发布时间 :2000-11-14 00:00:00
修订时间 :2018-05-02 21:29:08

[原文]Kernel logging daemon (klogd) in Linux does not properly cleanse user-injected format strings, which allows local users to gain root privileges by triggering malformed kernel messages.


        Linux的Kernel logging daemon (klogd)不正确清除user-injected格式化字符串,本地用户可以利用该漏洞通过触发畸形内核消息获取根权限。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:mandrakesoft:mandrake_linux:6.0MandrakeSoft Mandrake Linux 6.0
cpe:/o:mandrakesoft:mandrake_linux:6.1MandrakeSoft Mandrake Linux 6.1
cpe:/o:mandrakesoft:mandrake_linux:7.0MandrakeSoft Mandrake Linux 7.0
cpe:/o:mandrakesoft:mandrake_linux:7.1MandrakeSoft Mandrake Linux 7.1
cpe:/o:redhat:linux:5.2Red Hat Linux 5.2
cpe:/o:redhat:linux:6.2Red Hat Linux 6.2
cpe:/o:trustix:secure_linux:1.1Trustix Secure Linux 1.1

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(VENDOR_ADVISORY)  BUGTRAQ  20000917 klogd format bug
(UNKNOWN)  BUGTRAQ  20000918 Conectiva Linux Security Announcement - sysklogd
(UNKNOWN)  SUSE  20000920 syslogd + klogd format string parsing error
(UNKNOWN)  XF  klogd-format-string(5259)

- 漏洞信息

高危 格式化字符串
2000-11-14 00:00:00 2005-05-02 00:00:00
        Linux的Kernel logging daemon (klogd)不正确清除user-injected格式化字符串,本地用户可以利用该漏洞通过触发畸形内核消息获取根权限。

- 公告与补丁

        Several vendors have provided package upgrades for this issue. Please see the references for details.

- 漏洞信息

klogd Malformed Kernel Message Format String
Local Access Required, Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

Linux kernel klogd contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a malicious user passes a buffer containing '%' characters between pairs of '[<' and '>]' delimiters directly to the syslog() function, causing klogd to crash with a segmentation fault. This flaw may lead to a loss of Integrity.

- 时间线

2000-09-17 2000-09-17
2000-09-17 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, most linux vendors have released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

- 漏洞信息

Multiple Linux Vendor klogd Vulnerability
Input Validation Error 1694
Yes Yes
2000-09-13 12:00:00 2007-07-12 11:27:00
This vulnerability was first reported to Bugtraq in a message posted on September 18, 2000 by Jouko Pynnönen <>.

- 受影响的程序版本

Wirex Immunix OS 6.2
Turbolinux Turbolinux 6.0.4
Turbolinux Turbolinux 6.0.3
Turbolinux Turbolinux 6.0.2
Turbolinux Turbolinux 6.0.1
Turbolinux Turbolinux 6.0
Turbolinux Turbolinux 4.4
Trustix Trustix Secure Linux 1.1
Trustix Trustix Secure Linux 1.0
Slackware Linux 7.1
Slackware Linux 7.0
Slackware Linux 4.0
S.u.S.E. Linux 7.0 sparc
S.u.S.E. Linux 7.0
S.u.S.E. Linux 6.4 ppc
S.u.S.E. Linux 6.4 alpha
S.u.S.E. Linux 6.4
S.u.S.E. Linux 6.3 ppc
S.u.S.E. Linux 6.3 alpha
S.u.S.E. Linux 6.3
S.u.S.E. Linux 6.2
RedHat Linux 6.2 E sparc
RedHat Linux 6.2 E i386
RedHat Linux 6.2 E alpha
RedHat Linux 6.2 sparc
RedHat Linux 6.2 i386
RedHat Linux 6.2 alpha
RedHat Linux 6.1 sparc
RedHat Linux 6.1 i386
RedHat Linux 6.1 alpha
RedHat Linux 6.0 sparc
RedHat Linux 6.0 alpha
RedHat Linux 6.0
RedHat Linux 5.2 sparc
RedHat Linux 5.2 i386
RedHat Linux 5.2 alpha
Mandriva Linux Mandrake 7.1
Mandriva Linux Mandrake 7.0
Mandriva Linux Mandrake 6.1
Mandriva Linux Mandrake 6.0
Debian Linux 2.3 sparc
Debian Linux 2.3 powerpc
Debian Linux 2.3 alpha
Debian Linux 2.3
Debian Linux 2.2 pre potato
Debian Linux 2.2 sparc
Debian Linux 2.2 powerpc
Debian Linux 2.2 arm
Debian Linux 2.2 alpha
Debian Linux 2.2
Corel Linux OS 1.0
Conectiva Linux 5.1
Conectiva Linux 5.0
Conectiva Linux 4.2
Conectiva Linux 4.1
Conectiva Linux 4.0 es
Conectiva Linux 4.0

- 漏洞讨论

The 'klogd' program is a Linux system daemon that receives messages from the kernel and sends them to 'syslogd' to be recorded in a log file. A format-string vulnerability in 'klogd' allows attackers to gain root access locally and in certain exceptional cases remotely. The problem occurs as a result of passing a buffer containing user input directly to the 'syslog()' function. This occurs on lines 680 and 707 of the file 'klogd.c' in the 'LogLine()' function:

Syslog( LOG_INFO, line_buff );

The notation '[<address>]' is used in kernel message strings to supply kernel addresses that are translated into symbol names by 'klogd'. Although the 'LogLine() 'function escapes instances of the '%' character to avoid format-string problems, this processing does not occur between pairs of '[<' and '>]' delimiters. So, for example, if an attacker can cause the kernel to generate a message containing '[<%s %s %s %s>]', then klogd will crash with a segmentation fault. Exploiting this vulnerability depends on the attacker being able to use a device, module, or system call to generate kernel messages containing arbitrary attacker-specified strings.

- 漏洞利用

Currently we are not aware of any working exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at:

- 解决方案

Several vendors have provided package upgrades for this issue. Please see the references for details.

- 相关参考