Stunnel Local Arbitrary Command Execution Vulnerability
BID:2128
Info
| Bugtraq ID: | 2128 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Dec 18 2000 12:00AM |
| Updated: | Dec 18 2000 12:00AM |
| Credit: | reported to bugtraq by Megyer Ur <[email protected]> on Mon, 18 Dec 2000. |
| Vulnerable: | Stunnel Stunnel 3.8, Stunnel Stunnel 3.7, Stunnel Stunnel 3.4 a, Stunnel Stunnel 3.3 |
| Not Vulnerable: | Stunnel Stunnel 3.9 |
Discussion
Stunnel is an SSL encryption wrapper by Michal Trojnara. It is available for a number of platforms including FreeBSD, Debian Linux and RedHat Linux.
Insecurely structured calls to syslog() in certain versions of Stunnel (prior to version 3.9) pass user-supplied data to syslog() as part of the format string, so format specifiers embedded in this data are interpreted and can cause the process to overwrite sections of its own memory with arbitrary data.
This user-supplied data is obtained from an identd server of a connecting host. If an attacker controls an ident server, an arbitrary username value containing malicious format specifiers can be sent to Stunnel.
This string would then be passed as part of the format string for the syslog() function, where the format specifiers would be interpreted.
This can lead to the attacker gaining remote access to the target host with the privileges of Stunnel, which may be required to run as root.
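The following is an added example written for this advisory, not stunnel's own source. It models the one-line log.c fix (a constant format string, with the untrusted text only ever an argument) and pairs it with a simplified RFC 1413 reply parser plus a check that flags identd replies carrying '%' or non-printable bytes, which is the signal a defender would want to alert on. The function names, the sample replies and the simplified parsing are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Added example for this advisory; it is not stunnel's source code.
 * It models the one-line log.c fix: the format passed to syslog() is a
 * compile-time constant and untrusted text is only ever an argument.
 * Function names are illustrative. The identd reply layout is the
 * RFC 1413 "ports : USERID : opsys : user-id" form, parsed in a
 * simplified fashion (anything that is not a USERID reply is rejected). */

/* Vulnerable shape (the '-' line of the hotfix), kept only as a comment:
 *     syslog(level, text);      // text derived from a remote identd reply
 * A '%' inside text is then interpreted as a conversion specifier. */

/* Hardened form, mirroring the '+' line of the hotfix. */
void log_untrusted(int level, const char *text)
{
    syslog(level, "%s", text);
}

/* Same pattern with snprintf so the outcome can be inspected: the
 * untrusted text is copied byte-for-byte, any '%' included. Returns
 * the length snprintf reports for the rendered line. */
int render_log_line(char *out, size_t outlen, const char *text)
{
    return snprintf(out, outlen, "stunnel: %s", text);
}

/* Pull the user-id out of a USERID reply such as
 *   "6191, 23 : USERID : UNIX : stjohns\r\n"
 * Returns false for error replies, malformed lines or an over-long id. */
bool ident_user_from_reply(const char *reply, char *user, size_t userlen)
{
    const char *c1 = strchr(reply, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    const char *c3 = c2 ? strchr(c2 + 1, ':') : NULL;
    if (!c3)
        return false;

    /* second field must be exactly USERID (blanks around it allowed) */
    const char *t = c1 + 1;
    while (*t == ' ' || *t == '\t')
        t++;
    if (strncmp(t, "USERID", 6) != 0 ||
        (t[6] != ' ' && t[6] != '\t' && t[6] != ':'))
        return false;

    /* user-id is everything after the third colon, trimmed of blanks and CRLF */
    const char *u = c3 + 1;
    while (*u == ' ' || *u == '\t')
        u++;
    size_t n = strcspn(u, "\r\n");
    while (n > 0 && (u[n - 1] == ' ' || u[n - 1] == '\t'))
        n--;
    if (n >= userlen)
        return false;
    memcpy(user, u, n);
    user[n] = '\0';
    return true;
}

/* Defence in depth for monitoring: a legitimate user-id has no business
 * containing '%' or non-printable bytes. A true result is worth alerting
 * on even after the "%s" fix, because it points at a hostile identd. */
bool ident_user_suspicious(const char *user)
{
    for (const unsigned char *p = (const unsigned char *)user; *p; p++) {
        if (*p == '%' || !isprint(*p))
            return true;
    }
    return false;
}

int main(void)
{
    /* constructed sample replies: one benign, one carrying format specifiers,
     * one RFC 1413 error reply */
    const char *replies[] = {
        "6191, 23 : USERID : UNIX : stjohns\r\n",
        "6191, 23 : USERID : UNIX : %x%x%x\r\n",
        "6191, 23 : ERROR : NO-USER\r\n",
    };
    char user[64], line[128];
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++) {
        if (!ident_user_from_reply(replies[i], user, sizeof user)) {
            printf("reply %zu: not a USERID reply, nothing logged\n", i);
            continue;
        }
        render_log_line(line, sizeof line, user);
        printf("reply %zu: %s%s\n", i, line,
               ident_user_suspicious(user) ? "  [suspicious identd reply]" : "");
    }
    return 0;
}
```

With the constant "%s" format, the second reply is logged as the literal text `stunnel: %x%x%x`; under the pre-3.9 call shape the same bytes would have been parsed as conversions. The suspicious-reply check adds nothing to memory safety, but it turns a hostile identd into a log event a SOC can watch for.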
Exploit / POC
Currently the SecurityFocus staff are not aware of any publicly available exploits for this vulnerability. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
The stunnel program author, Michal Trojnara, has released a fixed version (3.9), which is available from:
http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz
Stunnel may also be hot-fixed by patching log.c (around line 67):
- syslog(level, text);
+ syslog(level, "%s", text);
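Review bot: the `+` line is the correct fix, since `text` is assembled from the remote identd reply and must never be the format argument itself; when applying it by hand, also check the rest of log.c and any other syslog()/printf-family call that takes a non-literal format, for example by compiling with GCC's `-Wformat -Wformat-security`, so the same defect is not left at a second call site.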
Stunnel Stunnel 3.3
- Michal Trojnara stunnel-3.9
  http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz

Stunnel Stunnel 3.4 a
- Michal Trojnara stunnel-3.9
  http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz

Stunnel Stunnel 3.7
- Debian 2.2 alpha stunnel_3.10-0potato1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/stunnel_3.10-0potato1_alpha.deb
- Debian 2.2 i386 stunnel_3.10-0potato1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/stunnel_3.10-0potato1_i386.deb
- Debian 2.2 m68k stunnel_3.10-0potato1_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/stunnel_3.10-0potato1_m68k.deb
- Debian 2.2 sparc stunnel_3.10-0potato1_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/stunnel_3.10-0potato1_sparc.deb
- Michal Trojnara stunnel-3.9
  http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz

Stunnel Stunnel 3.8
- Conectiva 4.0 i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0/i386/stunnel-3.10-1cl.i386.rpm
- Conectiva 4.0es i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0es/i386/stunnel-3.10-1cl.i386.rpm
- Conectiva 4.1 i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.1/i386/stunnel-3.10-1cl.i386.rpm
- Conectiva 4.2 i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.2/i386/stunnel-3.10-1cl.i386.rpm
- Conectiva 5.0 i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.0/i386/stunnel-3.10-1cl.i386.rpm
- Conectiva 5.1 i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/i386/stunnel-3.10-1cl.i386.rpm
- Conectiva 6.0 i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/stunnel-3.10-1cl.i386.rpm
- EnGarde Secure Linux 1.0.1 i386 stunnel-3.22-1.0.4.i386.rpm
  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i386/stunnel-3.22-1.0.4.i386.rpm
- EnGarde Secure Linux 1.0.1 i686 stunnel-3.22-1.0.4.i686.rpm
  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i686/stunnel-3.22-1.0.4.i686.rpm
- Michal Trojnara stunnel-3.9
  http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz