Name |
String Format Overflow in syslog() |
|
Likelihood of attack | High |
Typical severity | Very High |
|
Summary |
This attack targets format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input into the format string parameter of the syslog() call, which happens whenever user-supplied data is passed as the format argument instead of as a "%s" argument. This is a common problem, and many public vulnerabilities and associated exploits have been posted. |
Prerequisites |
The format string argument of the syslog() function can be tainted with user-supplied data. |
Execution Flow |
Step |
Phase |
Description |
Techniques |
1 |
Explore |
The attacker finds that they can inject data into the format string parameter of syslog(). |
|
2 |
Exploit |
The attacker crafts a malicious input and injects it into the format string parameter. Directives such as %x or %s leak memory contents, and %n writes to memory; from there the attacker can execute arbitrary code and do more damage. |
|
|
Solutions | The following code shows a vulnerable usage of syslog():
syslog(LOG_ERR, cmdBuf);
// the buffer cmdBuf holds user-supplied data, so it becomes the format string |
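The following is an added example, not code from the CAPEC entry, showing the vulnerable call from the page beside the fixed form (user data passed as the "%s" argument), a printf-family rendering helper that returns the logged text so the behaviour can be checked without reading the system log, and a defence-in-depth detector for tainted input that carries conversion directives. The function names, the constructed probe string and the check itself are assumptions for illustration; the actual fix is the literal "%s" format, and the detector is only an extra validation step.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern from the page: attacker-controlled data becomes the
 * format string, so "%x %x %n" in the input is interpreted by syslog(). */
void log_user_message_unsafe(const char *msg)
{
    syslog(LOG_ERR, msg);            /* format string taken from user data */
}

/* Fixed pattern: the format string is a literal and the user data is an
 * argument, so any '%' in it is logged verbatim. */
void log_user_message_safe(const char *msg)
{
    syslog(LOG_ERR, "%s", msg);
}

/* The same fix applied to any printf-family sink; returns the rendered text
 * (snprintf's return value is the length written) so it can be checked. */
int render_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Defence-in-depth check (hypothetical helper, not a CAPEC mitigation):
 * returns 1 if the string contains a conversion directive, i.e. a '%' that is
 * not the literal escape "%%". It flags tainted data that would be dangerous
 * as a format string; it does not replace passing the data through "%s". */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {           /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;                    /* "%x", "%s", "%n", a bare trailing '%', ... */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample input: what an attacker might send to probe the stack. */
    const char *probe = "user login failed: %x %x %x %n";
    char buf[128];

    openlog("example", LOG_PID, LOG_USER);
    if (has_format_directive(probe))
        printf("input carries format directives; logging it through \"%%s\" only\n");
    log_user_message_safe(probe);    /* reaches the log verbatim, directives inert */
    render_safe(buf, sizeof buf, probe);
    printf("rendered: %s\n", buf);
    closelog();
    return 0;
}
```

Compilers flag the vulnerable form when asked to: gcc's -Wformat-security (or -Wformat=2) warns on syslog(LOG_ERR, msg) because the format is not a string literal and no arguments follow it, which is a cheap check to add to the build of any code base that calls syslog().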
Related Weaknesses |
CWE ID | Description |
CWE-20 |
Improper Input Validation |
CWE-74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
CWE-120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
CWE-134 |
Use of Externally-Controlled Format String |
CWE-680 |
Integer Overflow to Buffer Overflow |
CWE-697 |
Incorrect Comparison |
|
Related CAPECS |
CAPEC ID | Description |
CAPEC-100 |
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice. |
|
Taxonomy: WASC |
Entry ID | Entry Name |
06 |
Format String |
|