exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

rsyslog ElasticSearch Memory Corruption

rsyslog ElasticSearch Memory Corruption
Posted Jul 5, 2013
Authored by Markus Vervier, Marius Ionescu | Site lsexperts.de

rsyslog ElasticSearch plugin suffers from a double free memory corruption. rsyslog versions 7.4.0 stable through 7.4.1 stable and 7.3.2 devel through 7.5.1 devel are affected.

tags | advisory
advisories | CVE-2013-4758
SHA-256 | c9b79425a99d604dd1c1d69b803474783b1a91144c92fa3d3e6e0ef941f7e904

rsyslog ElasticSearch Memory Corruption

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=== LSE Leading Security Experts GmbH - Security Advisory 2013-07-03 ===

rsyslog ElasticSearch Plugin - Double Free Memory Corruption
- ------------------------------------------------------------

Affected Version
================
rsyslog 7.4.0 stable <= 7.4.1 stable
rsyslog 7.3.2 devel <= 7.5.1 devel

Problem Overview
================
Technical Risk: high
Likelihood of Exploitation: low
Vendor: Adiscon GmbH, Nathan Scott, Rainer Gerhards
Credits: LSE Leading Security Experts GmbH employee Markus Vervier and
Marius Ionescu
Advisory URL: http://www.lsexperts.de/advisories/lse-2013-07-03.txt
Advisory Status: Public
CVE-Number: CVE-2013-4758

Problem Impact
==============
While conducting a code review, a double free memory corruption
vulnerability was discovered in the ElasticSearch plugin of rsyslog.
This could allow a remote attacker to crash rsyslog and possibly
execute code if he can manipulate JSON responses from ElasticSearch.

Problem Description
===================
A double free memory corruption exists in all implementations of the
rsyslog omelasticsearch plugin up to 7.4.1 stable and 7.5.1 devel
having the "errorfile" parameter explicitly set for local logging.
The variable "rendered" in function writeDataError of
omelasticsearch.c is freed twice. This allows heap corruption and
possible code execution if an attacker is able to control memory
between subsequent calls to free.

Temporary Workaround and Fix
============================
It is advised to update to version 7.4.2 stable or 7.5.2 of rsyslog as
soon as possible.

As a workaround the "errorfile" configuration parameter should be
disabled, as is the default in rsyslog.

History
=======
2013-06-27 Problem discovery during code review at customer
2013-07-03 Original vendor contacted
2013-07-03 Vulnerability confirmed by vendor
2013-07-03 Fix released
2013-07-04 CVE-2013-4758 assigned
2013-07-05 Coordinated advisory release
- --
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel.: +49 (0) 6151 86086-0, Fax: -299,
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther, Dr. Peter Schill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQIcBAEBAgAGBQJR1m7aAAoJEDgSCSGZ4yd8qAcQAJlG0E7t2jnqXvxS3QUCgyF9
lMuADOj7/wbNw/oetbBLukzh9OXOKB2q2QLney6XosZOMh7/dfSXuOdJsaEufutS
5BFGHUOglixACmqju3ZcWvWYsKYrtnKyy+/GJvXR3fZjP7Jf6UEHeBlffEwYhqEe
kjA/ha5EHeljehHbqc+zm+O8iSVte40dJD87/D76UwzI6cMG6eFbFRgDYxaFSGh6
0JMdBA0PqkkkF9fdrlJ00VYrPU41RUMPeiv23OyIiQgWvAbWV8RMkTetkVaqxCys
ms8/s8+FlA4xBKZPiHB64i7oznKHV1AeqXjCm9AahXxCg1NWQx/DkShTZd/zWg30
uI8+2NIb/YMyPrdth44+ucpjcF1v76G3c/WBSBniIXPwUvzHTxD0DHBYX6g0i2Jr
HvtD1kZaWUjk/ofD52CZ1pcUIsqyiO6hoS1vYA83EiC9KW/Yp2lrf/apoE5VgdJ8
jN4JTSU7NEIKY/S+GDFBUDqpnIJeG+VHVC2dmWa+fSfRqx5Wlk9YwE0K0KI/BU+D
MrmzwO4/Fx0EdxhKxOaMAJTVAas2paW07ewrXKTRCja2mAZLaK3eeuKfdwvqVa4J
SwBNnbyPPoY9H8fjx9J8rrYirfZnQ4UKiV7cgOfaXG+ZfFzaS/iZZ3i+USdMJtDS
fwuOw+xvnSrruDiP1Dho
=HJxe
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close