What Is Log Injection?
Log Injection, also known as Log Forgery, describes a vulnerability arising from any scenario in which un-trusted input is allowed to pollute or compromise the integrity of application or system log files.
It is typically there result of the failure to prevent maliciously crafted input intended to mislead monitors and SIEM (Security Information and Event Management) systems from appearing in log files.
Log File Integrity
Log files are the way that applications, services, and the OS (Operating System) itself record events and create an historical archive of activities that have occurred. Every application typically generates a log file which (ideally) allows for the reconstruction of events in the case of problems.
In addition to providing insight into the sequence of events leading up to a problem, log files are now often fed into SIEM systems that look for patterns of problematic or suspicious behavior, and then potentially generate alerts to proactively warn administrators and security personnel. The integrity of the information in the logs is assumed to be accurate and log file content is typically trusted.
This trust is misplaced if untrusted input provided to an application can appear without filtering in the application’s log files. This is because content can be maliciously crafted within the log file(s) to make it appear that a problem is occurring when it is not, and/or can be used to obscure a problem or an attack.
Log Injection: Example
Consider an application that logs failed login attempts and triggers an alert after some fixed number of failed attempts by with the same login id. This might be used to detect brute-force attacks on the application and pro-actively alert administrators. Further suppose that the SIEM system has been configured to generate an alert if 10 entries such as the following appear with the log for the same login id within one (1) minute:
Sep 11:2018:01:07:13: ApplicationName:Failed Login, Id=admin
The monitor would be reset if a successful login event occurs before reaching the alert threshold.
The solution makes sense as long as the integrity of the log file is maintained. However, an attacker who can add arbitrary content to the log file might attempt to login with an Id value designed to forge a log entry:
foo\r\nSep 11:2018:01:07:13: ApplicationName:Successful Login, Id=admin
If the application does not validate the incoming login id value, and subsequently logs it as shown above, the resulting log file would appear to contain TWO (2) entries, the first unsuccessful and the second successful:
Sep 11:2018:01:07:13: ApplicationName:Failed Login, Id=foo Sep 11:2018:01:07:13: ApplicationName:Successful Login, Id=admin
The latter line is a forged record that will reset the monitor on failed login attempts for the ‘admin’ account and prevent the intended alerts from being generated.
For additional information, a classic treatment of the topic can be found here,
For insight into how to detect Log Injection vulnerabilities, please see the article entitled “How To Test for Log Injection“.
For insight into how to avoid or fix LDAP Injection vulnerabilities, please see the article entitled “How To Prevent Log Injection“.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.