:

rsyslog-gssapi configuration on foo.example.com is:

    $ModLoad imgssapi
    $InputGSSServerRun 1514

Now when telnetting to port 1514 and simply waiting for the
timeout like:

    # telnet foo.example.com 1514
    Connected to foo.example.com
    Escape character is '^]'.
    Connection closed by foreign host.

/var/log/syslog on foo.example.com has:

    Nov 15 12:28:47 foo rsyslogd: TCP session 0x2550730 will be closed, error ignored

and rsyslogd crashes like:

    5487.317324670:7ff49169d700: poll returned with i 1, pUsr 0xf106f0
    5487.317388061:7ff49169d700: New connect on NSD 0xf269d0.
    5487.319769985:7ff49169d700: GSS-API Trying to accept TCP session 0xf06760
    5488.321087177:7ff49169d700: Called LogError, msg: TCP session 0xf06760 will be closed, error ignored
    5488.321207329:7ff49169d700: main Q: entry added, size now log 1, phys 1 entries
    5488.321250988:7ff49169d700: main Q: EnqueueMsg advised worker start
    5488.321378952:7ff492ea0700: wti 0xf54e10: worker awoke from idle processing
    Segmentation fault (core dumped)

The bt is not very helpful though:

    Core was generated by `/usr/sbin/rsyslogd -d -n'.
    Program terminated with signal 11, Segmentation fault.
    #0  0x00007ff4936b5428 in ?? () from /usr/lib/rsyslog/lmtcpsrv.so
    (gdb) bt
    #0  0x00007ff4936b5428 in ?? () from /usr/lib/rsyslog/lmtcpsrv.so
    #1  0x000000000043ae66 in ?? ()
    #2  0x00007ff496056b50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
    #3  0x00007ff495994a7d in clone () from /lib/x86_64-linux-gnu/libc.so.6
    #4  0x0000000000000000 in ?? ()

Since this makes rsyslog-gssapi insecure on any public network I've
flagged it as critical/security.
Cheers,
 -- Guido

-- System Information:
Debian Release: jessie/sid
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

