Vulnerabilities > CVE-2005-3656 - Use of Externally-Controlled Format String vulnerability in Guiseppe Tanzilli and Matthias Eckermann MOD Auth Pgsql 0.9.5/0.9.6
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Multiple format string vulnerabilities in logging functions in mod_auth_pgsql before 2.0.3, when used for user authentication against a PostgreSQL database, allows remote unauthenticated attackers to execute arbitrary code, as demonstrated via the username.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 3 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
- String Format Overflow in syslog() This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Nessus
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2006-0164.NASL description Updated mod_auth_pgsql packages that fix format string security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The mod_auth_pgsql package is an httpd module that allows user authentication against information stored in a PostgreSQL database. Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 21887 published 2006-07-03 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21887 title CentOS 3 / 4 : mod_auth_pgsql (CESA-2006:0164) NASL family Fedora Local Security Checks NASL id FEDORA_2006-015.NASL description Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 20405 published 2006-01-15 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20405 title Fedora Core 4 : mod_auth_pgsql-2.0.1-8.1 (2006-015) NASL family Fedora Local Security Checks NASL id FEDORA_2006-014.NASL description Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 20404 published 2006-01-15 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20404 title Fedora Core 3 : mod_auth_pgsql-2.0.1-6.2 (2006-014) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200601-05.NASL description The remote host is affected by the vulnerability described in GLSA-200601-05 (mod_auth_pgsql: Multiple format string vulnerabilities) The error logging functions of mod_auth_pgsql fail to validate certain strings before passing them to syslog, resulting in format string vulnerabilities. Impact : An unauthenticated remote attacker could exploit these vulnerabilities to execute arbitrary code with the rights of the user running the Apache2 server by sending specially crafted login names. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 20415 published 2006-01-15 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/20415 title GLSA-200601-05 : mod_auth_pgsql: Multiple format string vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-935.NASL description iDEFENSE reports that a format string vulnerability in mod_auth_pgsql, a library used to authenticate web users against a PostgreSQL database, could be used to execute arbitrary code with the privileges of the httpd user. last seen 2020-06-01 modified 2020-06-02 plugin id 22801 published 2006-10-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22801 title Debian DSA-935-1 : libapache2-mod-auth-pgsql - format string vulnerability NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-239-1.NASL description Several format string vulnerabilities were discovered in the error logging handling. By sending specially crafted user names, an unauthenticated remote attacker could exploit this to crash the Apache server or possibly even execute arbitrary code with the privileges of Apache (user last seen 2020-06-01 modified 2020-06-02 plugin id 20786 published 2006-01-21 reporter Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20786 title Ubuntu 4.10 / 5.04 / 5.10 : libapache2-mod-auth-pgsql vulnerability (USN-239-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0164.NASL description Updated mod_auth_pgsql packages that fix format string security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. The mod_auth_pgsql package is an httpd module that allows user authentication against information stored in a PostgreSQL database. Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the last seen 2020-06-01 modified 2020-06-02 plugin id 20399 published 2006-01-11 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/20399 title RHEL 3 / 4 : mod_auth_pgsql (RHSA-2006:0164) NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-009.NASL description iDefense discovered several format string vulnerabilities in the way that mod_auth_pgsql logs information which could potentially be used by a remote attacker to execute arbitrary code as the apache user if mod_auth_pgsql is used for user authentication. The provided packages have been patched to prevent this problem. last seen 2020-06-01 modified 2020-06-02 plugin id 20475 published 2006-01-15 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20475 title Mandrake Linux Security Advisory : apache2-mod_auth_pgsql (MDKSA-2006:009)
Oval
| accepted | 2013-04-29T04:07:00.009-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | Multiple format string vulnerabilities in logging functions in mod_auth_pgsql before 2.0.3, when used for user authentication against a PostgreSQL database, allows remote unauthenticated attackers to execute arbitrary code, as demonstrated via the username. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:10600 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | Multiple format string vulnerabilities in logging functions in mod_auth_pgsql before 2.0.3, when used for user authentication against a PostgreSQL database, allows remote unauthenticated attackers to execute arbitrary code, as demonstrated via the username. | ||||||||||||||||||||
| version | 25 |
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://www.redhat.com/support/errata/RHSA-2006-0164.html
- http://www.securityfocus.com/bid/16153
- http://secunia.com/advisories/18304
- http://secunia.com/advisories/18321
- http://www.idefense.com/intelligence/vulnerabilities/display.php?id=367
- http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00016.html
- http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00015.html
- http://securitytracker.com/id?1015446
- http://secunia.com/advisories/18348
- http://secunia.com/advisories/18347
- http://secunia.com/advisories/18350
- http://www.debian.de/security/2006/dsa-935
- http://www.gentoo.org/security/en/glsa/glsa-200601-05.xml
- http://secunia.com/advisories/18397
- http://secunia.com/advisories/18403
- ftp://patches.sgi.com/support/free/security/advisories/20060101-01-U
- http://secunia.com/advisories/18517
- http://www.trustix.org/errata/2006/0002/
- http://secunia.com/advisories/18463
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:009
- http://www.vupen.com/english/advisories/2006/0070
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10600
- https://usn.ubuntu.com/239-1/
- http://www.giuseppetanzilli.it/mod_auth_pgsql2/