Info

Disclosure

Apr 15, 2004

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

sSMTP contains a flaw that may allow a malicious user to gain the privileges of the ssmtp process. The issue is triggered when untrusted values in the functions log_event() is passed to printf-like functions as format strings. It is possible that the flaw may allow remote mail relay to gain the privileges of the ssmtp process resulting in a loss of confidentiality and/or integrity.

Classification

Location: Local Access Required
Attack Type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Unknown

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

All Vendors	sSMTP	2.50.x
		2.60.x

References

Related OSVDB ID: 5360
Vendor Specific Advisory URL: http://bugs.gentoo.org/show_bug.cgi?id=47918
http://www.gentoo.org/security/en/glsa/glsa-200404-18.xml
Secunia Advisory ID: 11378
CVE ID: 2004-0156 (see also: NVD)
Vendor Specific Solution URL: http://www.debian.org/security/2004/dsa-485
Security Tracker: 1009788 1009790
Vendor URL: http://larve.net/people/hugo/2001/02/ssmtp/

Credit

Max Vozeler - maxhinterhof.net -

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

All Vendors

sSMTP

References

Credit