Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Linux :: Apps N-Z :: lnx4958.htm

stunnel format string vulnerability
28th Dec 2001 [SBWID-4958]

	stunnel format string vulnerability


	stunnel afther 3.15 up to 3.21c


	Matthias Lange reported on stunnel mailing list :

	In  some  occasions,  fdprintf  is  used  without  a  format  parameter.
	Fortunately,  the  errors  are  only  in  the  smtp  and   pop3   client
	implementations, so \"ordinary\" servers are not affected.

	Exploit configuration :

	Acting as a mail server:

	$ netcat -p 252525 -l



	Acting as a mail client:

	$ stunnel -c -n smtp -r localhost:252525



	When the connection is established, I send a string like
	 \"%s%s%s%s%s%s%s%s%s%s%s%s\" from the netcat to the stunnel.


	Then the stunnel performs:  fdprintf(c->local_wfd,\"%s%s%s%s...\") 

	prints out a lot of garbage, possibly with a segmentation fault.

	Brian Hatch <> explained :

	If you use Stunnel  with  the  \'-n  smtp\',  \'-n  pop\',  \'-n  nntp\'
	options in client mode (\'-c\'),  a  malicous  server  could  abuse  the
	format string bug to run arbitrary code as  the  owner  of  the  Stunnel


	There is no vulnerability unless you are invoking Stunnel with the  \'-n
	smtp\', \'-n pop\', or \'-n nntp\' options in client mode. There are  no
	format string bugs in Stunnel when run as an SSL server.


	Upgrade to Stunnel-3.22, which is not vulnerable to these bugs


	Apply the following patch to your version of Stunnel and recompile:



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH