lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <E1Ehs0W-0008OR-Gq@www1.emo.freenet-rz.de>
Date: Thu Dec  1 19:05:56 2005
From: craig at freenet.de (craig@...enet.de)
Subject: re: webmin remote format string bug

An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051201/28b6f430/attachment-0001.html
-------------- next part --------------
Hello!
I succeeded in crashing webmin 1.230 with:

username %n
password aaaa

after klicking 4 times on "Login" webmin was dead.
There were no logs at all, and no error was shown in the web interface...
Any idea if it's really exploitable (executing code I mean)? Is anyone working on a POC?

giarc@...eet.de


Original message: ---------------------------------------------------------


To: full-disclosure@...ts.grok.org.uk
Date: Tue, 29 Nov 2005 11:15:20 -0600

On Tuesday 29 November 2005 04:07, advisory@...dsecurity.com wrote:
> [snip ] so so if remote code execution is successful, it would
> lead to a full remote root compromise in a standard configuration.

> DESCRIPTION.  The username parameter of the login form is logged via
> the perl `syslog' facility in an unsafe manner during a unknown user
> login attempt. the perl syslog facility passes the username on to the
> variable argument function sprintf that will treat any format
> specifiers and process them accordingly.
>
> DETAILS.  The vectors for a simple DoS of the web server are to use the
> %n and %0(large number)d inside of the username parameter, with the
> former causing a write protection fault within perl leading to script
> abortion, and the latter causing a large amount of memory to be
> allocated inside of the perl process.

Sys::Syslog calls sprintf($format, @_). I tried testing this on perl 5.8.7
and don't see how this can be exploitable.  The %n specifier results in
the following error message:

$ perl -e 'sprintf("%n")'
Modification of a read-only value attempted at -e line 1.

Using a thousand %p's results in the same address (presumably of the
temporary char *) over and over again

It is possible to memory starve webmin with a long %9999999999d string,
but arbitrary memory writes seem to be out of the question.
What version of perl was used by the third-party to exploit this?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ