Vulnerabilities > CVE-2008-7159 - USE of Externally-Controlled Format String vulnerability in Silcnet Silc Toolkit

047910
CVSS 5.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
silcnet
CWE-134
nessus

Summary

The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted OID value, related to incorrect use of a %lu format string.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SILC-TOOLKIT-6479.NASL
    descriptionThis update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051, CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high.
    last seen2020-06-01
    modified2020-06-02
    plugin id42033
    published2009-10-06
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42033
    titleopenSUSE 10 Security Update : silc-toolkit (silc-toolkit-6479)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_SILC-TOOLKIT-090908.NASL
    descriptionThis update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051 / CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high.
    last seen2020-06-01
    modified2020-06-02
    plugin id41453
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41453
    titleSuSE 11 Security Update : silc-toolkit (SAT Patch Number 1282)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201006-07.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201006-07 (SILC: Multiple vulnerabilities) Multiple vulnerabilities were discovered in SILC Toolkit and SILC Client. For further information please consult the CVE entries referenced below. Impact : A remote attacker could overwrite stack locations and possibly execute arbitrary code via a crafted OID value, Content-Length header or format string specifiers in a nickname field or channel name. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id46774
    published2010-06-02
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/46774
    titleGLSA-201006-07 : SILC: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_SILC-TOOLKIT-090908.NASL
    descriptionThis update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051, CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high.
    last seen2020-06-01
    modified2020-06-02
    plugin id41005
    published2009-09-17
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41005
    titleopenSUSE Security Update : silc-toolkit (silc-toolkit-1280)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1879.NASL
    descriptionSeveral vulnerabilities have been discovered in the software suite for the SILC protocol, a network protocol designed to provide end-to-end security for conferencing services. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-7159 An incorrect format string in sscanf() used in the ASN1 encoder to scan an OID value could overwrite a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. On 64-bit architectures this could result in unexpected application behaviour or even code execution in some cases. - CVE-2009-3051 Various format string vulnerabilities when handling parsed SILC messages allow an attacker to execute arbitrary code with the rights of the victim running the SILC client via crafted nick names or channel names containing format strings. - CVE-2008-7160 An incorrect format string in a sscanf() call used in the HTTP server component of silcd could result in overwriting a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. An attacker could exploit this by using crafted Content-Length header values resulting in unexpected application behaviour or even code execution in some cases. silc-server doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id44744
    published2010-02-24
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/44744
    titleDebian DSA-1879-1 : silc-client/silc-toolkit - several vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_SILC-TOOLKIT-090908.NASL
    descriptionThis update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051, CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high.
    last seen2020-06-01
    modified2020-06-02
    plugin id41003
    published2009-09-17
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41003
    titleopenSUSE Security Update : silc-toolkit (silc-toolkit-1280)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2009-234.NASL
    descriptionMultiple vulnerabilities was discovered and corrected in silc-toolkit : Multiple format string vulnerabilities in lib/silcclient/client_entry.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow remote attackers to execute arbitrary code via format string specifiers in a nickname field, related to the (1) silc_client_add_client, (2) silc_client_update_client, and (3) silc_client_nickname_format functions (CVE-2009-3051). The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted OID value, related to incorrect use of a %lu format string (CVE-2008-7159). The silc_http_server_parse function in lib/silchttp/silchttpserver.c in the internal HTTP server in silcd in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.9 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted Content-Length header, related to incorrect use of a %lu format string (CVE-2008-7160). Multiple format string vulnerabilities in lib/silcclient/command.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client 1.1.8 and earlier, allow remote attackers to execute arbitrary code via format string specifiers in a channel name, related to (1) silc_client_command_topic, (2) silc_client_command_kick, (3) silc_client_command_leave, and (4) silc_client_command_users (CVE-2009-3163). This update provides a solution to these vulnerabilities. Update : Packages for MES5 was not provided previousely, this update addresses this problem. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
    last seen2020-06-01
    modified2020-06-02
    plugin id40997
    published2009-09-16
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40997
    titleMandriva Linux Security Advisory : silc-toolkit (MDVSA-2009:234-2)

Statements

contributorTomas Hoger
lastmodified2009-09-11
organizationRed Hat
statementNot vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5.