Full Disclosure mailing list archives
Re: Webmin miniserv.pl format string vulnerability
From: Jack <jack () rapturesecurity org>
Date: Tue, 29 Nov 2005 02:44:45 -0800
On Tue, 29 Nov 2005 11:22:31 +0100 Joachim Schipper <j.schipper () math uu nl> wrote:
On Tue, Nov 29, 2005 at 02:07:10AM -0800, advisory () dyadsecurity com wrote:SUMMARY. The webmin `miniserv.pl' web server component is vulnerable to a new class of exploitable (remote code) perl format string vulnerabilities.DESCRIPTION. The username parameter of the login form is logged via the perl `syslog' facility in an unsafe manner during a unknown user login attempt. the perl syslog facility passes the username on to the variable argument function sprintf that will treat any format specifiers and process them accordingly.The following is the section of code in question. (from miniserv.pl) if ($use_syslog && !$validated) { syslog("crit", ($nonexist ? "Non-existent" : $expired ? "Expired" : "Invalid"). " login as $authuser from $acpthost"); } As can be clearly seen with this section of code, the user supplied data is clearly within the format specification of the syslog call.I'm sorry, but where's the 'new class'? I am far from an expert, but is this not just a plain format string attack? Joachim
perl is not C, format strings in perl can still lead to remote code execution, more details will be available in the future. without full details it isnt clear, sorry about that. think of new class as still vulnerable in high level languages that do not have problems with format strings. The context was `new class of exploitable (remote code) perl format string ...'. -- Jack - jack () dyadsecurity com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Webmin miniserv.pl format string vulnerability advisory (Nov 29)
- Message not available
- Re: Webmin miniserv.pl format string vulnerability Jack (Nov 29)
- Message not available
- Re: Webmin miniserv.pl format string vulnerability H D Moore (Nov 29)
- Re: Webmin miniserv.pl format string vulnerability Bernhard Mueller (Nov 29)