What is log injection?

  • 655
  •  
  •  
  •  
  • 1
  •  
  •  
  •  
    656
    Shares

Developers need to consider the risk of reading and writing application logs if they’re not sanitizing and validating input before it reaches the log. Logs that are susceptible to injection may have been compromised by a malicious user to cover the tracks of a successful attack with misleading entries. This is also known as a repudiation attack.

An application that does not securely log users’ actions may be vulnerable to users disclaiming an action. Imagine an application that logs requests in this format:
Date, Time, Username, ID, Source IP, Request

The parameters come directly from the request with no input validation:
Cookie: PHPSESSID=pltmp1obqfig09bs9gfeersju3; username=sdr; id=Justin

An attacker may then modify the id parameter to fill the log with erroneous entries:
Cookie: PHPSESSID=pltmp1obqfig09bs9gfeersju3; username=sdr; id=\r\n [FAKE ENTRY]

On some platforms, if the log does not properly escape null bytes, the remainder of a string that should be logged may not be recorded. For instance:
Cookie: PHPSESSID=pltmp1obqfig09bs9gfeersju3; username=sdr; id=%00

may result in that individual log entry stopping at the id field:
Date, Time, Username, …

A real-world example of log injection occurred with the popular SSHD monitoring tool DenyHosts. DenyHosts monitors SSH logs and dynamically blocks the source IP address of a connection that produces too many authentication failures. Version 2.6 is
vulnerable to a log injection attack that can lead to a denial of service (DoS) of the SSH service.

Because users are allowed to specify the username that gets logged, an attacker can specify any user he or she wants into the /etc/hosts.deny file, which controls access to SSH. By specifying all users, the attacker creates a complete lockdown of the SSH service on the machine, preventing any one outside the box from connecting.

All logs and monitoring systems should require strict validation to prevent an attack that truncates entries leading to information loss. The most serious type of log injection attacks would allow the system used to monitor the logs to be compromised, making incident response especially difficult if there is no evidence of what types of attacks were performed.

 

The following two tabs change content below.

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]

Latest posts by Unallocated Author (see all)

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]

Do NOT follow this link or you will be banned from the site!