VYPR
Unrated severity · NVD Advisory · Published Nov 23, 2004 · Updated Apr 16, 2026

CVE-2004-0354

Description

Multiple format string vulnerabilities in GNU Anubis 3.6.0-3.6.2, 3.9.92, and 3.9.93 allow remote attackers to execute arbitrary code via crafted strings sent to the info, anubis_error, or ssl_error functions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

GNU Anubis versions 3.6.0, 3.6.1, 3.6.2, 3.9.92, and 3.9.93 contain multiple format string bugs in three functions: the info() function in log.c, the anubis_error() function in errs.c, and the ssl_error() function in ssl.c. These functions pass user-supplied strings directly to syslog() or a logging function that interprets format string specifiers, allowing an attacker to supply malicious format tokens [1][2].

Exploitation

An unauthenticated remote attacker can exploit these vulnerabilities by sending specially crafted data, such as SMTP commands or other network input, that includes format string specifiers (e.g., %n, %x) to the Anubis service. No prior authentication is required, because the vulnerable code paths are reachable before privilege separation occurs [1]. The attacker does not need a local account; network access to the Anubis proxy port is sufficient.

Impact

Successful exploitation allows arbitrary code execution with the privileges of the Anubis process, which typically runs as root and drops privileges only after certain processing stages. An attacker can achieve full remote compromise, potentially gaining root access to the mail server [1].

Mitigation

The vendor (GNU Anubis Team) released patches for versions 3.6.2 and 3.9.93 on February 28, 2004, available from the Savannah patch tracker [2]. Users should upgrade to the patched versions or apply the official vendor patches. Later versions (post-3.9.93) already include the fix. For unsupported versions (3.6.0, 3.6.1, 3.9.92), upgrading to a patched release is mandatory [1][2].
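The bug class described under Vulnerability and the shape of the fix referred to under Mitigation, as an added C example (not GNU Anubis code): a hypothetical printf-style logger `log_info` stands in for info()/anubis_error()/ssl_error(), `log_unsafe` and `log_fixed` are the vulnerable and corrected call sites, and `count_directives` is an audit helper for reviewing strings that reach logging calls. The function names and the `last_log` buffer that stands in for syslog() are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[256];  /* stand-in for syslog(): holds the rendered line */

/* Hypothetical printf-style logger, like the advisory's info()/anubis_error()/
 * ssl_error(): whatever arrives in 'fmt' is parsed for '%' directives. With no
 * format attribute, -Wformat-security cannot see through this wrapper, which is
 * how such bugs hide; __attribute__((format(printf, 1, 2))) would expose the
 * unsafe call site below at compile time. */
static void log_info(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Vulnerable call site: untrusted text becomes the format string. Well-defined
 * only when its sole directive is "%%"; any other conversion reads arguments
 * that were never passed (undefined behaviour). */
const char *log_unsafe(const char *untrusted)
{
    log_info(untrusted);
    return last_log;
}

/* Fixed call site: constant format; the untrusted text is only a %s argument. */
const char *log_fixed(const char *untrusted)
{
    log_info("%s", untrusted);
    return last_log;
}

/* Audit heuristic: count '%' conversions that would be interpreted if the string
 * reached a format parameter. "%%" is a literal percent and is not counted. */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%')
            p++;                 /* escaped percent: skip the pair */
        else if (p[1] != '\0')
            n++;                 /* a conversion such as %s, %x or %n */
    }
    return n;
}
```

On the constructed input `"upload 100%% complete"` the unsafe path collapses `%%` to `%` because the text was parsed as a format, while the fixed path logs it verbatim; the same input containing any other directive would be undefined behaviour on the unsafe path, which is the condition the advisory describes.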

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

GNU/Anubis, 6 versions:
  • cpe:2.3:a:gnu:anubis:3.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:anubis:3.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:anubis:3.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:anubis:3.9.92:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:anubis:3.9.93:*:*:*:*:*:*:*
  • (no CPE) range: 3.6.0-3.6.2, 3.9.92, 3.9.93

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is generated only when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

4

News mentions

0

No linked articles in our index yet.