
socat Security Advisory 1


socat up to version contains a syslog() based format string vulnerability. This issue was originally reported by CoKi on 19 Oct. 2004. Further investigation showed that this vulnerability could, under some circumstances, lead to local or remote execution of arbitrary code with the privileges of the socat process.

Conditions and Impact

An attack based on this vulnerability is only possible if socat logs to syslog (option -ly). For exploitation, the attacker must be able to insert a tailored format string into a log message.

A local exploit might be possible if socat is listening on a UNIX domain socket and logs to syslog with debug level 2 (-d -d) or higher. If the attacker has permission to connect to the socket, he could provide malicious data to execute arbitrary code with the privileges of the socat process.

A remote attack requires that the user invokes socat as an HTTP proxy client (address PROXY), logs to syslog, and the attacker spoofs a proxy server to which socat connects. The attacker could provide malicious data that might lead to remote code execution with the privileges of the socat process.

Other attack vectors might exist.
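The bug class described above is a log call that hands untrusted text to syslog() as the format string instead of as an argument. The following is an added illustration, not socat's own code: it shows the hardened shape of such a log call, keeps the vulnerable shape only as a comment, and adds a small review helper that flags untrusted data carrying format directives. The function names (render_peer_log, log_peer_data, contains_format_directive) and the sample peer data are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed sample of what an untrusted peer (a spoofed proxy server, or a
 * client on a UNIX domain socket) could send; it carries format directives. */
static const char SAMPLE_PEER_DATA[] = "HTTP/1.0 200 %x %x %n";

/* Hardened pattern: untrusted text is always an argument to a fixed format,
 * so "%x" or "%n" inside it is rendered literally. Writes into a static
 * buffer so the result can be inspected; a daemon would hand the same fixed
 * format to syslog(). */
const char *render_peer_log(const char *peer_data) {
    static char line[512];
    snprintf(line, sizeof line, "peer sent: %s", peer_data);
    return line;
}

/* Same rule applied to the real syslog() call: fixed format, data as argument. */
void log_peer_data(const char *peer_data) {
    syslog(LOG_INFO, "peer sent: %s", peer_data);
    /* The advisory's bug class is the opposite shape, where the untrusted
     * text itself becomes the format string:
     *     syslog(LOG_INFO, peer_data);
     * which would interpret any %x or %n in peer_data. Left as a comment. */
}

/* Review / test aid: does a string carry a directive that a misplaced format
 * call would interpret? "%%" is a literal percent sign and is ignored; a
 * trailing lone '%' is reported because it is itself a malformed directive. */
int contains_format_directive(const char *s) {
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p, '%')) {
        if (p[1] != '%') return 1;  /* covers "%x", "%n", and a trailing '%' */
        p += 2;                     /* skip the literal "%%" */
    }
    return 0;
}

int main(void) {
    openlog("format-demo", LOG_PID, LOG_USER);
    log_peer_data(SAMPLE_PEER_DATA);
    closelog();
    printf("%s\n", render_peer_log(SAMPLE_PEER_DATA));
    printf("directive present: %d\n", contains_format_directive(SAMPLE_PEER_DATA));
    return 0;
}
```

Compilers can catch the vulnerable shape at build time: gcc and clang warn about a non-literal format string with no arguments under -Wformat-security, and -Werror=format-security turns that into a build failure. Until the fixed version is installed, the advisory's workaround of not logging to syslog (no -ly) removes the path through which the peer's data reaches syslog().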


Affected platforms

All platforms are affected.


Workaround

Disable logging to syslog (do not use option -ly).


Fix

Update socat to version that fixes this vulnerability.


History

CoKi published an advisory with example exploit and informed the author.