CVE-2004-0393
Description
Format string vulnerability in rlprd 2.0.4 allows remote unauthenticated attackers to execute arbitrary code via syslog.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A format string vulnerability exists in the msg function of the rlpr daemon (rlprd) version 2.0.4. The daemon reads a 64-byte buffer from a connecting client and attempts to resolve it. If the resolution fails, the buffer is passed as a format string argument to syslog(), allowing format specifiers to be interpreted [1].
Exploitation
An attacker can exploit this remotely without authentication by connecting to the rlprd server and sending a specially crafted buffer containing format string specifiers such as %n and %x. The buffer is read and, if it cannot be resolved, passed directly to syslog(). The attacker controls the format string, enabling arbitrary memory writes [1].
Impact
Successful exploitation allows arbitrary code execution with root privileges, as rlprd typically runs as root [1][2]. This gives the attacker full control over the affected system.
Mitigation
Debian released security advisory DSA-524 on 2004-06-24, which provides fixed packages for Debian GNU/Linux 3.0 (woody) [2]. Users should upgrade to the patched version of rlprd. No workaround is available; upgrading is the only mitigation.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (6)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The msg function in rlprd 2.0.4 passes user-supplied input directly to syslog without proper sanitization, leading to format string vulnerabilities."
Attack vector
A remote attacker can connect to the rlprd server and send a specially crafted buffer containing format string specifiers. The server reads a buffer of at most 64 bytes. If this buffer cannot be resolved, it is passed to the syslog function, triggering the format string vulnerability and potentially allowing arbitrary code execution [1].
Affected code
The vulnerability exists in the msg function of the rlprd daemon (rlprd 2.0.4), which calls the syslog function with user-supplied input that could not be resolved [1].
What the fix does
The advisory does not specify a patch or provide details on a fix. It indicates that the vulnerability lies in logging calls that invoke syslog without a format specifier, so that user-supplied input passed as the argument leads to a format string exploit [1]. Users are advised to upgrade to a non-vulnerable version.
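The pattern described above, shown as an added example: this is not rlprd's source and not the Debian fix. The helper names `sanitize_for_log` and `log_unresolved`, the log message text and the sample input are assumptions made for illustration; only the 64-byte buffer size and the use of syslog come from the page.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define CLIENT_BUF_LEN 64 /* page: daemon reads a 64-byte client buffer */

/* Vulnerable pattern the page describes (shown only as a comment):
 *     syslog(LOG_ERR, client_buf);   // client bytes are parsed as the format
 * gcc/clang flag this call with -Wformat -Wformat-security. */

/* Hypothetical helper: copy at most out_len-1 bytes, stop at NUL, and
 * replace control/non-ASCII bytes so a client cannot forge log lines. */
static size_t sanitize_for_log(const char *in, size_t in_len,
                               char *out, size_t out_len)
{
    size_t n = 0;
    for (size_t i = 0; i < in_len && in[i] != '\0' && n + 1 < out_len; i++) {
        unsigned char c = (unsigned char)in[i];
        out[n++] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    out[n] = '\0';
    return n;
}

/* Hardened logging: the format string is a constant, and the client data is
 * only ever an argument to %s. `rendered` receives the same text that is
 * sent to syslog so callers (and tests) can inspect it. */
static int log_unresolved(const char *client_buf, size_t len,
                          char *rendered, size_t rendered_len)
{
    char clean[CLIENT_BUF_LEN + 1];
    if (len > CLIENT_BUF_LEN)
        len = CLIENT_BUF_LEN;
    sanitize_for_log(client_buf, len, clean, sizeof clean);
    syslog(LOG_ERR, "unable to resolve client-supplied name: %s", clean);
    return snprintf(rendered, rendered_len,
                    "unable to resolve client-supplied name: %s", clean);
}

int main(void)
{
    char out[128];
    const char sample[] = "%x%x%n\n"; /* constructed input, not a real capture */
    log_unresolved(sample, sizeof sample - 1, out, sizeof out);
    puts(out); /* specifiers appear literally; newline shown as '?' */
    return 0;
}
```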
Preconditions
- network: The attacker must be able to connect to the rlprd server.
- input: The attacker must be able to send a buffer containing format string specifiers to the server.
Reproduction
http://www.felinemenace.org/exploits/rlprd.py
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- www.debian.org/security/2004/dsa-524 (nvd; Patch, Vendor Advisory)
- www.securityfocus.com/bid/10578 (nvd; Exploit, Patch, Vendor Advisory)
- marc.info (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/16453 (nvd)