Message-ID: <2A3D0C5CF38DEF775439C7D1@gatemuc.muc.bieringer.de>
Date: Fri Apr 15 07:08:42 2005
From: pbieringer at aerasec.de (Dr. Peter Bieringer)
Subject: Use of function "log" in Perl module Net::Server can lead to format string vulnerability if syslog is used

Hi,

Module: Net::Server
Affected version: 0.87 and probably below
Latest available version: 0.87 from 14. Feb 2004
URL: <http://search.cpan.org/~bbb/Net-Server-0.87/> 

While investigating a remote DoS against postgrey <= 1.18 (1.21 is already
available now!) it was found, with the help of David Schweikert and Stefan
Schmidt, that the "log" function in the Net::Server Perl module is not safe
against format string vulnerabilities.

See also thread on postgrey mailing list:
 <http://lists.ee.ethz.ch/postgrey/msg00627.html>


Note that the "log" function itself isn't documented at all in
Server.pm, but it is at least used by "postgrey" (and probably by other software,
too).

The syslog call in function log is implemented as follows:

  ### log only to syslog if setup to do syslog
  if( $prop->{log_file} eq 'Sys::Syslog' ){
    $level = $level!~/^\d+$/ ? $level : $Net::Server::syslog_map->{$level} ;
    Sys::Syslog::syslog($level,@_);   <---!!!!!!
    return;
  }


The Sys::Syslog documentation tells how to use the function "syslog":

       syslog $priority, $format, @args
           If $priority permits, logs ($format, @args) printed as by
           "printf(3V)", with the addition that %m is replaced with "$!"
           (the latest error message).


Unfortunately, the function "log" of Net::Server now puts the first given
log argument into the "syslog" function as the format string, and the others as
arguments.

I do not believe this was the intention of the programmer(s) of
Net::Server, because during a quick code check I did not find any piece of
code like
          $self->log(0,$formatstring, $string)
at all, only
          $self->log(0,$string)


Also the "write_to_log_hook" (in case a file is used as the log channel) does
not interpret the first string token as a format string at all (and btw uses only
one string argument for printing, not more).

So I think this is more a mistake than a feature...a time bomb as we see
now :((


I do not have the time to investigate which network related programs use
the "log" function of Net::Server (at least "postgrey" does). But I think
it would be important to look for them and check them.

As a workaround, programs using "log" of Net::Server can replace a single
"%" by "%%", but only in case syslog is used...

A probable (untested) solution would be to fix the syslog calling code in
Net::Server from
    Sys::Syslog::syslog($level,@_);
to e.g.
    Sys::Syslog::syslog($level,"%s", $_[0]);
  (hopefully I'm right...it's untested)


Possible impact of such a fix: programs which call "log" of Net::Server with a
format string in the first log argument will break. But this would already
break logging into a file if I understand the "write_to_log_hook" code.

Hope this helps,

        Dr. Peter Bieringer
-- 
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Straße 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer@...asec.de
Germany                                Internet: http://www.aerasec.de
