Vulnerabilities > CVE-2008-7160 - Use of Externally-Controlled Format String vulnerability in Silcnet Silc Toolkit
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The silc_http_server_parse function in lib/silchttp/silchttpserver.c in the internal HTTP server in silcd in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.9 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted Content-Length header, related to incorrect use of a %lu format string.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 8 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
- String Format Overflow in syslog() This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2009-9356.NASL description - Fri Sep 4 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-7 - Backport patch to fix stack corruption (CVE-2008-7160) (#521256) - Fri Sep 4 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-6 - Backport patch to fix additional string format vulnerabilities (#515648) - Wed Aug 5 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-5 - Backport patch to fix string format vulnerability (#515648) - Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.1.8-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.1.8-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - Tue Dec 23 2008 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-2 - Fix building with libtool 2.2 - Wed Dec 3 2008 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-1 - Update to 1.1.8 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 40909 published 2009-09-10 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40909 title Fedora 10 : libsilc-1.1.8-7.fc10 (2009-9356) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2009-9356. # include("compat.inc"); if (description) { script_id(40909); script_version ("1.15"); script_cvs_date("Date: 2019/08/02 13:32:30"); script_cve_id("CVE-2008-7160"); script_bugtraq_id(36194); script_xref(name:"FEDORA", value:"2009-9356"); script_name(english:"Fedora 10 : libsilc-1.1.8-7.fc10 (2009-9356)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Fri Sep 4 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-7 - Backport patch to fix stack corruption (CVE-2008-7160) (#521256) - Fri Sep 4 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-6 - Backport patch to fix additional string format vulnerabilities (#515648) - Wed Aug 5 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-5 - Backport patch to fix string format vulnerability (#515648) - Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.1.8-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.1.8-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - Tue Dec 23 2008 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-2 - Fix building with libtool 2.2 - Wed Dec 3 2008 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-1 - Update to 1.1.8 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=515648" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=521256" ); script_set_attribute( attribute:"see_also", value:"https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild" ); script_set_attribute( attribute:"see_also", value:"https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild" ); # https://lists.fedoraproject.org/pipermail/package-announce/2009-September/028935.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?fc5a92c7" ); script_set_attribute( attribute:"solution", value:"Update the affected libsilc package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(134); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libsilc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10"); script_set_attribute(attribute:"patch_publication_date", value:"2009/09/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC10", reference:"libsilc-1.1.8-7.fc10")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libsilc"); }
NASL family SuSE Local Security Checks NASL id SUSE_SILC-TOOLKIT-6479.NASL description This update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051, CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high. last seen 2020-06-01 modified 2020-06-02 plugin id 42033 published 2009-10-06 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42033 title openSUSE 10 Security Update : silc-toolkit (silc-toolkit-6479) NASL family Fedora Local Security Checks NASL id FEDORA_2009-9342.NASL description - Fri Sep 4 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-7 - Backport patch to fix stack corruption (CVE-2008-7160) (#521256) - Fri Sep 4 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-6 - Backport patch to fix additional string format vulnerabilities (#515648) - Wed Aug 5 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-5 - Backport patch to fix string format vulnerability (#515648) - Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.1.8-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 40908 published 2009-09-10 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40908 title Fedora 11 : libsilc-1.1.8-7.fc11 (2009-9342) NASL family SuSE Local Security Checks NASL id SUSE_11_SILC-TOOLKIT-090908.NASL description This update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051 / CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high. last seen 2020-06-01 modified 2020-06-02 plugin id 41453 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41453 title SuSE 11 Security Update : silc-toolkit (SAT Patch Number 1282) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201006-07.NASL description The remote host is affected by the vulnerability described in GLSA-201006-07 (SILC: Multiple vulnerabilities) Multiple vulnerabilities were discovered in SILC Toolkit and SILC Client. For further information please consult the CVE entries referenced below. Impact : A remote attacker could overwrite stack locations and possibly execute arbitrary code via a crafted OID value, Content-Length header or format string specifiers in a nickname field or channel name. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 46774 published 2010-06-02 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/46774 title GLSA-201006-07 : SILC: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_11_1_SILC-TOOLKIT-090908.NASL description This update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051, CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high. last seen 2020-06-01 modified 2020-06-02 plugin id 41005 published 2009-09-17 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41005 title openSUSE Security Update : silc-toolkit (silc-toolkit-1280) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1879.NASL description Several vulnerabilities have been discovered in the software suite for the SILC protocol, a network protocol designed to provide end-to-end security for conferencing services. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-7159 An incorrect format string in sscanf() used in the ASN1 encoder to scan an OID value could overwrite a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. On 64-bit architectures this could result in unexpected application behaviour or even code execution in some cases. - CVE-2009-3051 Various format string vulnerabilities when handling parsed SILC messages allow an attacker to execute arbitrary code with the rights of the victim running the SILC client via crafted nick names or channel names containing format strings. - CVE-2008-7160 An incorrect format string in a sscanf() call used in the HTTP server component of silcd could result in overwriting a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. An attacker could exploit this by using crafted Content-Length header values resulting in unexpected application behaviour or even code execution in some cases. silc-server doesn last seen 2020-06-01 modified 2020-06-02 plugin id 44744 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44744 title Debian DSA-1879-1 : silc-client/silc-toolkit - several vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_11_0_SILC-TOOLKIT-090908.NASL description This update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051, CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high. last seen 2020-06-01 modified 2020-06-02 plugin id 41003 published 2009-09-17 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41003 title openSUSE Security Update : silc-toolkit (silc-toolkit-1280) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-234.NASL description Multiple vulnerabilities was discovered and corrected in silc-toolkit : Multiple format string vulnerabilities in lib/silcclient/client_entry.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow remote attackers to execute arbitrary code via format string specifiers in a nickname field, related to the (1) silc_client_add_client, (2) silc_client_update_client, and (3) silc_client_nickname_format functions (CVE-2009-3051). The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted OID value, related to incorrect use of a %lu format string (CVE-2008-7159). The silc_http_server_parse function in lib/silchttp/silchttpserver.c in the internal HTTP server in silcd in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.9 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted Content-Length header, related to incorrect use of a %lu format string (CVE-2008-7160). Multiple format string vulnerabilities in lib/silcclient/command.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client 1.1.8 and earlier, allow remote attackers to execute arbitrary code via format string specifiers in a channel name, related to (1) silc_client_command_topic, (2) silc_client_command_kick, (3) silc_client_command_leave, and (4) silc_client_command_users (CVE-2009-3163). This update provides a solution to these vulnerabilities. Update : Packages for MES5 was not provided previousely, this update addresses this problem. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers last seen 2020-06-01 modified 2020-06-02 plugin id 40997 published 2009-09-16 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40997 title Mandriva Linux Security Advisory : silc-toolkit (MDVSA-2009:234-2)
Statements
contributor | Tomas Hoger |
lastmodified | 2009-09-11 |
organization | Red Hat |
statement | Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5. |
References
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
- http://secunia.com/advisories/36614
- http://secunia.com/advisories/36614
- http://secunia.com/advisories/36625
- http://secunia.com/advisories/36625
- http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.9
- http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.9
- http://silcnet.org/general/news/news_toolkit.php
- http://silcnet.org/general/news/news_toolkit.php
- http://www.debian.org/security/2009/dsa-1879
- http://www.debian.org/security/2009/dsa-1879
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:234
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:234
- http://www.openwall.com/lists/oss-security/2009/08/31/5
- http://www.openwall.com/lists/oss-security/2009/08/31/5
- http://www.openwall.com/lists/oss-security/2009/09/03/5
- http://www.openwall.com/lists/oss-security/2009/09/03/5
- http://www.securityfocus.com/bid/36194
- http://www.securityfocus.com/bid/36194