Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: zillion (zillionsnosoft.com)
Date: Tue Jun 04 2002 - 11:45:33 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]


    Strategic Reconnaissance Team Security Advisory (SRT2002-06-04-1011)

    Topic : Slurp news retriever remote format string vulnerability
    Date : June 04, 2002
    Credit : zillion[at]safemode.org
    Site : http://www.snosoft.com


    .: Description:

     Slurp is an advanced passive NNTP client for UNIX. It will connect to
     a remote NNTP server and retrieve articles in a specified set of Usenet
     newsgroups that have arrived after a particular date (typically the
     last time it was invoked) for processing by your local news system or
     forwarding on via UUCP to another news system. It replaces nntpxfer
     from the NNTP 1.5.12 reference implementation and nntpget from the INN

     This application insecurely syslogs error messages retrieved from the
     NNTP server to which it is connected. The responsible code that causes
     this security issue:

     log_doit (int sysflag, const char *fmt, va_list ap)

            ...snip snip...

     #ifdef SYSLOG
                    if (!debug_flag)
                            syslog (LOG_ERR, buf);
            ...snip snip...


     The FreeBSD port of this application was compiled with syslog and is
     therefor affected. This format string can easily be triggered. To find
     out you have a vulnerable slurp, connect to this:

     perl -e 'print "200 Hello brother \n666 %x%x%x\n'" | nc -l -p 119

     Then check /var/log/messages for something like:

     Jun 5 05:10:22 yada slurp[39926]: do_newnews: NNTP protocol error:
     got '666 bfbff4f8804bc1bbfbff51c'

    .: Impact:
     Malicious server owners can use this vulnerability to execute code
     on affected systems.

    .: Systems Affected:

     Systems running slurp version 1.1.0 are known to be affected by this