Vulnerability Note VU#139421
simpleproxy format string vulnerability
Overview
A format string vulnerability in the simpleproxy TCP proxy may allow a remote attacker to execute arbitrary code on a vulnerable system.
Description
simpleproxy, a basic open source TCP proxy, contains a format string vulnerability in an unspecified HTTP proxy request handling routine. If a remote attacker sends simpleproxy a specially crafted HTTP request, they may be able to execute arbitrary code on a vulnerable system. |
Impact
A remote attacker may be able to execute arbitrary code with the privileges of the simpleproxy process. |
Solution
Upgrade Upgrading to simpleproxy version 3.4 corrects this problem. |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Debian Linux | Affected | 02 Sep 2005 | 02 Sep 2005 |
| simpleproxy | Affected | - | 01 Sep 2005 |
| Apple Computer, Inc. | Not Affected | 02 Sep 2005 | 10 Oct 2005 |
| OpenWall Linux | Not Affected | 02 Sep 2005 | 06 Sep 2005 |
| Sun Microsystems, Inc. | Not Affected | 02 Sep 2005 | 06 Sep 2005 |
| Conectiva Inc. | Unknown | 02 Sep 2005 | 02 Sep 2005 |
| Cray, Inc. | Unknown | 02 Sep 2005 | 02 Sep 2005 |
| EMC, Inc. (formerly Data General Corporation) | Unknown | 02 Sep 2005 | 02 Sep 2005 |
| Engarde Secure Linux | Unknown | 02 Sep 2005 | 02 Sep 2005 |
| F5 Networks, Inc. | Unknown | 02 Sep 2005 | 02 Sep 2005 |
| FreeBSD, Inc. | Unknown | 02 Sep 2005 | 02 Sep 2005 |
| Fujitsu Limited | Unknown | 02 Sep 2005 | 02 Sep 2005 |
| Hewlett-Packard Company | Unknown | 02 Sep 2005 | 02 Sep 2005 |
| Hitachi Internetworking | Unknown | 02 Sep 2005 | 02 Sep 2005 |
| IBM Corporation | Unknown | 02 Sep 2005 | 02 Sep 2005 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://secunia.com/advisories/16567/
- http://www.us.debian.org/security/2005/dsa-786
- http://sourceforge.net/projects/simpleproxy
Credit
This vulnerability was reported by Ulf Harnhammar.
This document was written by Jeff Gennari.
Other Information
- CVE IDs: CAN-2005-1857
- Date Public: 26 Aug 2005
- Date First Published: 02 Sep 2005
- Date Last Updated: 10 Oct 2005
- Severity Metric: 5.84
- Document Revision: 19
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.