TUCoPS :: Unix :: General
:: unix5407.htm
Slurp news retriever remote format string vulnerability
5th Jun 2002 [SBWID-5407]
COMMAND
Slurp news retriever remote format string vulnerability
SYSTEMS AFFECTED
version 1.1.0
PROBLEM
zillion[at]safemode.org [http://www.snosoft.com] found following.
Slurp is an advanced passive NNTP client for UNIX. It will connect to a
remote NNTP server and retrieve articles in a specified set of Usenet
newsgroups that have arrived after a particular date (typically the
last time it was invoked) for processing by your local news system or
forwarding on via UUCP to another news system. It replaces nntpxfer
from the NNTP 1.5.12 reference implementation and nntpget from the INN
distribution.
This application insecurely syslogs error messages retrieved from the
NNTP server to which it is connected. The responsible code that causes
this security issue:
log_doit (int sysflag, const char *fmt, va_list ap)
{
...snip snip...
#ifdef SYSLOG
if (!debug_flag)
syslog (LOG_ERR, buf);
...snip snip...
}
The FreeBSD port of this application was compiled with syslog and is
therefor affected. This format string can easily be triggered. To find
out you have a vulnerable slurp, connect to this:
perl -e \'print \"200 Hello brother \\n666 %x%x%x\\n\'\" | nc -l -p 119
Then check /var/log/messages for something like:
Jun 5 05:10:22 yada slurp[39926]: do_newnews: NNTP protocol error:
got \'666 bfbff4f8804bc1bbfbff51c\'
Impact
======
Malicious server owners can use this vulnerability to execute code on
affected systems.
SOLUTION
Nothing yet.