dest-unreach / socat / advisory / advisory1
socat up to version 1.4.0.2 contains a syslog() based format string vulnerability. This issue was originally reported by CoKi on 19 Oct.2004 http://www.nosystem.com.ar/advisories/advisory-07.txt. Further investigation showed that this vulnerability could under some circumstances lead to local or remote execution of arbitrary code with the privileges of the socat process.
An attack based on this vulnerability is only possible if socat logs to syslog (option -ly). For exploitation, the attacker must be able to insert a taylored format string into a log message.
A local exploit might be possible if socat is listening on a UNIX domain socket and logs to syslog with debug level 2 (-d -d) or higher. If the attacker has the permissions to connect to the socket, he could provide malicious data to execute arbitrary code with the privileges of the socat process.
A remote attack requires that the user invokes socat as HTTP proxy client (address PROXY), logs to syslog, and the attacker spoofes a proxy server where socat connects. The attacker could provide malicious data that might lead to remote code execution with the privileges of the socat process.
Other attack vectors might exist.
All platforms are affected.