Multiple Vendor Cfengine Format String Vulnerability
Cfengine is a language-based system for testing and configuring Unix-like systems attached to a TCP/IP network. cfd, the cfengine daemon component which serves as a remote-configuration client to cfengine, contains several improperly designed calls to syslog(). As a result, trusted hosts (or any user, if access controls are not employed) may create and transmit a malicious message to the network daemon containing user-supplied format specifiers. At the very least, it is easy for a user to crash the service. By sending certain format specifiers, it is also possible for malicious users to write to portions of the program's stack and alter the flow of execution. If successful, an attacker can have arbitrary code execute with the privileges of the daemon (root).
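As an added illustration (not code from cfengine or from the advisory), the unsafe syslog() pattern described above is shown beside its hardened form, together with a small check a defender can use to flag peer messages that carry conversion specifiers. Function names are hypothetical, and the snprintf() variant stands in for syslog() so the rendered entry can be inspected.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern (constructed illustration of the bug class in the
 * advisory): the peer-controlled message *is* the format string, so any
 * conversion it contains (%x, %s, ...) is interpreted by the logging code.
 *
 *     void log_peer_message_unsafe(const char *msg) {
 *         syslog(LOG_ERR, msg);        // BUG: untrusted data as format string
 *     }
 */

/* Hardened form: the format string is a literal and the untrusted text is
 * passed as a %s argument, so its '%' bytes are copied, never interpreted. */
void log_peer_message_safe(const char *peer, const char *msg)
{
    syslog(LOG_ERR, "cfd: message from %s: %s", peer, msg);
}

/* The same fix applied to an in-memory render, so the behaviour can be
 * checked without a syslog daemon. Returns snprintf()'s byte count. */
int render_log_entry(char *out, size_t outlen, const char *peer, const char *msg)
{
    return snprintf(out, outlen, "cfd: message from %s: %s", peer, msg);
}

/* Defensive check: does an untrusted string contain a printf conversion?
 * A '%' followed by anything other than '%' or end of string counts.
 * Useful for auditing received messages or building a detection rule.
 * Returns 1 if a conversion is present, 0 otherwise. */
int contains_conversion(const char *s)
{
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '\0')
            break;              /* lone trailing '%': not a conversion */
        if (p[1] == '%') {      /* "%%" is an escaped percent sign */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}
```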
The following is excerpted verbatim from the original bugtraq posting by Pekka Savola <Pekka.Savola@netcore.fi>:
"VERSIONS AND PLATFORMS AFFECTED:

Every recent version except 1.6.0a11 released on 1st Oct 2000.

1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not part of Red Hat Linux or Powertools. Debian, at least, includes cfengine as a package.

I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I wouldn't be surprised if it was exploitable some way or the other.

Not tested on other non-Linux platforms, but if you run cfd I suggest you check it out no matter the platform."