Message-ID: <20051129024445.c0b0a9c4.jack@rapturesecurity.org>
Date: Tue Nov 29 10:44:54 2005
From: jack at rapturesecurity.org (Jack)
Subject: Webmin miniserv.pl format string vulnerability

On Tue, 29 Nov 2005 11:22:31 +0100
Joachim Schipper <j.schipper@...h.uu.nl> wrote:

> On Tue, Nov 29, 2005 at 02:07:10AM -0800, advisory@...dsecurity.com wrote:
> > SUMMARY.  The webmin `miniserv.pl' web server component is vulnerable to
> > a new class of exploitable (remote code) perl format string
> > vulnerabilities. 
> 
> > DESCRIPTION.  The username parameter of the login form is logged via the
> > perl `syslog' facility in an unsafe manner during an unknown user login
> > attempt. The perl syslog facility passes the username on to the variable
> > argument function sprintf that will treat any format specifiers and
> > process them accordingly.
> 
> > The following is the section of code in question. (from miniserv.pl)
> > 
> > if ($use_syslog && !$validated) {
> >         syslog("crit",
> >                ($nonexist ? "Non-existent" :
> >                 $expired ? "Expired" : "Invalid").
> >                " login as $authuser from $acpthost");
> > }
> > 
> > As can be clearly seen with this section of code, the user supplied data
> > is clearly within the format specification of the syslog call.
> 
> I'm sorry, but where's the 'new class'? I am far from an expert, but is
> this not just a plain format string attack?
> 
> 		Joachim

Perl is not C; format strings in Perl can still lead to remote code execution. More details will be
available in the future. Without full details it isn't clear, sorry about that. Think of "new class"
as "still vulnerable in high-level languages that do not have problems with format strings". The
context was `new class of exploitable (remote code) perl format string ...'.

-- 
Jack
- jack@...dsecurity.com
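
Added example (written for this archive page; it is not code from the advisory, from Webmin, or from either poster). It models the step the advisory describes, the message string reaching sprintf as its format, using a plain sprintf so it runs without a syslog daemon, and puts the quoted miniserv.pl pattern beside the constant-format form of the same call. The host value, the probe usernames and the sub names are constructed for the illustration.

```perl
#!/usr/bin/perl
# Added example, not part of the advisory or of Webmin. It reproduces the
# format step that Sys::Syslog's syslog() applied to its message argument
# with a bare sprintf, so the behaviour is visible without a syslog daemon.
use strict;
use warnings;

my $acpthost = '192.0.2.10';    # constructed: the connecting client host

# The quoted miniserv.pl pattern: the username is interpolated into the
# string that becomes sprintf's FORMAT, so every % sequence in $authuser is
# parsed and acted on. syslog("crit", $format) reached sprintf($format) this way.
sub vulnerable_message {
    my ($authuser) = @_;
    my $format = "Invalid login as $authuser from $acpthost";
    return sprintf($format);
}

# Safe form: a constant format; the attacker-controlled text is only ever an
# ARGUMENT, and sprintf never parses arguments for % sequences.
# In Sys::Syslog terms: syslog("crit", "%s", $message).
sub safe_message {
    my ($authuser) = @_;
    return sprintf('%s', "Invalid login as $authuser from $acpthost");
}

# Constructed usernames: a normal one followed by three format-string probes.
my @probes = (
    'bob',
    'bob%s%s%s',     # consumes arguments that do not exist
    'bob%2$s',       # explicit argument index, also missing
    'bob%n',         # Perl's sprintf honours %n: it stores the output length
                     # into the next argument; with none present the call dies
);

for my $authuser (@probes) {
    my $vuln = eval { vulnerable_message($authuser) };
    unless (defined $vuln) {
        chomp(my $err = $@);
        $vuln = "(sprintf died: $err)";
    }
    my $safe = safe_message($authuser);
    printf "input : %s\nvuln  : %s\nsafe  : %s\n\n", $authuser, $vuln, $safe;
}
```

Run it as a script. The safe function returns every probe verbatim; the vulnerable one interprets them: the %s and %2$s probes silently consume arguments that are not there (Perl emits "Missing argument in sprintf" on STDERR, which is a useful string to watch for in the server's error output), and the %n probe, which Perl's sprintf does implement, has no argument to write into, so the interpreter dies and the login handler aborts. The fix is to keep the format constant and pass the message as an argument; newer Sys::Syslog releases also stopped calling sprintf when no arguments follow the message, but do not lean on that anywhere a format string is assembled from input.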
