[Original] Format string vulnerability in the my_xlog function in lib.c for Oops! Proxy Server 1.5.23 and earlier, as called by the auth functions in the passwd_mysql and passwd_pgsql modules, may allow attackers to execute arbitrary code via a URL.
Gentoo Linux Security Advisory GLSA 200505-02 - A format string flaw has been detected in the my_xlog() function of the Oops! proxy, which is called by the passwd_mysql and passwd_pgsql modules' auth() functions. Versions less than 1.5.24_pre20050503 are affected.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200505-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Oops!: Remote code execution
Date: May 05, 2005
Bugs: #91303
ID: 200505-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
The Oops! proxy server contains a remotely exploitable format string
vulnerability, which could potentially lead to the execution of
arbitrary code.
Background
==========
Oops! is an advanced, multithreaded caching web proxy.
Affected packages
=================
     -------------------------------------------------------------------
      Package         /       Vulnerable       /             Unaffected
     -------------------------------------------------------------------
  1   net-proxy/oops     < 1.5.24_pre20050503     >= 1.5.24_pre20050503
Description
===========
A format string flaw has been detected in the my_xlog() function of the
Oops! proxy, which is called by the passwd_mysql and passwd_pgsql
modules' auth() functions.
Impact
======
A remote attacker could send a specially crafted HTTP request to the
Oops! proxy, potentially triggering this vulnerability and leading to
the execution of arbitrary code.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Oops! users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-proxy/oops-1.5.24_pre20050503"
References
==========
[ 1 ] CAN-2005-1121
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1121
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200505-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
Remote / Network Access,
Local / Remote,
Context Dependent
Denial of Service,
Input Manipulation
Loss of Integrity,
Loss of Availability
Exploit Public
-
Vulnerability Description
A remote overflow exists in Oops! proxy server. The proxy server fails to properly format log messages resulting in a format string overflow. With a specially crafted request, an attacker can cause the server to crash resulting in a loss of availability.
-
Timeline
2005-04-14
Unknown
2005-04-14
Unknown
-
Solution
Gentoo users should upgrade to version 1.5.24_pre20050503 or higher, as it has been reported to fix this vulnerability.
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-proxy/oops-1.5.24_pre20050503"
Other users may upgrade to the current version in CVS from the vendor's web site or apply the vendor-provided patch.
Discovery of this issue is credited to GHC team <foster@ghc.ru>.
-
Affected Program Versions
Igor Khasilev Oops Proxy Server 1.5.53
Igor Khasilev Oops Proxy Server 1.5.19
+
Debian Linux 3.0 sparc
+
Debian Linux 3.0 s/390
+
Debian Linux 3.0 ppc
+
Debian Linux 3.0 mipsel
+
Debian Linux 3.0 mips
+
Debian Linux 3.0 m68k
+
Debian Linux 3.0 ia-64
+
Debian Linux 3.0 ia-32
+
Debian Linux 3.0 hppa
+
Debian Linux 3.0 arm
+
Debian Linux 3.0 alpha
+
Debian Linux 3.0
Igor Khasilev Oops Proxy Server 1.4.22
-
Debian Linux 2.3
-
FreeBSD FreeBSD 4.2
-
FreeBSD FreeBSD 3.5.1
-
Mandriva Linux Mandrake 7.2
-
RedHat Linux 7.0
-
S.u.S.E. Linux 7.0
-
Sun Solaris 8_sparc
Gentoo Linux
-
Vulnerability Discussion
Oops! Proxy Server is prone to a remote format string vulnerability. This issue presents itself because the application fails to properly sanitize user-supplied input prior to passing it as the format specifier to a formatted printing function.
A successful attack may result in crashing the server or lead to arbitrary code execution. This may facilitate unauthorized access or privilege escalation in the context of the server.
Oops! versions prior to and including version 1.5.53 are reported prone to this issue.
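The bug class described above, as an added example that is not the Oops! source or code from any of the advisories: `demo_xlog`, `log_auth_unsafe` and `log_auth_safe` are hypothetical names standing in for a printf-style logging wrapper and an auth routine that calls it. It shows request-derived text being interpreted when it is passed as the format, and logged verbatim when it is passed as data behind a constant format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logging wrapper such as
 * my_xlog(); not the Oops! source. The format attribute lets GCC/Clang
 * check every call site and flag a non-literal format string under
 * -Wformat-security. */
__attribute__((format(printf, 3, 4)))
static int demo_xlog(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);  /* fmt is interpreted here */
    va_end(ap);
    return n;
}

/* BEFORE: request-derived text is handed over as the format itself.
 * The warning is silenced only so this 'before' form still builds. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int log_auth_unsafe(char *out, size_t outlen, const char *user)
{
    return demo_xlog(out, outlen, user);
}
#pragma GCC diagnostic pop

/* AFTER: constant format; the request-derived text is only an argument. */
static int log_auth_safe(char *out, size_t outlen, const char *user)
{
    return demo_xlog(out, outlen, "%s", user);
}

/* Constructed input. "%%" consumes no arguments, so both calls are
 * well defined while still showing that the unsafe path parses it. */
static const char SAMPLE_USER[] = "guest%%41";

int main(void)
{
    char a[64], b[64];
    log_auth_unsafe(a, sizeof a, SAMPLE_USER);
    log_auth_safe(b, sizeof b, SAMPLE_USER);
    printf("as format: %s\nas data:   %s\n", a, b);
    return 0;
}
```

Building with the diagnostic pragma removed and `-Wformat -Wformat-security` enabled makes the compiler report the call inside `log_auth_unsafe`, which is how this pattern is normally caught in review or CI.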
-
Exploit
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
-
Solution
Gentoo has released an advisory (GLSA 200505-02) and an updated eBuild to address this issue. Gentoo users may apply updates by issuing the following series of commands as a superuser:
emerge --sync
emerge --ask --oneshot --verbose ">=net-proxy/oops-1.5.24_pre20050503"
Debian has released advisory DSA 726-1 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.