Play with logger

> Published On September 30, 2016

> By hoangdoan


I found something interesting today. When working with Apache, I noticed that you cannot have multiple ErrorLog directives for writing error logs to multiple destinations (CustomLog allows this).

For instance:

ErrorLog /path/file1.log
ErrorLog /path/file2.log
ErrorLog /path/file3.log

In the above config, only the third ErrorLog directive works, meaning error logs are only written to /path/file3.log.

But in many cases you would like to store logs in different locations on the system (for instance, centralized logging with Syslog). Some articles I found on the internet show that the way to get this is to pipe the logs to a program, something like this:

ErrorLog  "|$ /usr/bin/tee -a /var/log/httpd/example.com-error_log | /usr/bin/logger -t httpd-error -p local1.error"

This tells Apache to pipe the output logs into:

(1) /usr/bin/tee, which appends to a file
(2) /usr/bin/logger, which sends to Syslog

Look at (2): by default, logger splits input messages into segments of 1KB (1024 characters) (http://man7.org/linux/man-pages/man1/logger.1.html). For instance, with the following message:

[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] aaaa.......aaaaaa

with length = 1100 characters, where “aaa….aaa” is user input from the client request, you will get 2 lines forwarded to syslog by logger:

[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] aaaa.......aaaaaa
aaaa.......aaaaaa

the first line has length = 1024, the second line has length (1100 - 1024) = 76

Think about this: when you can control “aaaa…..aaaa” and change it to something like below (length = 4096 - length of the string "[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69]"):

aaaa.......aaaaaa[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] bbbb.......bbbbbb[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] cccc.......cccccc[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] dddd.......dddddd

This message will be split into 4 logs by /usr/bin/logger, and Syslog just thinks we have 4 logs :D

[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] aaaa.......aaaaaa
[Fri Sep 30 09:56:02 2016] [error] [client 11.223.31.14] bbbb.......bbbbbb
[Fri Sep 30 09:56:02 2016] [error] [client 92.69.169.16] cccc.......cccccc
[Fri Sep 30 09:56:02 2016] [error] [client 122.69.54.59] dddd.......dddddd

In some situations, an attacker can abuse this to generate enough noise to make it hard for log analysis systems to detect the real attack vector, covering their tracks.
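To make this concrete from the defender's side, here is an added Python example (not from the original post) that mimics logger's 1024-character split, glues full-size segments back together, and flags any Apache-style header that appears inside a reassembled message rather than at its start; the header regex and the sample input are constructed for this example.

```python
import re

# Default per-message size of logger(1); longer messages are cut into pieces.
LOGGER_LIMIT = 1024
# Apache 2.2-style error-log header, e.g. "[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] "
HEADER = re.compile(r"\[\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\] \[\w+\] \[client [^\]]+\] ")


def logger_split(message: str, limit: int = LOGGER_LIMIT) -> list[str]:
    """Mimic logger's default behaviour: one line in, segments of at most `limit` characters out."""
    return [message[i:i + limit] for i in range(0, len(message), limit)] or [""]


def reassemble(lines: list[str], limit: int = LOGGER_LIMIT) -> list[str]:
    """Glue a line that is exactly `limit` characters long to the line(s) after it.

    A segment of exactly `limit` characters is the fingerprint of a message logger
    has cut; the heuristic mis-joins a legitimate message of exactly `limit`
    characters with its successor, which is rare and still keeps both visible."""
    messages, buf = [], ""
    for line in lines:
        buf += line
        if len(line) < limit:
            messages.append(buf)
            buf = ""
    if buf:  # trailing run of full-size segments with no short tail
        messages.append(buf)
    return messages


def forged_headers(message: str) -> list[str]:
    """Headers that do not start at offset 0 were carried inside the request,
    not written by Apache: these are the fake records the post describes."""
    return [m.group(0) for m in HEADER.finditer(message) if m.start() != 0]


def demo() -> tuple[int, int, list[str]]:
    """Rebuild the post's scenario on constructed input and run the check over it."""
    real = "[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] "
    fakes = ["[Fri Sep 30 09:56:02 2016] [error] [client 11.223.31.14] ",
             "[Fri Sep 30 09:56:02 2016] [error] [client 92.69.169.16] ",
             "[Fri Sep 30 09:56:02 2016] [error] [client 122.69.54.59] "]
    # User-controlled part: padded so every fake header lands on a 1024-char boundary.
    body = "a" * (LOGGER_LIMIT - len(real))
    for hdr, ch in zip(fakes, "bcd"):
        body += hdr + ch * (LOGGER_LIMIT - len(hdr))
    apache_line = real + body                      # 4096 chars, one Apache error entry
    syslog_lines = logger_split(apache_line)       # what logger hands to syslog: 4 lines
    messages = reassemble(syslog_lines)            # back to 1 message
    return len(syslog_lines), len(messages), forged_headers(messages[0])
```

Real syslog lines carry the syslog prefix (timestamp, host, tag) in front of the Apache text, so strip that before feeding them to reassemble(). On the mitigation side, the util-linux logger man page linked above documents a --size option that raises the 1 KiB limit so a long Apache entry stays one syslog record.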


Tags: sysadmin hacking trick security logging


© 2018 - Security Researchers Team. All rights reserved