Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Unix :: General :: unix5407.htm

Slurp news retriever remote format string vulnerability
5th Jun 2002 [SBWID-5407]

	Slurp news retriever remote format string vulnerability


	version 1.1.0


	zillion[at] [] found following.

	Slurp is an advanced passive NNTP client for UNIX. It will connect to  a
	remote NNTP server and retrieve articles in a specified  set  of  Usenet
	newsgroups that have arrived after  a  particular  date  (typically  the
	last time it was invoked) for processing by your local  news  system  or
	forwarding on via UUCP to another  news  system.  It  replaces  nntpxfer
	from the NNTP 1.5.12 reference implementation and nntpget from  the  INN

	This application insecurely syslogs error messages  retrieved  from  the
	NNTP server to which it is connected. The responsible code  that  causes
	this security issue:


	 log_doit (int sysflag, const char *fmt, va_list ap)



	        ...snip snip...


	 #ifdef SYSLOG

	                if (!debug_flag)

	                        syslog (LOG_ERR, buf);

	        ...snip snip...





	The FreeBSD port of this application was compiled  with  syslog  and  is
	therefor affected. This format string can easily be triggered.  To  find
	out you have a vulnerable slurp, connect to this:


	 perl -e \'print \"200 Hello brother \\n666 %x%x%x\\n\'\" | nc -l -p 119



	Then check /var/log/messages for something like:


	 Jun  5 05:10:22 yada slurp[39926]: do_newnews: NNTP protocol error:

	 got \'666 bfbff4f8804bc1bbfbff51c\'







	Malicious server owners can use this vulnerability to  execute  code  on
	affected systems.


	Nothing yet.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH