From kerry at crypt.gen.nz Sun Nov 1 13:28:41 2009
From: kerry at crypt.gen.nz (Kerry Thompson)
Date: Sun Feb 7 21:46:50 2010
Subject: [logs] logsurfer: test config file: ´.*´ - - - 0 exec "/bin/echo $0"
In-Reply-To: <4AE997DD.1010105@klunky.co.uk>
References: <4AE997DD.1010105@klunky.co.uk>
Message-ID: <63441.1257110903.squirrel@www.crypt.gen.nz>

J4 said:
> Dear all log analysers,
>
> I compiled & installed logsurfer1.5b from Source Forge.
>
> The logsurfer man page states that when I use a configuration file
> containing this line then all std in ought to be sent to std out.
> ´.*´ - - - 0 exec "/bin/echo $0"
>
> Just to check that echo is there,
> # which echo
> /bin/echo
>
>
> However, this does not happen in my case:
[snip]

There's some unusual hidden characters in the config file, they show up in
the strace read():

read(3, "\302\264.*\302\264 - - - 0 exec \"/bin/echo $"..., 1023) = 35

- rewrite the config file, without those \302 and \264 chars and all should
be well.

And as a security note, you should running logsurfer as root, and don't put
log data into shell commands like the "echo $0" in the example. Attackers
can usually insert data into log entries, for example if someone entered
" ; some_evil_command" as an ssh login name then the line would get
appended to that echo command with bad results.

Kerry
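
Added example, not part of the original message and not logsurfer's own code: a small pre-flight check for a logsurfer config that reports the two problems raised in the reply above, non-ASCII bytes such as the \302\264 pair (printed in octal, as strace shows them) and exec/pipe actions that pass matched log text into a command. The function name lint, the sample rules and the assumption that match variables are written $0 to $9 inside a double-quoted command are illustrative.

```python
import re

# Constructed sample: the rule from the thread with U+00B4 (UTF-8 bytes C2 B4)
# as delimiters, the same rule retyped with ASCII apostrophes, and a rule
# that runs no command at all.
SAMPLE = (
    "\u00b4.*\u00b4 - - - 0 exec \"/bin/echo $0\"\n"
    "'.*' - - - 0 exec \"/bin/echo $0\"\n"
    "'sshd.*Failed' - - - 0 ignore\n"
).encode("utf-8")

# Assumption: an action that runs a program is written exec "..." or
# pipe "...", and matched log text is referenced as $0..$9 inside the quotes.
VAR_IN_CMD = re.compile(rb'\b(exec|pipe)\s+"[^"]*\$[0-9]')


def lint(data):
    """Return (line_no, kind, detail) findings for a config given as bytes."""
    findings = []
    for no, line in enumerate(data.splitlines(), 1):
        # Any byte above 0x7f is suspect in a rule line: it is usually a
        # typographic quote or accent pasted in place of an apostrophe.
        bad = [(i, b) for i, b in enumerate(line) if b > 0x7F]
        if bad:
            detail = " ".join("\\%03o@%d" % (b, i) for i, b in bad)
            findings.append((no, "non-ascii", detail))
        # Log text is attacker-influenced, so flag rules that hand it
        # to an external command.
        m = VAR_IN_CMD.search(line)
        if m:
            findings.append((no, "log-data-in-command", m.group(1).decode()))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("line %d: %s (%s)" % finding)
```

The detail for a non-ascii finding is a list of octal byte values with their offsets in the line, so it can be compared directly with the strace output.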