I had a friend ask me over the weekend to show him how a particular vulnerability works. So I wrote up a little example program and figured I would put it up here as a reference. It's nothing too complex, but some people may not have seen it before, as it's a rather old class of exploit and not a simple buffer overflow. All the program does is record the first argument passed to it in syslog. An example usage is ./logit "This will be logged"; then cat /var/log/syslog and you should see something to the effect of Mar 29 14:46:47 logfile[8956]: This will be logged. If you run it without any arguments it writes "Nothing to Log" to syslog instead. A basic example of a program's logging functions.

#include <syslog.h>

int main(int argc, char *argv[]) {
	/* Tag entries as "logfile", include the PID, fall back to the console
	 * if the logger is unreachable, and log under the user facility. */
	openlog("logfile", LOG_PID|LOG_CONS, LOG_USER);
	if(argc < 2) {
		syslog(LOG_INFO, "Nothing to Log");
	} else {
		/* argv[1] is passed straight through to syslog(). */
		syslog(LOG_INFO, argv[1]);
	}
	closelog();
	return 0;
}
On Friday I will do a quick write-up of what the vulnerability is, how to exploit it, and how to fix it.