rsyslog Long Tag Off-By-Two DoS - Metasploit

This page contains detailed information about how to use the auxiliary/dos/syslog/rsyslog_long_tag metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

---

Name: rsyslog Long Tag Off-By-Two DoS
Module: auxiliary/dos/syslog/rsyslog_long_tag
Source code: modules/auxiliary/dos/syslog/rsyslog_long_tag.rb
Disclosure date: 2011-09-01
Last modification time: 2022-01-23 15:28:32 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 514
List of CVEs: CVE-2011-3200

This module triggers an off-by-two overflow in the rsyslog daemon. This flaw is unlikely to yield code execution but is effective at shutting down a remote log daemon. This bug was introduced in version 4.6.0 and corrected in 4.6.8/5.8.5. Compiler differences may prevent this bug from causing any noticeable result on many systems (RHEL6 is affected).

Module Ranking and Traits

---

Module Ranking:

• normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

---

msf > use auxiliary/dos/syslog/rsyslog_long_tag
msf auxiliary(rsyslog_long_tag) > show targets
    ... a list of targets ...
msf auxiliary(rsyslog_long_tag) > set TARGET target-id
msf auxiliary(rsyslog_long_tag) > show options
    ... show and set options ...
msf auxiliary(rsyslog_long_tag) > exploit

Required Options

---

• RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Go back to menu.

Msfconsole Usage

---

Here is how the dos/syslog/rsyslog_long_tag auxiliary module looks in the msfconsole:

msf6 > use auxiliary/dos/syslog/rsyslog_long_tag

msf6 auxiliary(dos/syslog/rsyslog_long_tag) > show info

       Name: rsyslog Long Tag Off-By-Two DoS
     Module: auxiliary/dos/syslog/rsyslog_long_tag
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2011-09-01

Provided by:
  hdm <[email protected]>

Check supported:
  No

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT   514              yes       The target port (UDP)

Description:
  This module triggers an off-by-two overflow in the rsyslog daemon. 
  This flaw is unlikely to yield code execution but is effective at 
  shutting down a remote log daemon. This bug was introduced in 
  version 4.6.0 and corrected in 4.6.8/5.8.5. Compiler differences may 
  prevent this bug from causing any noticeable result on many systems 
  (RHEL6 is affected).

References:
  https://nvd.nist.gov/vuln/detail/CVE-2011-3200
  http://www.rsyslog.com/potential-dos-with-malformed-tag/
  https://bugzilla.redhat.com/show_bug.cgi?id=727644

Module Options

---

This is a complete list of options available in the dos/syslog/rsyslog_long_tag auxiliary module:

msf6 auxiliary(dos/syslog/rsyslog_long_tag) > show options

Module options (auxiliary/dos/syslog/rsyslog_long_tag):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   514              yes       The target port (UDP)

Advanced Options

---

Here is a complete list of advanced options supported by the dos/syslog/rsyslog_long_tag auxiliary module:

msf6 auxiliary(dos/syslog/rsyslog_long_tag) > show advanced

Module advanced options (auxiliary/dos/syslog/rsyslog_long_tag):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CHOST                       no        The local client address
   CPORT                       no        The local client port
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Auxiliary Actions

---

This is a list of all auxiliary actions that the dos/syslog/rsyslog_long_tag module can do:

msf6 auxiliary(dos/syslog/rsyslog_long_tag) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

---

Here is the full list of possible evasion options supported by the dos/syslog/rsyslog_long_tag auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(dos/syslog/rsyslog_long_tag) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Related Pull Requests

---

• #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
• #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
• #6655 Merged Pull Request: use MetasploitModule as a class name
• #6648 Merged Pull Request: Change metasploit class names
• #2525 Merged Pull Request: Change module boilerplate
• #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary

References

---

• CVE-2011-3200
• http://www.rsyslog.com/potential-dos-with-malformed-tag/
• https://bugzilla.redhat.com/show_bug.cgi?id=727644

See Also

---

Check also the following modules related to this module:

• auxiliary/admin/vmware/tag_vm
• auxiliary/gather/android_object_tag_webview_uxss
• encoder/ppc/longxor_tag
• encoder/sparc/longxor_tag
• exploit/irix/lpd/tagprinter_exec
• payload/bsd/x86/shell/find_tag
• payload/bsd/x86/shell_find_tag
• payload/cmd/windows/powershell/custom/find_tag
• payload/cmd/windows/powershell/dllinject/find_tag
• payload/cmd/windows/powershell/meterpreter/find_tag
• payload/cmd/windows/powershell/patchupdllinject/find_tag
• payload/cmd/windows/powershell/patchupmeterpreter/find_tag
• payload/cmd/windows/powershell/peinject/find_tag
• payload/cmd/windows/powershell/shell/find_tag
• payload/cmd/windows/powershell/upexec/find_tag
• payload/cmd/windows/powershell/vncinject/find_tag
• payload/linux/x86/meterpreter/find_tag
• payload/linux/x86/shell/find_tag
• payload/linux/x86/shell_find_tag
• payload/osx/ppc/shell/find_tag
• payload/osx/x64/shell_find_tag
• payload/windows/custom/find_tag
• payload/windows/dllinject/find_tag
• payload/windows/meterpreter/find_tag
• payload/windows/patchupdllinject/find_tag
• payload/windows/patchupmeterpreter/find_tag
• payload/windows/peinject/find_tag
• payload/windows/shell/find_tag
• payload/windows/upexec/find_tag
• payload/windows/vncinject/find_tag
• exploit/android/browser/stagefright_mp4_tx3g_64bit
• exploit/windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter
• exploit/windows/fileformat/aol_desktop_linktag
• exploit/windows/http/kentico_staging_syncserver
• exploit/windows/misc/enterasys_netsight_syslog_bof

Authors

---

hdm

Version

---

This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.