Vulnerabilities > CVE-2017-5613 - Use of Externally-Controlled Format String vulnerability in Cpanel Cgiecho and Cgiemail
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Format string vulnerability in cgiemail and cgiecho allows remote attackers to execute arbitrary code via format string specifiers in a template file.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
- String Format Overflow in syslog() This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Nessus
| NASL family | Debian Local Security Checks |
| NASL id | DEBIAN_DLA-869.NASL |
| description | The cPanel Security Team discovered several security vulnerabilities in cgiemail, a CGI program used to create HTML forms for sending mails : CVE-2017-5613 A format string injection vulnerability allowed to supply arbitrary format strings to cgiemail and cgiecho. A local attacker with permissions to provide a cgiemail template could use this vulnerability to execute code as webserver user. Format strings in cgiemail tempaltes are now restricted to simple %s, %U and %H sequences. CVE-2017-5614 An open redirect vulnerability in cgiemail and cgiecho binaries could be exploited by a local attacker to force redirect to an arbitrary URL. These redirects are now limited to the domain that handled the request. CVE-2017-5615 A vulnerability in cgiemail and cgiecho binaries allowed injection of additional HTTP headers. Newline characters are now stripped from the redirect location to protect against this. CVE-2017-5616 Missing escaping of the addendum parameter lead to a reflected cross-site (XSS) vulnerability in cgiemail and cgiecho binaries. The output is now html escaped. For Debian 7 |
| last seen | 2020-03-17 |
| modified | 2017-03-27 |
| plugin id | 97964 |
| published | 2017-03-27 |
| reporter | This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/97964 |
| title | Debian DLA-869-1 : cgiemail security update |
Seebug
| bulletinFamily | exploit |
| description | > [] SEC-212 Format string injection > > The ability to supply arbitrary format strings to cgiemail and > cgiecho allowed code execution whenever a user was able to provide a > cgiemail template file. Use CVE-2017-5613. > [] SEC-214 Open redirect > > The cgiemail and cgiecho binaries served as an open redirect due to > their handling of the success and failure parameters. Use CVE-2017-5614. > [] SEC-215 HTTP header injection > > The handling of redirects in cgiemail and cgiecho did not protect > against the injection of additional HTTP headers. Use CVE-2017-5615. > [] Reflected XSS vulnerability > > The "addendum" parameter was reflected without any escaping in > success and error messages produced by cgiemail and cgiecho. Use CVE-2017-5616. |
| id | SSV:92980 |
| last seen | 2017-11-19 |
| modified | 2017-04-21 |
| published | 2017-04-21 |
| reporter | Root |
| title | cgiemail and cgiecho Multiple Security Vulnerabilities (CVE-2017-5613) |