@lattera I was just reading your October 2021 Home Infra Status post, when I found this sentence:

> If any system was compromised, an attacker could theoretically pivot to other systems via carefully crafted malicious syslog messages. Would anyone do this? I doubt it.

I can tell you from experience: yes, they would. I've dealt with a case where an internal network was compromised via carefully crafted syslog messages and a bit of social engineering.


@lattera The way that attack worked was that the attacker gained knowledge of what tools are used to view the logs, found a vulnerability in some of those tools. So they engineered messages that would trigger the bug when processed, and exploit the vulnerability in the tool, and compromise _that_ system. They chained that into other attacks, and eventually gained shell access to the computer. They could attack other systems from there.


@lattera How did the attacker gain knowledge of the tools used? They asked. At a conference, during Q&A of a talk about infrastructure. A perfectly valid, good question. They then just needed to know if it was a vulnerable version. So they asked about distros too, how up-to-date one should stay. LTS or Stable or roll your own?


@aphyr @algernon @lattera

The tools I use to view logfiles are primarily less and tail -f

If more is needed, sed, awk or perl

· · Web · 2 · 0 · 0

@hhardy01 @aphyr @lattera That works for a while. I found that these tools aren't adequate when I'm looking at a huge volume of logs, from many different applications & nodes, in very different formats. I kinda want something that normalizes logs, and finds relations. Something that can chain together a series of related logs, from N systems and M services. And once you start _processing_ logs automatically, for analysis or stats, or whatever, that's another attack surface.

@algernon @aphyr @lattera

How did a tool for looking at log files allow elevated access to change things?

Or were they using information gleaned from reading the logs to enable some other form of attack?

@hhardy01 @aphyr @lattera I am not at liberty to disclose the full details, so apologies, but I'll have to be a bit vague.

The problematic log message corrupted the state of the processing tool, which led to subsequent log messages being inappropriately processed. That eventually led to the attacker gaining more information, and also the following log messages (which would've made discovery a _lot_ easier) effectively disappear from sight.

@algernon @aphyr @lattera

I understand.

I can't tell most of my best computer security stories to anyone, evah. lol.

Such is the life.

@algernon @aphyr @lattera

Sing along now

Nagios and cacti and tripwire and chrootkit
jfs and airgaps and OPIE and chroot
SNORT and ACID and SAR accounting
Secure policy servers that rule all the things
These are a few of my favorite things!

When the eggdrop bites
When the DDOS stings
When I'm feeling sad
I simply install all my favorite things
And then things don't look
So bad!

May be sung to the tune of:
My Favorite Things


@hhardy01 @aphyr @algernon

Unfortunately, using less and tail can still be problematic due to terminal escape codes.

It's possible to use only terminal escape codes to pop a shell in someone's terminal emulator.

Here's a good article on terminal escape injection attacks: infosecmatter.com/terminal-esc

Sign in to participate in the conversation

The original server operated by the Mastodon gGmbH non-profit