CVE-2004-0623
Description
A format string bug in GNU GNATS 4.00 allows remote attackers to possibly execute arbitrary code via syslog.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A format string vulnerability exists in the misc.c file of GNU GNATS version 4.00. The vulnerability occurs when a string containing format specifiers is passed directly to the syslog() function without proper sanitization. The problematic code path is triggered when the SYSLOG case is selected, and syslog(severity, buf) is called with a user-controllable buf parameter [1].
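The call pattern described above beside its hardened form, as an added example that is not GNATS source or a vendor patch. The function names and the sample input are hypothetical; only `syslog(severity, buf)` comes from the description.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern from the description (shown for contrast, never called):
 *     syslog(severity, buf);      buf is parsed as the format string
 */

/* Hardened call: the format is a constant, buf is only ever data. */
void log_hardened(int severity, const char *buf)
{
    syslog(severity, "%s", buf);
}

/* The same "%s" rule applied to a buffer so the result can be inspected. */
int render_hardened(char *out, size_t outlen, const char *buf)
{
    return snprintf(out, outlen, "%s", buf);
}

/* Audit helper (hypothetical): count '%' directives in a string; "%%" is a
 * literal percent sign and is not counted. A non-zero count on untrusted
 * input marks text the vulnerable call would have interpreted. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    while (*s) {
        if (*s == '%') {
            if (s[1] == '%') { s += 2; continue; }
            n++;
        }
        s++;
    }
    return n;
}

int main(void)
{
    const char *sample = "user=%x%x%n";   /* constructed sample input */
    char out[64];

    render_hardened(out, sizeof out, sample);
    printf("logged verbatim: %s (directives: %zu)\n", out, count_directives(sample));
    openlog("gnats-example", LOG_PID, LOG_USER);
    log_hardened(LOG_INFO, sample);       /* written to the log as plain text */
    closelog();
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn on the non-literal format in the vulnerable pattern.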
Exploitation
An attacker can send a crafted string containing format specifiers (e.g., %n, %x) to the GNATS application, which then logs this string via syslog. No authentication is required if the GNATS service is exposed to the network. The attacker does not need special privileges; the attack can be performed remotely by any user able to send input that gets processed by the vulnerable code path [1].
Impact
If successfully exploited, the format string vulnerability may allow an attacker to execute arbitrary code on the target system. The impact includes complete compromise of the GNATS service, potentially leading to data loss, information disclosure, or further lateral movement within the network. The risk is rated low/medium by the discoverer [1].
Mitigation
No official patch was available at the time of disclosure (June 2004). The vendor was notified but no fix was provided. As of the publication date, users must rely on workarounds such as disabling syslog logging in GNATS or restricting network access to the service. The software may be end-of-life; upgrading to a maintained fork or alternative bug-tracking system is recommended [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:gnu:gnats:3.0_02:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gnats:3.113:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gnats:3.113.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gnats:3.113.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gnats:3.14b:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gnats:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:gnats:4.0:*:*:*:*:*:*:*
- (no CPE) range: = 4.00
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/10609 (nvd; Patch, Vendor Advisory)
- marc.info (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/16517 (nvd)