Vulnerabilities > CVE-2008-7160 - Use of Externally-Controlled Format String vulnerability in Silcnet Silc Toolkit

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The silc_http_server_parse function in lib/silchttp/silchttpserver.c in the internal HTTP server in silcd in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.9 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted Content-Length header, related to incorrect use of a %lu format string.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-9356.NASL
    description - Fri Sep 4 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-7 - Backport patch to fix stack corruption (CVE-2008-7160) (#521256) - Fri Sep 4 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-6 - Backport patch to fix additional string format vulnerabilities (#515648) - Wed Aug 5 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-5 - Backport patch to fix string format vulnerability (#515648) - Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.1.8-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.1.8-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - Tue Dec 23 2008 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-2 - Fix building with libtool 2.2 - Wed Dec 3 2008 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-1 - Update to 1.1.8 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id40909
    published2009-09-10
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40909
    titleFedora 10 : libsilc-1.1.8-7.fc10 (2009-9356)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2009-9356.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40909);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:30");
    
      script_cve_id("CVE-2008-7160");
      script_bugtraq_id(36194);
      script_xref(name:"FEDORA", value:"2009-9356");
    
      script_name(english:"Fedora 10 : libsilc-1.1.8-7.fc10 (2009-9356)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - Fri Sep 4 2009 Stu Tomlinson <stu at nosnilmot.com>
        1.1.8-7
    
        - Backport patch to fix stack corruption (CVE-2008-7160)
          (#521256)
    
        - Fri Sep 4 2009 Stu Tomlinson <stu at nosnilmot.com>
          1.1.8-6
    
        - Backport patch to fix additional string format
          vulnerabilities (#515648)
    
        - Wed Aug 5 2009 Stu Tomlinson <stu at nosnilmot.com>
          1.1.8-5
    
        - Backport patch to fix string format vulnerability
          (#515648)
    
        - Sat Jul 25 2009 Fedora Release Engineering <rel-eng at
          lists.fedoraproject.org> - 1.1.8-4
    
        - Rebuilt for
          https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
    
        - Wed Feb 25 2009 Fedora Release Engineering <rel-eng at
          lists.fedoraproject.org> - 1.1.8-3
    
        - Rebuilt for
          https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
    
        - Tue Dec 23 2008 Stu Tomlinson <stu at nosnilmot.com>
          1.1.8-2
    
        - Fix building with libtool 2.2
    
        - Wed Dec 3 2008 Stu Tomlinson <stu at nosnilmot.com>
          1.1.8-1
    
        - Update to 1.1.8
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=515648"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=521256"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2009-September/028935.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?fc5a92c7"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libsilc package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(134);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libsilc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/09/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC10", reference:"libsilc-1.1.8-7.fc10")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libsilc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SILC-TOOLKIT-6479.NASL
    descriptionThis update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051, CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high.
    last seen2020-06-01
    modified2020-06-02
    plugin id42033
    published2009-10-06
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42033
    titleopenSUSE 10 Security Update : silc-toolkit (silc-toolkit-6479)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-9342.NASL
    description - Fri Sep 4 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-7 - Backport patch to fix stack corruption (CVE-2008-7160) (#521256) - Fri Sep 4 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-6 - Backport patch to fix additional string format vulnerabilities (#515648) - Wed Aug 5 2009 Stu Tomlinson <stu at nosnilmot.com> 1.1.8-5 - Backport patch to fix string format vulnerability (#515648) - Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.1.8-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id40908
    published2009-09-10
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40908
    titleFedora 11 : libsilc-1.1.8-7.fc11 (2009-9342)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_SILC-TOOLKIT-090908.NASL
    descriptionThis update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051 / CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high.
    last seen2020-06-01
    modified2020-06-02
    plugin id41453
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41453
    titleSuSE 11 Security Update : silc-toolkit (SAT Patch Number 1282)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201006-07.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201006-07 (SILC: Multiple vulnerabilities) Multiple vulnerabilities were discovered in SILC Toolkit and SILC Client. For further information please consult the CVE entries referenced below. Impact : A remote attacker could overwrite stack locations and possibly execute arbitrary code via a crafted OID value, Content-Length header or format string specifiers in a nickname field or channel name. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id46774
    published2010-06-02
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/46774
    titleGLSA-201006-07 : SILC: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_SILC-TOOLKIT-090908.NASL
    descriptionThis update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051, CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high.
    last seen2020-06-01
    modified2020-06-02
    plugin id41005
    published2009-09-17
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41005
    titleopenSUSE Security Update : silc-toolkit (silc-toolkit-1280)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1879.NASL
    descriptionSeveral vulnerabilities have been discovered in the software suite for the SILC protocol, a network protocol designed to provide end-to-end security for conferencing services. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-7159 An incorrect format string in sscanf() used in the ASN1 encoder to scan an OID value could overwrite a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. On 64-bit architectures this could result in unexpected application behaviour or even code execution in some cases. - CVE-2009-3051 Various format string vulnerabilities when handling parsed SILC messages allow an attacker to execute arbitrary code with the rights of the victim running the SILC client via crafted nick names or channel names containing format strings. - CVE-2008-7160 An incorrect format string in a sscanf() call used in the HTTP server component of silcd could result in overwriting a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. An attacker could exploit this by using crafted Content-Length header values resulting in unexpected application behaviour or even code execution in some cases. silc-server doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id44744
    published2010-02-24
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/44744
    titleDebian DSA-1879-1 : silc-client/silc-toolkit - several vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_SILC-TOOLKIT-090908.NASL
    descriptionThis update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051, CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high.
    last seen2020-06-01
    modified2020-06-02
    plugin id41003
    published2009-09-17
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41003
    titleopenSUSE Security Update : silc-toolkit (silc-toolkit-1280)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2009-234.NASL
    descriptionMultiple vulnerabilities was discovered and corrected in silc-toolkit : Multiple format string vulnerabilities in lib/silcclient/client_entry.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow remote attackers to execute arbitrary code via format string specifiers in a nickname field, related to the (1) silc_client_add_client, (2) silc_client_update_client, and (3) silc_client_nickname_format functions (CVE-2009-3051). The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted OID value, related to incorrect use of a %lu format string (CVE-2008-7159). The silc_http_server_parse function in lib/silchttp/silchttpserver.c in the internal HTTP server in silcd in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.9 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted Content-Length header, related to incorrect use of a %lu format string (CVE-2008-7160). Multiple format string vulnerabilities in lib/silcclient/command.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client 1.1.8 and earlier, allow remote attackers to execute arbitrary code via format string specifiers in a channel name, related to (1) silc_client_command_topic, (2) silc_client_command_kick, (3) silc_client_command_leave, and (4) silc_client_command_users (CVE-2009-3163). This update provides a solution to these vulnerabilities. Update : Packages for MES5 was not provided previousely, this update addresses this problem. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
    last seen2020-06-01
    modified2020-06-02
    plugin id40997
    published2009-09-16
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40997
    titleMandriva Linux Security Advisory : silc-toolkit (MDVSA-2009:234-2)

Statements

contributorTomas Hoger
lastmodified2009-09-11
organizationRed Hat
statementNot vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5.