Vulnerabilities > CVE-2009-3051 - Use of Externally-Controlled Format String vulnerability in Silcnet Silc Client and Silc Toolkit
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Multiple format string vulnerabilities in lib/silcclient/client_entry.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow remote attackers to execute arbitrary code via format string specifiers in a nickname field, related to the (1) silc_client_add_client, (2) silc_client_update_client, and (3) silc_client_nickname_format functions.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
- String Format Overflow in syslog() This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_4E306850811F11DE8A67000C29A67389.NASL description SILC changelog reports : An unspecified format string vulnerability exists in silc-client. last seen 2020-06-01 modified 2020-06-02 plugin id 40486 published 2009-08-05 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40486 title FreeBSD : silc-client -- Format string vulnerability (4e306850-811f-11de-8a67-000c29a67389) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(40486); script_version("1.11"); script_cvs_date("Date: 2019/08/02 13:32:39"); script_cve_id("CVE-2009-3051"); script_name(english:"FreeBSD : silc-client -- Format string vulnerability (4e306850-811f-11de-8a67-000c29a67389)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "SILC changelog reports : An unspecified format string vulnerability exists in silc-client." ); # http://silcnet.org/docs/changelog/SILC%20Client%201.1.8 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?f8bad6b9" ); # https://vuxml.freebsd.org/freebsd/4e306850-811f-11de-8a67-000c29a67389.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?45ba11e0" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_cwe_id(134); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:silc-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:silc-irssi-client"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/31"); script_set_attribute(attribute:"patch_publication_date", value:"2009/08/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"silc-client<1.1.8")) flag++; if (pkg_test(save_report:TRUE, pkg:"silc-irssi-client<1.1.8")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_24AA99709CCD11DEAF10000C29A67389.NASL description SILC Changlog reports : An unspecified format string vulnerability exists in silc-toolkit. last seen 2020-06-01 modified 2020-06-02 plugin id 40899 published 2009-09-09 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40899 title FreeBSD : silc-toolkit -- Format string vulnerabilities (24aa9970-9ccd-11de-af10-000c29a67389) NASL family SuSE Local Security Checks NASL id SUSE_SILC-TOOLKIT-6479.NASL description This update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051, CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high. last seen 2020-06-01 modified 2020-06-02 plugin id 42033 published 2009-10-06 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42033 title openSUSE 10 Security Update : silc-toolkit (silc-toolkit-6479) NASL family SuSE Local Security Checks NASL id SUSE_11_SILC-TOOLKIT-090908.NASL description This update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051 / CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high. last seen 2020-06-01 modified 2020-06-02 plugin id 41453 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41453 title SuSE 11 Security Update : silc-toolkit (SAT Patch Number 1282) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201006-07.NASL description The remote host is affected by the vulnerability described in GLSA-201006-07 (SILC: Multiple vulnerabilities) Multiple vulnerabilities were discovered in SILC Toolkit and SILC Client. For further information please consult the CVE entries referenced below. Impact : A remote attacker could overwrite stack locations and possibly execute arbitrary code via a crafted OID value, Content-Length header or format string specifiers in a nickname field or channel name. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 46774 published 2010-06-02 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/46774 title GLSA-201006-07 : SILC: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_11_1_SILC-TOOLKIT-090908.NASL description This update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051, CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high. last seen 2020-06-01 modified 2020-06-02 plugin id 41005 published 2009-09-17 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41005 title openSUSE Security Update : silc-toolkit (silc-toolkit-1280) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-235.NASL description Multiple vulnerabilities was discovered and corrected in silc-toolkit : Multiple format string vulnerabilities in lib/silcclient/client_entry.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow remote attackers to execute arbitrary code via format string specifiers in a nickname field, related to the (1) silc_client_add_client, (2) silc_client_update_client, and (3) silc_client_nickname_format functions (CVE-2009-3051). Multiple format string vulnerabilities in lib/silcclient/command.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client 1.1.8 and earlier, allow remote attackers to execute arbitrary code via format string specifiers in a channel name, related to (1) silc_client_command_topic, (2) silc_client_command_kick, (3) silc_client_command_leave, and (4) silc_client_command_users (CVE-2009-3163). This update provides a solution to these vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 48152 published 2010-07-30 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/48152 title Mandriva Linux Security Advisory : silc-toolkit (MDVSA-2009:235) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1879.NASL description Several vulnerabilities have been discovered in the software suite for the SILC protocol, a network protocol designed to provide end-to-end security for conferencing services. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-7159 An incorrect format string in sscanf() used in the ASN1 encoder to scan an OID value could overwrite a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. On 64-bit architectures this could result in unexpected application behaviour or even code execution in some cases. - CVE-2009-3051 Various format string vulnerabilities when handling parsed SILC messages allow an attacker to execute arbitrary code with the rights of the victim running the SILC client via crafted nick names or channel names containing format strings. - CVE-2008-7160 An incorrect format string in a sscanf() call used in the HTTP server component of silcd could result in overwriting a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. An attacker could exploit this by using crafted Content-Length header values resulting in unexpected application behaviour or even code execution in some cases. silc-server doesn last seen 2020-06-01 modified 2020-06-02 plugin id 44744 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44744 title Debian DSA-1879-1 : silc-client/silc-toolkit - several vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_11_0_SILC-TOOLKIT-090908.NASL description This update of slic-toolkit fixes stack-based overflow while encoding a ASN.1 OID (CVE-2008-7159) and several format string bugs (CVE-2009-3051, CVE-2008-7160). The probability to exploit this issues to execute arbitrary code is high. last seen 2020-06-01 modified 2020-06-02 plugin id 41003 published 2009-09-17 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41003 title openSUSE Security Update : silc-toolkit (silc-toolkit-1280) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-234.NASL description Multiple vulnerabilities was discovered and corrected in silc-toolkit : Multiple format string vulnerabilities in lib/silcclient/client_entry.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow remote attackers to execute arbitrary code via format string specifiers in a nickname field, related to the (1) silc_client_add_client, (2) silc_client_update_client, and (3) silc_client_nickname_format functions (CVE-2009-3051). The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted OID value, related to incorrect use of a %lu format string (CVE-2008-7159). The silc_http_server_parse function in lib/silchttp/silchttpserver.c in the internal HTTP server in silcd in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.9 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted Content-Length header, related to incorrect use of a %lu format string (CVE-2008-7160). Multiple format string vulnerabilities in lib/silcclient/command.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client 1.1.8 and earlier, allow remote attackers to execute arbitrary code via format string specifiers in a channel name, related to (1) silc_client_command_topic, (2) silc_client_command_kick, (3) silc_client_command_leave, and (4) silc_client_command_users (CVE-2009-3163). This update provides a solution to these vulnerabilities. Update : Packages for MES5 was not provided previousely, this update addresses this problem. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers last seen 2020-06-01 modified 2020-06-02 plugin id 40997 published 2009-09-16 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40997 title Mandriva Linux Security Advisory : silc-toolkit (MDVSA-2009:234-2)
Statements
| contributor | Tomas Hoger |
| lastmodified | 2009-09-11 |
| organization | Red Hat |
| statement | Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5. |
References
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
- http://secunia.com/advisories/36134
- http://secunia.com/advisories/36134
- http://secunia.com/advisories/36614
- http://secunia.com/advisories/36614
- http://silcnet.org/docs/changelog/SILC%20Client%201.1.8
- http://silcnet.org/docs/changelog/SILC%20Client%201.1.8
- http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.10
- http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.10
- http://silcnet.org/docs/release/SILC%20Client%201.1.8
- http://silcnet.org/docs/release/SILC%20Client%201.1.8
- http://silcnet.org/general/news/news_client.php
- http://silcnet.org/general/news/news_client.php
- http://silcnet.org/general/news/news_toolkit.php
- http://silcnet.org/general/news/news_toolkit.php
- http://www.debian.org/security/2009/dsa-1879
- http://www.debian.org/security/2009/dsa-1879
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:234
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:234
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:235
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:235
- http://www.openwall.com/lists/oss-security/2009/08/31/5
- http://www.openwall.com/lists/oss-security/2009/08/31/5
- http://www.openwall.com/lists/oss-security/2009/09/03/5
- http://www.openwall.com/lists/oss-security/2009/09/03/5
- http://www.securityfocus.com/bid/35940
- http://www.securityfocus.com/bid/35940
- http://www.vupen.com/english/advisories/2009/2150
- http://www.vupen.com/english/advisories/2009/2150