| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200511291115.21065.fdlist@digitaloffense.net>
Date: Tue Nov 29 17:15:28 2005
From: fdlist at digitaloffense.net (H D Moore)
Subject: Webmin miniserv.pl format string vulnerability
On Tuesday 29 November 2005 04:07, advisory@...dsecurity.com wrote:
> [snip ] so so if remote code execution is successful, it would
> lead to a full remote root compromise in a standard configuration.
> DESCRIPTION. ?The username parameter of the login form is logged via
> the perl `syslog' facility in an unsafe manner during a unknown user
> login attempt. the perl syslog facility passes the username on to the
> variable argument function sprintf that will treat any format
> specifiers and process them accordingly.
>
> DETAILS. ?The vectors for a simple DoS of the web server are to use the
> %n and %0(large number)d inside of the username parameter, with the
> former causing a write protection fault within perl leading to script
> abortion, and the latter causing a large amount of memory to be
> allocated inside of the perl process.
Sys::Syslog calls sprintf($format, @_). I tried testing this on perl 5.8.7
and don't see how this can be exploitable. ?The %n specifier results in
the following error message:
$ perl -e 'sprintf("%n")'
Modification of a read-only value attempted at -e line 1.
Using a thousand %p's results in the same address (presumably of the
temporary char *) over and over again
It is possible to memory starve webmin with a long %9999999999d string,
but arbitrary memory writes seem to be out of the question.
What version of perl was used by the third-party to exploit this?
-HD
Powered by blists - more mailing lists