COMMAND

    stunnel format string vulnerability

SYSTEMS AFFECTED

    stunnel after 3.15 up to 3.21c

PROBLEM

    Matthias Lange reported on the stunnel mailing list:

        In some occasions, fdprintf is used without a format parameter.
        Fortunately, the errors are only in the smtp and pop3 client
        implementations, so "ordinary" servers are not affected.

        Exploit configuration:

        Acting as a mail server:

            $ netcat -p 252525 -l

        Acting as a mail client:

            $ stunnel -c -n smtp -r localhost:252525

        When the connection is established, I send a string like
        "%s%s%s%s%s%s%s%s%s%s%s%s" from the netcat to the stunnel. Then the
        stunnel performs:

            fdprintf(c->local_wfd,"%s%s%s%s...")

        which prints out a lot of garbage, possibly with a segmentation
        fault.

    Brian Hatch <bri@stunnel.org> explained:

        If you use Stunnel with the '-n smtp', '-n pop', '-n nntp' options
        in client mode ('-c'), a malicious server could abuse the format
        string bug to run arbitrary code as the owner of the Stunnel
        process.
        ...
        There is no vulnerability unless you are invoking Stunnel with the
        '-n smtp', '-n pop', or '-n nntp' options in client mode. There are
        no format string bugs in Stunnel when run as an SSL server.

SOLUTION

    Upgrade to Stunnel-3.22, which is not vulnerable to these bugs, or
    apply the following patch to your version of Stunnel and recompile:

        http://www.stunnel.org/patches/desc/formatbug_ml.html
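As an added illustration (this is not stunnel's own code and not the patch linked above), the call pattern the advisory describes is shown beside its corrected form. fdprintf_like is a hypothetical stand-in for stunnel's fdprintf(), and relay_line_vulnerable, relay_line_fixed and relay_fixed_to_buffer are names chosen for this example. The only difference between the two relay functions is the constant "%s" format: with it, whatever the remote mail server sends is copied to the client literally, percent signs included. Declaring the printf-style function with the format attribute also makes GCC and Clang report the vulnerable call at compile time under -Wformat-security (or -Wformat=2).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

/* Hypothetical stand-in for stunnel's fdprintf(): formats like printf and
 * writes the result to a file descriptor. The format attribute lets the
 * compiler flag any call whose format argument is not a string literal. */
static int fdprintf_like(int fd, const char *fmt, ...) PRINTF_LIKE(2, 3);

static int fdprintf_like(int fd, const char *fmt, ...)
{
    char buf[1024];
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= sizeof buf)
        n = (int)sizeof buf - 1;           /* truncated, never overflows buf */
    return (int)write(fd, buf, (size_t)n);
}

/* VULNERABLE pattern from the advisory: the line received from the remote
 * server is passed as the format argument, so any %-directives in it are
 * interpreted by the formatter. Kept here only for comparison; it is never
 * called in this example. */
static int relay_line_vulnerable(int fd, const char *line)
{
    return fdprintf_like(fd, line);        /* untrusted data as format */
}

/* FIXED pattern: a constant format string. The untrusted line is only ever a
 * %s argument, so its '%' characters are written out literally. */
static int relay_line_fixed(int fd, const char *line)
{
    return fdprintf_like(fd, "%s", line);
}

/* Helper for checking the fixed relay: sends the line through a pipe and
 * reads back exactly what the client side would have received.
 * Returns the number of bytes relayed, or -1 on error. */
static int relay_fixed_to_buffer(const char *line, char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    int n = relay_line_fixed(fds[1], line);
    close(fds[1]);
    ssize_t got = 0;
    if (n > 0 && (size_t)n < outlen)
        got = read(fds[0], out, (size_t)n);
    close(fds[0]);
    if (got < 0)
        return -1;
    out[got] = '\0';
    return (int)got;
}

int main(void)
{
    /* Constructed sample of what a hostile server might send: the relayed
     * output must be the same bytes, not an expansion of the directives. */
    char out[256];
    int n = relay_fixed_to_buffer("%s%s%s%s", out, sizeof out);
    printf("relayed %d bytes: %s\n", n, out);
    (void)relay_line_vulnerable;           /* unused on purpose */
    return 0;
}
```

The test below asserts that the fixed relay reproduces a directive-laden line and an ordinary SMTP banner byte for byte; the vulnerable variant is deliberately not exercised, since calling it with such input is undefined behaviour.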