Info

Disclosure

Oct 29, 2004

Discovery

Unknown

Dates

Exploit

Oct 29, 2004

Solution

Unknown

Description

proxytunnel contains a flaw that may allow a malicious proxy server to perform format string attacks. The issue is due to improper use of syslog() by the messages.c message() function. It is possible that the flaw may allow remote arbitrary code execution resulting in a loss of integrity.

Classification

Location: Remote / Network Access, Local / Remote, Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to version 1.2.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Jos Visser and Mark Janssen	proxytunnel	1.2.2
		1.2.1
		1.2.0
		1.1.x

References

Security Tracker: 1012072 1012073
Bugtraq ID: 11592
Secunia Advisory ID: 13081 13087
ISS X-Force ID: 17945
CVE ID: 2004-0992 (see also: NVD)
Vendor Specific Advisory URL: http://bugs.gentoo.org/show_bug.cgi?id=69379
http://security.gentoo.org/glsa/glsa-200411-07.xml
Vendor Specific News/Changelog Entry: http://proxytunnel.sourceforge.net/
http://sourceforge.net/project/shownotes.php?release_id=279764

Credit

Florian Schilhabel - florian.schilhabelgmx.net -

Direct URL: http://osvdb.org/11390

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Jos Visser and Mark Janssen

proxytunnel

References

Credit