===================================================================== CERT-Renater Note d'Information No. 2004/VULN473 _____________________________________________________________________ DATE : 04/11/2004 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running socat versions prior to 1.4.0.3. ====================================================================== - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200410-26 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: socat: Format string vulnerability Date: October 25, 2004 Bugs: #68547 ID: 200410-26 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== socat contains a format string vulnerability that can potentially lead to remote or local execution of arbitrary code with the privileges of the socat process. Background ========== socat is a multipurpose bidirectional relay, similar to netcat. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/socat < 1.4.0.3 >= 1.4.0.3 Description =========== socat contains a syslog() based format string vulnerablility in the '_msg()' function of 'error.c'. Exploitation of this bug is only possible when socat is run with the '-ly' option, causing it to log messages to syslog. Impact ====== Remote exploitation is possible when socat is used as a HTTP proxy client and connects to a malicious server. Local privilege escalation can be achieved when socat listens on a UNIX domain socket. Potential execution of arbitrary code with the privileges of the socat process is possible with both local and remote exploitations. Workaround ========== Disable logging to syslog by not using the '-ly' option when starting socat. Resolution ========== All socat users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/socat-1.4.0.3" References ========== [ 1 ] socat Security Advisory http://www.dest-unreach.org/socat/advisory/socat-adv-1.html Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200410-26.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2004 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/1.0 ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================