Buffer overflow in the syslog daemon for Solaris 2.6 through 9 allows remote attackers to cause a denial of service (syslogd crash) and possibly execute arbitrary code via long syslog UDP packets.
Solaris syslogd is vulnerable to a buffer overflow, allowing remote attackers to crash the service and potentially execute arbitrary code. This vulnerability, exploitable via oversized UDP packets, poses a significant risk to the availability and potentially the confidentiality of affected systems. Successful exploitation can lead to a complete system compromise.
Step 1: Payload Delivery: The attacker crafts a UDP packet containing a syslog message that exceeds the internal buffer size allocated by syslogd. This packet is sent to the UDP port used by syslogd (typically port 514).
Step 2: Packet Reception: The syslogd daemon receives the oversized UDP packet.
Step 3: Buffer Overflow: syslogd attempts to process the message. Because there is no bounds check, the oversized message is copied into a fixed-size buffer. This write overflows the buffer and overwrites adjacent memory.
Step 4: Crash/Code Execution: The resulting memory corruption either crashes the syslogd process (denial of service) or, if the attacker can control what the overflow writes, leads to execution of arbitrary code.
The vulnerability lies within the Solaris syslog daemon (syslogd) when handling UDP packets. Specifically, the daemon fails to properly validate the size of incoming syslog messages. A crafted UDP packet exceeding the allocated buffer size for message processing overwrites adjacent memory regions. This buffer overflow corrupts critical data structures, leading to a crash of the syslogd process (denial of service). In some cases, depending on the memory layout and the attacker's ability to control the overflow, it could lead to arbitrary code execution. The root cause is a lack of bounds checking on the size of the incoming syslog message before it is copied into a fixed-size buffer. This allows an attacker to write beyond the allocated memory, leading to memory corruption.
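As an added illustration (this is not Solaris syslogd source), the following C models the class of defect described above, an unchecked copy of a received datagram into a fixed-size buffer, and a bounded replacement that rejects and counts oversized messages instead of copying them. MSG_BUF, store_message and the sample messages are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Deliberately tiny fixed buffer so the size limit is easy to hit. */
#define MSG_BUF 16

/*
 * Pattern of the defect (kept as a comment, never compiled or called):
 *
 *     char line[MSG_BUF];
 *     memcpy(line, pkt, pktlen);   // no check of pktlen against MSG_BUF
 *     line[pktlen] = '\0';         // both writes run past line[] when
 *                                  // pktlen >= MSG_BUF
 */

/*
 * Bounded replacement. Copies the datagram into buf only if it fits
 * with room for the NUL terminator; otherwise leaves buf untouched,
 * bumps the drop counter (so the event is visible to operators) and
 * returns -1. On success returns the number of bytes stored.
 */
int store_message(char *buf, size_t bufsz, const char *pkt, size_t pktlen,
                  unsigned *dropped)
{
    if (bufsz == 0 || pktlen >= bufsz) {
        if (dropped)
            (*dropped)++;
        return -1;
    }
    memcpy(buf, pkt, pktlen);
    buf[pktlen] = '\0';
    return (int)pktlen;
}

int main(void)
{
    char line[MSG_BUF];
    unsigned dropped = 0;
    /* Constructed sample datagrams: one normal, one oversized. */
    const char *ok  = "<13>hi";
    const char *big = "<13>0123456789abcdef";

    printf("normal: rc=%d line=\"%s\"\n",
           store_message(line, sizeof line, ok, strlen(ok), &dropped), line);
    printf("oversized: rc=%d dropped=%u line=\"%s\"\n",
           store_message(line, sizeof line, big, strlen(big), &dropped),
           dropped, line);
    return 0;
}
```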