SQL Injection Vulnerability in rsyslogd
An SQL injection vulnerability was found in all rsyslog releases prior to the ones announced on 2005-09-23. An attacker can send a specifically-crafted syslog message to rsyslogd and potentially take ownership of the machine.
This can be locally exploited if rsyslogd is listening on the local socket. Wes assume it is doing this in almost all cases. It can also be exploited remotely if rsyslogd is listening on network sockets and the attacker is not blocked from sending messages to rsyslogd (e.g. if not blocked by firewalling).
The vulnerability can potentially be used to take full ownership of the computer a compromised rsyslog is running on. The extend of the compromise is depending on the permissions of the user used to connect to MySQL.
We do not know of any case where this was exploited in practice. The bug was discovered during security-testing rsyslogd.
As of this writing, fixed versions exist both for the stable and the development branch. They are named 1.0.1 and 1.10.1. They can be obtained via the following links:
For 1.0.1 stable:
http://www.rsyslog.com/Downloads-index-req-getit-lid-17.phtml
For 1.10.1 development:
http://www.rsyslog.com/Downloads-index-req-getit-lid-18.phtml
As this is a serious vulnerability, we urge all users to update to the fixed version as soon as possible.
If you have turned on NO_BACKSLASH_ESCAPES in MySQL, you MUST make changes to your configuration file. Read DETAILS below to learn more. Continue reading “SQL Injection Vulnerability in rsyslogd”