Developers need to consider the risk in reading and writing application logs when input is not sanitized and validated before it reaches the log. Logs that are susceptible to injection may be altered by a malicious user to cover the tracks of a successful attack with misleading entries. This is also known as a repudiation attack.
An application that does not securely log users’ actions may be vulnerable to users disclaiming an action. Imagine an application that logs requests in this format:
Date, Time, Username, ID, Source IP, Request
The parameters come directly from the request with no input validation:
Cookie: PHPSESSID=pltmp1obqfig09bs9gfeersju3; username=sdr; id=Justin
An attacker may then modify the id parameter to fill the log with erroneous entries:
Cookie: PHPSESSID=pltmp1obqfig09bs9gfeersju3; username=sdr; id=\r\n [FAKE ENTRY]
On some platforms, if the logging code does not properly escape null bytes, the remainder of the string after the null byte is never recorded. For instance:
Cookie: PHPSESSID=pltmp1obqfig09bs9gfeersju3; username=sdr; id=%00
may result in that individual log entry stopping at the id field:
Date, Time, Username, …
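The following Python script is an added example, not code from the original text. It reproduces the CRLF injection and the null-byte value shown above against a logger that copies request parameters straight into the line, sets a hardened writer beside it that escapes control characters and field delimiters, and adds an audit routine that flags any line not matching the expected layout. The six-field comma-separated layout, the ISO date and time format, the field length cap, and all sample values (username, id, IP, request) are assumptions constructed for the example; the null byte is used in its decoded form, which is what id=%00 becomes once the cookie value is URL-decoded.

```python
import re
from datetime import datetime, timezone

# Added example, not from the original text. Assumed layout:
# "Date, Time, Username, ID, Source IP, Request", comma-separated, ISO date/time.
# All sample values below are constructed.

# Fixed timestamp so the sample output is reproducible.
SAMPLE_TIME = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def sanitize_field(value: str, max_len: int = 64) -> str:
    """Escape a user-controlled value so it cannot break the line structure.

    CR, LF, NUL and other control characters become visible \\xNN escapes, so a
    value can neither start a new line nor truncate the entry; commas and
    backslashes are escaped so fields stay aligned and the encoding is unambiguous.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch == ",":
            out.append("\\x2c")          # comma is the field delimiter
        elif code < 0x20 or code == 0x7F:
            out.append("\\x%02x" % code)  # CR -> \x0d, LF -> \x0a, NUL -> \x00
        else:
            out.append(ch)
    escaped = "".join(out)
    # A length cap (assumed value) limits log flooding from oversized values.
    return escaped if len(escaped) <= max_len else escaped[:max_len] + "..."


def _timestamp(now):
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%d"), now.strftime("%H:%M:%S")


def unsafe_log_entry(username, user_id, source_ip, request, now=None):
    """The vulnerable pattern: request parameters copied into the log untouched."""
    date, time = _timestamp(now)
    return ", ".join([date, time, username, user_id, source_ip, request])


def safe_log_entry(username, user_id, source_ip, request, now=None):
    """Hardened version: every attacker-controlled field is escaped first."""
    date, time = _timestamp(now)
    return ", ".join([date, time,
                      sanitize_field(username), sanitize_field(user_id),
                      sanitize_field(source_ip), sanitize_field(request, max_len=256)])


# A well-formed entry is exactly six comma-separated fields led by a date and time.
LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}, \d{2}:\d{2}:\d{2}, [^,]*, [^,]*, [^,]*, [^,]*$")


def audit_log(text: str):
    """Return 1-based numbers of lines that do not match the expected layout.

    Forged lines inserted via CRLF and lines truncated by a NUL byte both fail
    to match, so this is a cheap integrity check to run over a log file.
    """
    return [i for i, line in enumerate(text.splitlines(), start=1)
            if not LINE_RE.match(line)]


if __name__ == "__main__":
    crlf_id = "\r\n [FAKE ENTRY]"   # the payload from the text
    nul_id = "\x00"                 # decoded form of id=%00
    log = "\n".join([
        unsafe_log_entry("sdr", "Justin", "10.0.0.5", "GET /", SAMPLE_TIME),
        unsafe_log_entry("sdr", crlf_id, "10.0.0.5", "GET /", SAMPLE_TIME),
    ])
    print("unsafe log:\n" + log)
    print("suspect lines:", audit_log(log))
    print("safe entry:", safe_log_entry("sdr", crlf_id, "10.0.0.5", "GET /", SAMPLE_TIME))
    print("safe entry:", safe_log_entry("sdr", nul_id, "10.0.0.5", "GET /", SAMPLE_TIME))
```

Run as a script, the unsafe log shows the forged "[FAKE ENTRY]" line as its own record and audit_log reports it, while the hardened writer keeps the same payload inside the id field as a visible "\x0d\x0a" sequence. Escaping rather than stripping is deliberate: the log still records that someone sent control characters, which is itself worth alerting on.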
A real-world example of log injection occurred with the popular SSHD monitoring tool DenyHosts. DenyHosts monitors SSH logs and dynamically blocks the source IP address of a connection that produces too many authentication failures. Version 2.6 is vulnerable to a log injection attack that can lead to a denial of service (DoS) of the SSH service.
Because the connecting user controls the username that gets logged, an attacker can inject any value he or she wants into the /etc/hosts.deny file, which controls access to SSH. By specifying all users, the attacker creates a complete lockdown of the SSH service on the machine, preventing anyone outside the box from connecting.
All logging and monitoring systems should strictly validate what they record, to prevent attacks that truncate entries and lose information. The most serious log injection attacks compromise the system used to monitor the logs, making incident response especially difficult when no evidence remains of what types of attacks were performed.