FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

proxytunnel -- format string vulnerability

Affected packages
proxytunnel < 1.2.3

Details

VuXML ID 50744596-368f-11d9-a9e7-0001020eed82
Discovery 2004-11-01
Entry 2004-11-15

A Gentoo Linux Security Advisory reports:

Florian Schilhabel of the Gentoo Linux Security Audit project found a format string vulnerability in Proxytunnel. When the program is started in daemon mode (-a [port]), it improperly logs invalid proxy answers to syslog.

A malicious remote server could send specially-crafted invalid answers to exploit the format string vulnerability, potentially allowing the execution of arbitrary code on the tunnelling host with the rights of the Proxytunnel process.

References

CVE Name CVE-2004-0992
URL http://proxytunnel.sourceforge.net/news.html
URL http://www.gentoo.org/security/en/glsa/glsa-200411-07.xml