Vulnerabilities > CVE-2006-6772 - Use of Externally-Controlled Format String vulnerability in W3M 0.5.1
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Format string vulnerability in the inputAnswer function in file.c in w3m before 0.5.2, when run with the dump or backend option, allows remote attackers to execute arbitrary code via format string specifiers in the Common Name (CN) field of an SSL certificate associated with an https URL.
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
- String Format Overflow in syslog() This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-399-1.NASL description A format string vulnerability was discovered in w3m. If a user were tricked into visiting an HTTPS URL protected by a specially crafted SSL certificate, an attacker could execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 27987 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27987 title Ubuntu 5.10 / 6.06 LTS / 6.10 : w3m vulnerabilities (USN-399-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200701-06.NASL description The remote host is affected by the vulnerability described in GLSA-200701-06 (w3m: Format string vulnerability) w3m in -dump or -backend mode does not correctly handle printf() format string specifiers in the Common Name (CN) field of an X.509 SSL certificate. Impact : An attacker could entice a user to visit a malicious website that would load a specially crafted X.509 SSL certificate containing last seen 2020-06-01 modified 2020-06-02 plugin id 24204 published 2007-01-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24204 title GLSA-200701-06 : w3m: Format string vulnerability NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_9347D82D9A6611DBB271000E35248AD7.NASL description An anonymous person reports : w3m-0.5.1 crashes when using the -dump or -backend options to open a HTTPS URL with a SSL certificate where the CN contains last seen 2020-06-01 modified 2020-06-02 plugin id 23989 published 2007-01-08 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/23989 title FreeBSD : w3m -- format string vulnerability (9347d82d-9a66-11db-b271-000e35248ad7) NASL family SuSE Local Security Checks NASL id SUSE_W3M-2439.NASL description A format string problem in w3m -dump / -backend mode could be used by a malicious server to crash w3m or execute code. (CVE-2006-6772) last seen 2020-06-01 modified 2020-06-02 plugin id 29594 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29594 title SuSE 10 Security Update : w3m (ZYPP Patch Number 2439) NASL family SuSE Local Security Checks NASL id SUSE_SA_2007_005.NASL description The remote host is missing the patch for the advisory SUSE-SA:2007:005 (w3m). A format string problem in w3m -dump / -backend mode could be used by a malicious server to crash w3m or execute code. In SUSE Linux 10.1, openSUSE 10.2 and SUSE Linux Enterprise Server and Desktop 10 this problem was not exploitable to execute code due to use of the FORTIFY SOURCE extensions. This problem is tracked by the Mitre CVE ID CVE-2006-6772. last seen 2019-10-28 modified 2007-02-18 plugin id 24459 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24459 title SUSE-SA:2007:005: w3m NASL family SuSE Local Security Checks NASL id SUSE_W3M-2433.NASL description A format string problem in w3m -dump / -backend mode could be used by a malicious server to crash w3m or execute code. (CVE-2006-6772) last seen 2020-06-01 modified 2020-06-02 plugin id 27475 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27475 title openSUSE 10 Security Update : w3m (w3m-2433) NASL family Fedora Local Security Checks NASL id FEDORA_2007-078.NASL description - Resolves: rh#221484: CVE-2006-6772 w3m is vulnerable to format string attack via CN field of SSL/TLS certificate when invoked with -dump/-backend Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 24200 published 2007-01-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24200 title Fedora Core 5 : w3m-0.5.1-15.fc5 (2007-078) NASL family SuSE Local Security Checks NASL id SUSE9_11376.NASL description A format string problem in w3m -dump / -backend mode could be used by a malicious server to crash w3m or execute code. (CVE-2006-6772) last seen 2020-06-01 modified 2020-06-02 plugin id 41111 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41111 title SuSE9 Security Update : w3m (YOU Patch Number 11376) NASL family Fedora Local Security Checks NASL id FEDORA_2007-077.NASL description - Resolves: rh#221484 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 24199 published 2007-01-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24199 title Fedora Core 6 : w3m-0.5.1-15.fc6 (2007-077)
Statements
| contributor | Mark J Cox |
| lastmodified | 2007-03-14 |
| organization | Red Hat |
| statement | Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. |
References
- http://sourceforge.net/tracker/index.php?func=detail&aid=1612792&group_id=39518&atid=425439
- http://www.securityfocus.com/bid/21735
- http://securitytracker.com/id?1017440
- http://secunia.com/advisories/23492
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051457.html
- http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.044.html
- http://www.ubuntu.com/usn/usn-399-1
- http://secunia.com/advisories/23588
- http://www.novell.com/linux/security/advisories/2007_05_w3m.html
- http://secunia.com/advisories/23717
- http://security.gentoo.org/glsa/glsa-200701-06.xml
- http://secunia.com/advisories/23773
- http://fedoranews.org/cms/node/2415
- http://fedoranews.org/cms/node/2416
- http://secunia.com/advisories/23792
- http://w3m.cvs.sourceforge.net/w3m/w3m/file.c?r1=1.249&r2=1.250
- http://w3m.cvs.sourceforge.net/w3m/w3m/file.c?view=log
- http://www.securityfocus.com/bid/24332
- http://www.vupen.com/english/advisories/2006/5164
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34821
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31114
- http://w3m.cvs.sourceforge.net/%2Acheckout%2A/w3m/w3m/NEWS?revision=1.79