ayttm proxy.c http_connect format string

Vulnerability

A format string vulnerability exists in ayttm versions up to 0.5.0.89. The function http_connect in libproxy/proxy.c constructs a debug buffer by concatenating user-controlled input (inputline) using snprintf and then passes that buffer to debug_print (a wrapper around printf) as a format string argument [1][2]. This allows an attacker to control the format string, leading to arbitrary read/write and potentially code execution. The issue was reported by a researcher analyzing the code [2].

Exploitation

An attacker can trigger this vulnerability remotely by sending a specially crafted response to an HTTP proxy request made by ayttm. The attack requires that the DEBUG macro is not defined (which was the default in the affected code) [1]. The attacker must be able to intercept or control the network traffic to inject a malicious inputline into the http_connect function. While the complexity is considered high, a successful exploit could be achieved if the attacker can control the content of the HTTP response headers [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the ayttm process. This could lead to complete compromise of the affected system, including data theft, installation of malware, or further lateral movement. The vulnerability was classified as critical [1].

Mitigation

The vulnerability is fixed in commit 40e04680018614a7d2b68566b261b061a0597046 [1]. Users should apply the patch or upgrade to a version of ayttm that includes this fix. There is no known workaround. The patch modifies http_connect to remove the vulnerable debug_buff variable and instead pass a literal format string with the data as arguments, preventing the format string injection [1].