Vulnerabilities > CVE-2004-2026 - Remote Format String vulnerability in APSIS Pound

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

apsis

nessus

exploit available

NVD

Published: 2004-12-31

Updated: 2017-07-11

Summary

Format string vulnerability in the logmsg function in svc.c for Pound 1.5 and earlier allows remote attackers to execute arbitrary code via format string specifiers in syslog messages.

Vulnerable Configurations

Part	Description	Count
Application	Apsis Apsis Pound 1.0 Apsis Pound 1.1 Apsis Pound 1.2 Apsis Pound 1.3 Apsis Pound 1.4 Apsis Pound 1.5	6

Exploit-Db

description	APSIS Pound 1.5 Remote Format String Vulnerability. CVE-2004-2026. Remote exploit for linux platform
id	EDB-ID:24079
last seen	2016-02-02
modified	2004-05-03
published	2004-05-03
reporter	Nilanjan De
source	https://www.exploit-db.com/download/24079/
title	APSIS Pound 1.5 - Remote Format String Vulnerability

Nessus

NASL family	Web Servers
NASL id	POUND_FORMAT_STRINGS.NASL
description	The remote server is vulnerable to a remote format string bug which can allow remote attackers to gain access to confidential data. Pound versions less than 1.6 are vulnerable to this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	12007
published	2004-06-15
reporter	This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/12007
title	APSIS Pound Load Balancer Format String Overflow
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if(description) { script_id(12007); script_version ("1.14"); script_cvs_date("Date: 2018/07/25 18:58:06"); script_cve_id("CVE-2004-2026"); script_bugtraq_id(10267); script_name(english: "APSIS Pound Load Balancer Format String Overflow"); script_summary(english: "APSIS Pound Load Balancer Format String Overflow"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code may be run on the remote server." ); script_set_attribute(attribute:"description", value: "The remote server is vulnerable to a remote format string bug which can allow remote attackers to gain access to confidential data. Pound versions less than 1.6 are vulnerable to this issue." ); script_set_attribute(attribute:"see_also", value:"http://www.apsis.ch/pound/" ); script_set_attribute(attribute:"solution", value: "Upgrade to at least version 1.6 of APSIS Pound." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2004/06/15"); script_set_attribute(attribute:"vuln_publication_date", value: "2004/05/03"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_DESTRUCTIVE_ATTACK); script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc."); script_family(english: "Web Servers"); script_dependencie("http_version.nasl"); script_require_ports("Services/www", 80); exit(0); } # start script include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:80); r = http_send_recv3(method: "GET", port: port, item: "/%s"); if (r[0] =~ "^HTTP/1\.[01] 503 ") { r = http_send_recv3(method: "GET", port: port, item: "/%s %s %s"); # this test is classified as DESTRUCTIVE, but the service does restart # automagically. # you'll see something like this in your logs # pound: MONITOR: worker exited on signal 11, restarting... if (isnull(r)) security_hole(port); }

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-200405-08.NASL
description	The remote host is affected by the vulnerability described in GLSA-200405-08 (Pound format string vulnerability) A format string flaw in the processing of syslog messages was discovered and corrected in Pound. Impact : This flaw may allow remote execution of arbitrary code with the rights of the Pound daemon process. By default, Gentoo uses the
last seen	2020-06-01
modified	2020-06-02
plugin id	14494
published	2004-08-30
reporter	This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/14494
title	GLSA-200405-08 : Pound format string vulnerability
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200405-08. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(14494); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:41"); script_cve_id("CVE-2004-2026"); script_xref(name:"GLSA", value:"200405-08"); script_name(english:"GLSA-200405-08 : Pound format string vulnerability"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200405-08 (Pound format string vulnerability) A format string flaw in the processing of syslog messages was discovered and corrected in Pound. Impact : This flaw may allow remote execution of arbitrary code with the rights of the Pound daemon process. By default, Gentoo uses the 'nobody' user to run the Pound daemon. Workaround : There is no known workaround at this time. All users are advised to upgrade to the latest available version of Pound." ); # http://www.apsis.ch/pound/pound_list/archive/2003/2003-12/1070234315000#1070234315000 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?286b7b4e" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200405-08" ); script_set_attribute( attribute:"solution", value: "All users of Pound should upgrade to the latest stable version: # emerge sync # emerge -pv '>=www-servers/pound-1.6' # emerge '>=www-servers/pound-1.6'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:pound"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2004/05/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/30"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/05/03"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"www-servers/pound", unaffected:make_list("ge 1.6"), vulnerable:make_list("le 1.5"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "www-servers/pound"); }

Summary

Vulnerable Configurations

Exploit-Db

Nessus

References