Log injection in general

Andrew Bartlett abartlet at samba.org
Wed Jan 17 09:23:40 UTC 2018


On Wed, 2018-01-17 at 10:14 +0100, Volker Lendecke wrote:
> On Wed, Jan 17, 2018 at 09:33:59PM +1300, Andrew Bartlett via samba-technical wrote:
> > In the context of DEBUG(), the attack is described here:
> > 
> > https://www.owasp.org/index.php/Log_Injection
> > 
> > For that reason, we took care to write and use log_escape() in the auth
> > audit code.  It is declared here:
> > 
> > lib/util/util_str_escape.c:char *log_escape(TALLOC_CTX *frame, const
> > char *in)
> > 
> > The list of 'bad' characters could potentially be extended.
> > 
> > I don't know and didn't assert that printf("%s", untrusted) is itself
> > unsafe, beyond the above I would see the main risk as being a SIGSEGV
> > if the attacker can control the NUL termination.
> 
> Doing that manually is the wrong layer. We should do that directly in
> DEBUG(). I know this essentially means writing our own printf, but
> relying on everybody to correctly escape what's going into
> %s is not going to work.

I wholeheartedly agree. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
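
The approach agreed on in this thread, escaping inside the logging call instead of at every call site, sketched as an added example. It is not Samba's DEBUG() or log_escape(): put_escaped and demo_log_format are hypothetical names, the formatter handles only %s, %d and %%, escaping every non-ASCII byte is a simplifying assumption, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: control bytes, backslash, non-ASCII become \xHH. */
static size_t put_escaped(char *out, size_t cap, size_t n, const char *s)
{
	for (; *s != '\0' && n + 5 <= cap; s++) {
		unsigned char c = (unsigned char)*s;
		if (c < 0x20 || c >= 0x7f || c == '\\')
			n += (size_t)snprintf(out + n, cap - n, "\\x%02X", (unsigned)c);
		else
			out[n++] = (char)c;
	}
	return n;
}

/* Minimal formatter (assumption: only %s, %d and %% are supported).
 * The format string is trusted; every %s argument is escaped here. */
size_t demo_log_format(char *out, size_t cap, const char *fmt, ...)
{
	va_list ap;
	size_t n = 0;
	if (cap == 0) return 0;
	va_start(ap, fmt);
	for (; *fmt != '\0' && n + 1 < cap; fmt++) {
		if (*fmt != '%' || fmt[1] == '\0') {
			out[n++] = *fmt;
		} else if (*++fmt == 's') {
			const char *arg = va_arg(ap, const char *);
			n = put_escaped(out, cap, n, arg ? arg : "(null)");
		} else if (*fmt == 'd') {
			int w = snprintf(out + n, cap - n, "%d", va_arg(ap, int));
			n = ((size_t)w < cap - n) ? n + (size_t)w : cap - 1;
		} else {
			out[n++] = *fmt; /* "%%" or unsupported: literal */
		}
	}
	va_end(ap);
	out[n] = '\0';
	return n;
}

int main(void)
{
	char line[128]; /* the user name below is constructed sample input */
	demo_log_format(line, sizeof(line), "login failed user=[%s] rc=%d\n",
			"bob]\nlogin ok user=[admin", 5);
	return fputs(line, stdout) == EOF;
}
```

The newline in the trusted format string survives while the one inside the %s argument is written as \x0A, so the record stays on a single line.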



