Dailydave mailing list archives
Re: Webmin miniserv.pl format string vulnerability
From: Bas Alberts <bas.alberts () immunitysec com>
Date: Tue, 29 Nov 2005 18:34:52 -0500
Hi, To summarise: ... CANVAS$ bash-2.05b$ ./exploits/webmin/webmin.py -v0 -t192.168.1.104 -p10000 ... Program received signal SIGTRAP, Trace/breakpoint trap. 0x0847ec51 in ?? () (gdb) ... I did a little paper on the how and what of perl fs bugs which we'll release sometime soon I believe. It's fairly straightforward though, and anyone who takes the time to read Perl's internal formatting handlers should be able to figure this one out relatively quickly. I'd never looked at them before because I'd never played with fs bugs in Perl code before..but much of the logic remains true..the semantics are just shifted to Perl internals. Anyhoo, we devised a pretty simple way to get a generic write primitive off of it, which seems to work pretty well. Love, Bas On Tue, Nov 29, 2005 at 12:19:23PM -0600, H D Moore wrote:
On Tuesday 29 November 2005 04:07, advisory () dyadsecurity com wrote:[snip ] so so if remote code execution is successful, it would lead to a full remote root compromise in a standard configuration.DESCRIPTION. ?The username parameter of the login form is logged via the perl `syslog' facility in an unsafe manner during a unknown user login attempt. the perl syslog facility passes the username on to the variable argument function sprintf that will treat any format specifiers and process them accordingly. DETAILS. ?The vectors for a simple DoS of the web server are to use the %n and %0(large number)d inside of the username parameter, with the former causing a write protection fault within perl leading to script abortion, and the latter causing a large amount of memory to be allocated inside of the perl process.Sys::Syslog calls sprintf($format, @_). I tried testing this on perl 5.8.7 and don't see how this can be exploitable. ?The %n specifier results in the following error message: $ perl -e 'sprintf("%n")' Modification of a read-only value attempted at -e line 1. Using a thousand %p's results in the same address (presumably of the temporary char *) over and over again It is possible to memory starve webmin with a long %9999999999d string, but arbitrary memory writes seem to be out of the question. What version of perl was used by the third-party to exploit this? Does anyone else have experience exploiting sprintf() calls in the perl interpreter? -HD
Attachment:
_bin
Description:
Current thread:
- Webmin miniserv.pl format string vulnerability advisory (Nov 29)
- Re: Webmin miniserv.pl format string vulnerability H D Moore (Nov 29)
- Re: Webmin miniserv.pl format string vulnerability Dave Aitel (Nov 29)
- Re: Webmin miniserv.pl format string vulnerability H D Moore (Nov 29)
- Re: Webmin miniserv.pl format string vulnerability Bas Alberts (Nov 29)
- Re: Webmin miniserv.pl format string vulnerability Dave Aitel (Nov 29)
- Re: Webmin miniserv.pl format string vulnerability H D Moore (Nov 29)