[Dailydave] Webmin miniserv.pl format string vulnerability

Dave Aitel dave at immunitysec.com
Tue Nov 29 13:30:01 EST 2005


It's definitely possible. I threw up Bas's efforts into Immunity 
Partner's a few minutes ago. Bas has the flu, or he'd respond, but we 
did all our testing on Suse 9.3 so far, I believe.

In other words: Jack is not full of it. :>
 
Thanks,
Dave Aitel
Immunity, Inc.

H D Moore wrote:
> On Tuesday 29 November 2005 04:07, advisory at dyadsecurity.com wrote:
>
>> [snip] so if remote code execution is successful, it would
>> lead to a full remote root compromise in a standard configuration.
>
>> DESCRIPTION.  The username parameter of the login form is logged via
>> the perl `syslog' facility in an unsafe manner during an unknown user
>> login attempt. The perl syslog facility passes the username on to the
>> variable argument function sprintf that will treat any format
>> specifiers and process them accordingly.
>>
>> DETAILS.  The vectors for a simple DoS of the web server are to use the
>> %n and %0(large number)d inside of the username parameter, with the
>> former causing a write protection fault within perl leading to script
>> abortion, and the latter causing a large amount of memory to be
>> allocated inside of the perl process.
>
> Sys::Syslog calls sprintf($format, @_). I tried testing this on perl 5.8.7 
> and don't see how this can be exploitable.  The %n specifier results in 
> the following error message:
>
> $ perl -e 'sprintf("%n")'
> Modification of a read-only value attempted at -e line 1.
>
> Using a thousand %p's results in the same address (presumably of the 
> temporary char *) over and over again
>
> It is possible to memory starve webmin with a long %9999999999d string, 
> but arbitrary memory writes seem to be out of the question.
>
> What version of perl was used by the third-party to exploit this?
>
> Does anyone else have experience exploiting sprintf() calls in the perl 
> interpreter?
>
> -HD
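The pattern under discussion, as an added example that is not part of the thread and not Webmin's or Sys::Syslog's code: it isolates the sprintf($format, @_) step HD Moore mentions so the unsafe and hardened logging forms can be compared offline without a syslog daemon. The sample usernames are constructed, and the has_format_directive helper is a heuristic of my own for log review, not anything from the advisory. With no arguments supplied, %n makes sprintf die (the exact message depends on the Perl version; 5.8.x gives the read-only error quoted above, newer perls croak about the missing argument), each %p prints the same address, and %s consumes arguments that do not exist; the %0<large>d memory case is deliberately left out.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Webmin. It reproduces the
# sprintf($format, @_) call that Sys::Syslog makes on its message, so the
# unsafe and hardened logging patterns can be compared offline.
# Sample usernames are constructed for the demonstration.
use strict;
use warnings;

my @samples = (
    'alice',          # benign
    'bob%n',          # %n: sprintf tries to store a count into a missing argument
    'carol%p%p%p',    # %p: an address is printed once per directive
    'dave%s%s',       # %s: consumes arguments that were never passed
);

# Unsafe pattern: the username is interpolated into the message, and the
# message is then handed to sprintf as its *format*, so any % inside the
# username is interpreted as a directive.  This mirrors a call such as
#   syslog('info', "Non-existent login as $user from $host");
sub log_unsafe {
    my ($user) = @_;
    my $msg = "Non-existent login as $user";
    my @warn;
    local $SIG{__WARN__} = sub { push @warn, $_[0] };
    my $out = eval { sprintf($msg) };
    return { ok => 0, err => "$@" } if !defined $out;
    return { ok => 1, text => $out, warnings => \@warn };
}

# Hardened pattern: a fixed format string; the untrusted value is passed as
# an argument and copied literally.  With Sys::Syslog this is
#   syslog('info', '%s', "Non-existent login as $user from $host");
sub log_safe {
    my ($user) = @_;
    return sprintf('%s', "Non-existent login as $user");
}

# Heuristic detection helper (hypothetical, for reviewing inputs that reach a
# logger): does the string contain something sprintf would treat as a
# directive?  A literal "%%" is ignored.
sub has_format_directive {
    my ($s) = @_;
    return $s =~ /%(?!%)(?:\d+\$)?[-+ 0#]*(?:\d+|\*)?(?:\.(?:\d+|\*))?[a-zA-Z]/ ? 1 : 0;
}

for my $u (@samples) {
    my $r = log_unsafe($u);
    my $shown;
    if ($r->{ok}) {
        $shown = qq{"$r->{text}"};
        $shown .= ' (sprintf warned about missing arguments)' if @{ $r->{warnings} };
    } else {
        ($shown = "died: $r->{err}") =~ s/\s+\z//;
    }
    printf "%-12s directive=%d unsafe=%s\n", $u, has_format_directive($u), $shown;
    printf "%-12s safe=\"%s\"\n", '', log_safe($u);
}
```

Run it with any Perl 5 interpreter; the only difference between the two paths is whether the attacker-influenced string is the format or an argument, which is the whole fix for this class of bug in Perl code that logs through Sys::Syslog.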
