[Logcheck-devel] Bug#336265: logrotate detection, possible attack not checked by logcheck
TsT
tst at letsgozik.com
Sat Oct 29 01:10:51 UTC 2005
Package: logcheck
Version: 1.2.41
Problem: Logcheck tries to detect whether a log file has been rotated by comparing file sizes only.
Possible attack:
- current log file (sizeA)
- run logcheck (logcheck/logtail writes the inode to the offset file), offset=sizeA
- [attacker runs attack 1]
- run logrotate
- [attacker runs attack 2]
- run logcheck: it may not detect the rotation, and the log written during attack 1 is never checked.
attack 1: the real attack; its log entries will not be checked by logcheck if attack 2 succeeds.
attack 2 goal: grow the new log file until its size exceeds the last checked offset.
The problem is here, at line 397:
395:    offsetfile="$STATEDIR/offset$(echo $file | tr / .)"
396:    if [ -s "$offsetfile" -a -r "$offsetfile" ]; then
397:        if [[ $(wc -c < "$file") -lt $(tail -n 1 "$offsetfile") ]]; then
398:            # assume the log is rotated by savelog(8)
399:            # syslog-ng leaves old files here
400:            if [ -e "$file.0" -a "$file.0" -nt "$file.1.gz" ]; then
401:                debug "Running logtail on rotated: $file.0"
402:                $LOGTAIL -f "$file.0" -o "$offsetfile" $LOGTAIL_OPTS > \
403:                    $TMPDIR/logoutput/$(basename "$file") 2>&1 \
404:                    || error "Could not run logtail or save output"
405:                rm -f "$offsetfile" \
406:                    || error "Could not remove $offsetfile"
407:            # assume the log is rotated by logrotate(8)
408:            # should also probably check if file is still fresh
409:            elif [ -e "$file.1" ]; then
410:                debug "Running logtail on rotated: $file.1"
411:                $LOGTAIL -f "$file.1" -o "$offsetfile" $LOGTAIL_OPTS > \
412:                    $TMPDIR/logoutput/$(basename "$file") 2>&1 \
413:                    || error "Could not run logtail or save output"
414:                rm -f "$offsetfile" \
415:                    || error "Could not remove $offsetfile"
416:            fi
417:        fi
My proposed fix:
- if [[ $(wc -c < "$file") -lt $(tail -n 1 "$offsetfile") ]]; then
+ INODEOFFSET=$(head -n 1 < $offsetfile)
+ #INODEFILE=$(ls -id $file) ;# not run with symlink.
+ INODEFILE=$(find $file -follow -printf "%i")
+ if [[ $INODEFILE -eq $INODEOFFSET ]]; then
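Review bot: the replacement condition on the `+ if [[ $INODEFILE -eq $INODEOFFSET ]]; then` line looks inverted: the branch it guards (lines 398-416, running logtail on $file.0 or $file.1) is the rotated-log path, but `-eq` is true when the inode is unchanged, i.e. when the file has not been rotated, so the test should be `-ne`. Two further points: keep the size comparison from the removed line alongside the inode test, because logrotate's copytruncate option truncates the file in place and leaves the inode unchanged, so an inode-only test would miss that rotation; and `$offsetfile` and `$file` should be double-quoted in the `head -n 1 < $offsetfile` and `find $file -follow -printf "%i"` lines, as they are elsewhere in this script (`stat -L -c %i "$file"` is an alternative that also follows symlinks).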
This problem seems similar to bug #195935.
Best Regards,
TsT
--
www.letsgozik.com
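As an added example, not part of the report above and not logcheck's own code, the script below rebuilds the three candidate rotation checks (size only, as at line 397; inode only, as in the proposed fix; both combined) and replays the report's sequence against each on files it constructs in a temporary directory. It goes one step beyond the report by also replaying a copytruncate-style rotation, where the inode survives. It assumes GNU or busybox coreutils for `stat -L -c %i`; all log contents are constructed.

```shell
#!/bin/sh
# Added example, not logcheck's own code: rebuilds the rotation checks on
# constructed files in a temporary directory and replays the sequence from
# the bug report against each of them.
# Assumes GNU or busybox coreutils (stat -L -c %i) as found on Debian.

# Size-only check, the logic of logcheck 1.2.41 line 397: "rotated" iff the file shrank.
size_says_rotated() {            # $1 = log file, $2 = saved offset in bytes
    [ "$(wc -c < "$1")" -lt "$2" ]
}

# Inode-only check, the logic of the proposed fix: "rotated" iff the inode changed.
inode_says_rotated() {           # $1 = log file, $2 = saved inode
    [ "$(stat -L -c %i "$1")" -ne "$2" ]
}

# Combined check: either signal is enough. A rename changes the inode but not
# necessarily the size; copytruncate changes the size but keeps the inode.
combined_says_rotated() {        # $1 = log file, $2 = saved inode, $3 = saved offset
    inode_says_rotated "$1" "$2" || size_says_rotated "$1" "$3"
}

# Run all three checks and print one line: size=... inode=... combined=...
report() {                       # $1 = log file, $2 = saved inode, $3 = saved offset
    if size_says_rotated "$1" "$3"; then s=detected; else s=missed; fi
    if inode_says_rotated "$1" "$2"; then i=detected; else i=missed; fi
    if combined_says_rotated "$1" "$2" "$3"; then c=detected; else c=missed; fi
    printf 'size=%s inode=%s combined=%s\n' "$s" "$i" "$c"
}

# Scenario from the report: offset saved, attack 1 logged, logrotate renames the
# file, attack 2 pads the fresh file beyond the saved offset.
replay_rename_rotation() {
    dir=$(mktemp -d) || return 1
    log="$dir/auth.log"
    printf 'boot ok\n' > "$log"                                     # sizeA (constructed)
    saved_inode=$(stat -L -c %i "$log")
    saved_offset=$(wc -c < "$log")                                  # offset=sizeA
    printf 'attack 1: evidence logcheck must see\n' >> "$log"       # constructed entry
    mv "$log" "$log.1"                                              # rename-style rotation
    printf 'attack 2: padding padding padding padding\n' > "$log"   # new file, bigger than sizeA
    report "$log" "$saved_inode" "$saved_offset"
    rm -rf "$dir"
}

# Variation: logrotate with copytruncate copies and truncates in place, so the
# inode survives and only the size comparison notices the rotation.
replay_copytruncate_rotation() {
    dir=$(mktemp -d) || return 1
    log="$dir/auth.log"
    printf 'boot ok, followed by a much longer first entry\n' > "$log"   # constructed
    saved_inode=$(stat -L -c %i "$log")
    saved_offset=$(wc -c < "$log")
    cp "$log" "$log.1" && : > "$log"                                # copytruncate
    printf 'short\n' >> "$log"
    report "$log" "$saved_inode" "$saved_offset"
    rm -rf "$dir"
}

replay_rename_rotation        # prints: size=missed inode=detected combined=detected
replay_copytruncate_rotation  # prints: size=detected inode=missed combined=detected
```

Run it with `sh rotation-check.sh`. The two output lines show that neither signal alone is sufficient: the size-only test is fooled by the padding sequence from the report, while the inode-only test is fooled by an in-place truncation, so a robust check needs both the inode comparison and the existing size comparison.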