
3.3.1. Logging

Logging is another, perhaps surprising, attack vector. Logs are used to collect information about the state of the system; administrators rely on them when making decisions about system configuration and, in case of machine compromise, for post hoc analysis. In both cases it is important that logs contain correct and accurate information. To achieve this, application developers tend to log various inputs to the application, which helps with debugging problems but creates an opportunity for the attacker to forge logs.
A prerequisite for log forging is pasting potentially untrusted, unescaped input directly into logs as part of the logged message. The ability to include special characters such as newline is often enough to create false log messages. An example of this kind of vulnerability is CVE-2014-0136 (CFME: AgentController get/log application log forging). The vulnerable part of the code was
$log.info "MIQ(agent-get): Request agent update for Proxy id [#{params[:id]}]"
The application logged the ID of the requested proxy as-is, taken from the parameters supplied by the client. If the ID parameter looked like this ("%0A" is a percent-encoded line feed)
1%0AMIQ(agent-get): Agent shutdown
then the logs would contain two messages, one logged by the agent, one specified by the attacker:
MIQ(agent-get): Request agent update for Proxy id 1
MIQ(agent-get): Agent shutdown
This example is simplified by omitting details such as timestamps from the logs; these are not secret, and an attacker would be able to spoof them, too.
A perhaps slightly surprising consequence of logging unescaped characters is the potential to "delete" or "modify" existing log messages using the backspace control character. Of course, the existing log messages on disk would be intact, but the backspace control characters would alter them when viewed in a text editor. If the ID parameter contained backspace characters:
%08%08%08%08%08%08%08%08%08Server id 7
then the log stored on disk would contain (each %08 here standing for one decoded backspace character)
MIQ(agent-get): Request agent update for Proxy id %08%08%08%08%08%08%08%08%08Server id 7
If this log was opened in a text viewer, such as less, the control sequences would be interpreted and the administrator would see
MIQ(agent-get): Request agent update for Server id 7

Important

Always make sure potentially untrusted input is escaped before being logged, and make sure user-supplied input is quickly recognizable and cannot be confused with data such as logged messages, timestamps, etc.
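As an added example (not code from this guide or from CFME), the following Ruby runs the two payloads from the text, the line feed and the backspaces, through the vulnerable message format and through a hardened variant that escapes control characters before logging. The function names and the `\xNN` escaping scheme are assumptions, not CFME's actual fix.

```ruby
# Added example, not code from the Defensive Coding guide or from CFME.
# It contrasts the vulnerable CFME-style log message with one that escapes
# untrusted input, using the constructed payloads from the text.
require 'stringio'

# Escape every C0 control character, DEL and the backslash itself, so the
# logged value can neither start a new log line nor rewrite the current one
# with backspaces, and a literal "\x0a" in the input cannot impersonate an
# escaped byte.
def sanitize_for_log(value)
  value.to_s.gsub(/[\\\x00-\x1f\x7f]/) do |c|
    c == '\\' ? '\\\\' : format('\\x%02x', c.ord)
  end
end

# The message as built by the vulnerable code (simplified as in the text).
def vulnerable_message(id)
  "MIQ(agent-get): Request agent update for Proxy id [#{id}]"
end

# Hardened variant: the untrusted ID is escaped and stays inside the brackets,
# so it remains recognizable as client-supplied data.
def hardened_message(id)
  "MIQ(agent-get): Request agent update for Proxy id [#{sanitize_for_log(id)}]"
end

# Write one message per request into an in-memory log (timestamps omitted,
# as in the text) and return the lines an administrator would read back.
def log_lines(formatter, *ids)
  io = StringIO.new
  ids.each { |id| io.puts(send(formatter, id)) }
  io.string.lines.map(&:chomp)
end

# Constructed payloads: the request parameters from the text after the web
# framework has percent-decoded %0A (line feed) and %08 (backspace).
LINE_FEED_PAYLOAD = "1\nMIQ(agent-get): Agent shutdown"
BACKSPACE_PAYLOAD = "\b" * 9 + "Server id 7"

if __FILE__ == $PROGRAM_NAME
  puts log_lines(:vulnerable_message, LINE_FEED_PAYLOAD).length # 2: second line is forged
  puts log_lines(:hardened_message, LINE_FEED_PAYLOAD).length   # 1: payload stays on one line
  puts log_lines(:hardened_message, BACKSPACE_PAYLOAD).first    # backspaces shown as \x08
end
```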