Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs  Black Box Testing  Vulnerability Assessment  Vulnerability Scanner SecuriTeam™ in Your Inbox   E-mail this article to a friend New vulnerability? New tool? Tell us	Remote Format String Vulnerability in Tanne 8 Jan. 2003    Summary Tanne is a small, secure session-management solution for HTTP. It replaces common sessions with a system consisting of PIN and TANs, well known from online banking. Its main purpose is to enable programmers of Web applications to have really secured sessions without cookies or session-ids. A vulnerability in the product allows remote attackers to cause the program to execute arbitrary code, by exploiting a format string vulnerability.   Credit: The information has been provided by dong-h0un yoU.    Details Audit your web server for security holes - see what the hackers see. Sign up for a scan today - risk free! Vulnerable systems:  * Tanne version 0.6.17 Vulnerable code: There is logger() function to 29 lines of 'netzio.c' code.     __     59          else     60          {     61                  va_start( args, str );     62                  vsnprintf( txt, 511, str, args );     63                  va_end( args );     64                  openlog( "Tanne2", LOG_PID, LOG_DAEMON );     65                  syslog( LOG_INFO, txt ); // Here.     66                  closelog();     67          }     68          umask( NORMALE_UMASK );     69  #else     70          va_start( args, str );     71          vsnprintf( txt, 511, str, args );     72          va_end( args );     73          openlog( "Tanne2", LOG_PID, LOG_DAEMON );     74          syslog( LOG_INFO, txt ); // Here.     75          closelog();     76  #endif     77  }     -- Patch: --- netzio.c Wed Jul 25 22:17:29 2001 +++ netzio.patch.c Sun Jan 5 11:18:31 2003 @@ -62,7 +62,7 @@   vsnprintf( txt, 511, str, args );   va_end( args );   openlog( "Tanne2", LOG_PID, LOG_DAEMON ); - syslog( LOG_INFO, txt ); + syslog( LOG_INFO, "%s", txt );   closelog();   }   umask( NORMALE_UMASK ); @@ -71,7 +71,7 @@   vsnprintf( txt, 511, str, args );   va_end( args );   openlog( "Tanne2", LOG_PID, LOG_DAEMON ); - syslog( LOG_INFO, txt ); + syslog( LOG_INFO, "%s", txt );   closelog();  #endif  }  Comments:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Calendarix Basic Two SQL Injection Vulnerabilities Multiple Heap Overflows in Xine-Lib OpenLDAP BER Decoding Remote DoS Vulnerability Vim Netrw FTP User Name and Password Disclosure Solaris snoop SMB Multiple Vulnerabilities Libxslt Heap-Based Buffer Overflow Apache Tomcat XSS Vulnerability Apple Mac OS X CoreGraphics PDF Type1 Font Integer Overflow Vulnerability Ingres Database for Linux Multiple Vulnerabilities SAP MaxDB dbmsrv Untrusted Execution Path Vulnerability Asterisk IAX 'POKE' Resource Exhaustion EMC Centera Universal Access SQL Injection Oracle Database Local Untrusted Library Path Vulnerability (Technical Details) Oracle Database Local Untrusted Library Path Vulnerability Novell eDirectory LDAP Search Request Heap Corruption Vulnerability  Featured Articles Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass (MS08-043) MicroWorld MailScan - Multiple Vulnerabilities within Admin-Webinterface Sun xVM VirtualBox Privilege Escalation Vulnerability Vulnerabilities in DNS Allows Spoofing (MS08-037) Vulnerabilities in Microsoft SQL Server Allows Elevation of Privilege (MS08-040) Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks libpoppler Uninitialized Pointer
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2008 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®