sslh Packet Dumping probe.c hexdump format string
Description
A format string vulnerability in sslh's packet dumping handler (hexdump in probe.c) allows remote code execution via crafted packets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A format string vulnerability exists in sslh (SSL/SSH multiplexer) in the hexdump function of probe.c. The issue is triggered when the packet dumping handler is enabled and processes a packet whose ASCII content contains format specifiers such as %s, %c or %p. The function calls print_message(msg_info, str) with the untrusted string directly as the format argument, instead of print_message(msg_info, "%s", str). This flaw was introduced in release candidate v2.0-rc1 (commit e5f16b9) and affects only that version; no stable release is vulnerable. The fix is commit b19f8a6046b080e4c2e28354a58556bb26040c6f [1][2].
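As an added illustration (not sslh's own code and not the fix commit), here is a hexdump loop in its corrected form, with the vulnerable call noted in a comment; print_message is stood in by a hypothetical log_message, and the 16-byte line width and function names are assumptions:

```c
/* Added illustration, not sslh's own code (names and 16-byte width are
 * assumptions): a hexdump line builder plus a printf-style logger that
 * always receives packet bytes as a "%s" argument, never as the format. */
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define LINE_BYTES 16
static char g_last_log[256];  /* last formatted log line, kept for inspection */

/* Render up to LINE_BYTES bytes as "hh hh ... |ascii|"; returns length, or -1 if out is too small. */
int hexdump_line(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    size_t pos = 0, i;
    if (outlen < LINE_BYTES * 4 + 3) return -1;   /* hex + bars + ascii + NUL */
    if (len > LINE_BYTES) len = LINE_BYTES;
    for (i = 0; i < LINE_BYTES; i++)
        pos += (size_t)(i < len ? sprintf(out + pos, "%02x ", buf[i])
                                : sprintf(out + pos, "   "));
    out[pos++] = '|';
    for (i = 0; i < len; i++)
        out[pos++] = isprint(buf[i]) ? (char)buf[i] : '.';
    out[pos++] = '|';
    out[pos] = '\0';
    return (int)pos;
}

/* Logger in the print_message style: fmt must be a literal from source code. */
int log_message(const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt);
    n = vsnprintf(g_last_log, sizeof g_last_log, fmt, ap);
    va_end(ap);
    fputs(g_last_log, stdout);
    return n;
}

/* Fixed form of the dump loop. The vulnerable form was log_message(line):
 * any '%' inside the packet would then drive the format parser. */
const char *dump_packet(const unsigned char *pkt, size_t len)
{
    char line[128]; size_t off;
    for (off = 0; off < len; off += LINE_BYTES) {
        hexdump_line(pkt + off, len - off, line, sizeof line);
        log_message("%s\n", line);   /* data is an argument, not the format */
    }
    return g_last_log;               /* last line logged, for inspection */
}
```

With a constructed packet such as "%s%n%x", the logged line shows those characters literally in the ASCII column, because vsnprintf only ever parses the "%s\n" literal.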
Exploitation
An attacker can exploit this vulnerability remotely by sending a specially crafted network packet that includes format string specifiers (e.g., %s, %c, %x, %n) to an sslh instance running v2.0-rc1 with packet dumping enabled. No authentication or special privileges are required beyond network access to the sslh service. The hexdump function processes the packet content and passes it as the format string to print_message, giving the attacker control over the format arguments [1].
Impact
Successful exploitation can lead to arbitrary memory read/write, potentially resulting in information disclosure (reading stack/heap data), denial of service (crashing the process), or arbitrary code execution (if %n is used to write to memory). The attacker may gain the ability to execute arbitrary code with the privileges of the sslh process, which typically runs as root or a dedicated user, leading to full compromise of the affected system [1][2].
Mitigation
The vulnerability is fixed in commit b19f8a6046b080e4c2e28354a58556bb26040c6f. Users running sslh v2.0-rc1 should apply the patch immediately by updating to the latest source code, or upgrade to a subsequent release (e.g., v2.0-rc2, which was planned to include the fix). As no stable version is affected, users on stable releases (e.g., the v1.x series) are not vulnerable. The only workaround for v2.0-rc1 short of applying the patch is to disable packet dumping. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: unspecified / sslh (version range: n/a)
Patches: No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions: No linked articles in our index yet.