Play with logger

I found something interesting today. When working with Apache I notice that you cannot have multiple ErrorLog directives for writing error logs into multiple destination (CustomLog allow this).
For instance:
ErrorLog /path/file1.log
ErrorLog /path/file2.log
ErrorLog /path/file3.log
In the above config, only third ErrorLog directive working, this mean error logs only write to /path/file3.log
But in many cases you would like to store logs in different locations on system (for instance centre logging with Syslog). Some articles I found on the internet show us the way to got this is pipe logs to a program, something like this:
ErrorLog  "|$ /usr/bin/tee -a /var/log/httpd/example.com-error_log | /usr/bin/logger -t httpd-error -p local1.error"
This tell Apache pipe output logs into:
(1) /usr/bin/tee append to a file
(2) /usr/bin/logger send to Syslog
Look at (2), by default logger split input messages into segments with 1KB of length (1024 characters) (http://man7.org/linux/man-pages/man1/logger.1.html), for instance with the following message:
[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] aaaa.......aaaaaa
with length = 1100 characters, where “aaa….aaa” is some user input within client request, you will get 2 lines forward to syslog by logger
[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] aaaa.......aaaaaa
aaaa.......aaaaaa
the first line has length = 1024, the second line is (1100 – 1024) = 76
Think about this, when you can control “aaaa…..aaaa” and change to something like below (length = 4096 - length of string ([Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69]))
aaaa.......aaaaaa[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] bbbb.......bbbbbb[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] cccc.......cccccc[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] dddd.......dddddd
This message will be splitted into 4 logs by /usr/bin/logger and Syslog just think we have 4 logs :D
[Fri Sep 30 09:56:02 2016] [error] [client 192.69.69.69] aaaa.......aaaaaa
[Fri Sep 30 09:56:02 2016] [error] [client 11.223.31.14] bbbb.......bbbbbb
[Fri Sep 30 09:56:02 2016] [error] [client 92.69.169.16] cccc.......cccccc
[Fri Sep 30 09:56:02 2016] [error] [client 122.69.54.59] dddd.......dddddd
In some situations, an attacker can abuse this to generate enough noise to make the Log Analysis Systems hard to detect the real hacking attack vector, covering tracks.

Nhận xét

Bài đăng phổ biến từ blog này

[Steganography] Kỹ thuật che dấu thông tin - Phần 2

[Steganography] Kỹ thuật che dấu thông tin - Phần 1

Forcing CRC-32 Attack