Re: Webmin miniserv.pl format string vulnerability

[Jack <jack () rapturesecurity org>]

On Tue, 29 Nov 2005 11:22:31 +0100
Joachim Schipper <j.schipper () math uu nl> wrote:

> On Tue, Nov 29, 2005 at 02:07:10AM -0800, advisory () dyadsecurity com wrote:
> > SUMMARY.  The webmin `miniserv.pl' web server component is vulnerable to
> > a new class of exploitable (remote code) perl format string
> > vulnerabilities. 
>
> > DESCRIPTION.  The username parameter of the login form is logged via the
> > perl `syslog' facility in an unsafe manner during a unknown user login
> > attempt. the perl syslog facility passes the username on to the variable
> > argument function sprintf that will treat any format specifiers and
> > process them accordingly.
>
> > The following is the section of code in question. (from miniserv.pl)
> >
> > if ($use_syslog && !$validated) {
> >         syslog("crit",
> >                ($nonexist ? "Non-existent" :
> >                 $expired ? "Expired" : "Invalid").
> >                " login as $authuser from $acpthost");
> >         }
> >
> > As can be clearly seen with this section of code, the user supplied data
> > is clearly within the format specification of the syslog call.
>
> I'm sorry, but where's the 'new class'? I am far from an expert, but is
> this not just a plain format string attack?
>
>               Joachim

perl is not C, format strings in perl can still lead to remote code execution, more details will be
available in the future. without full details it isnt clear, sorry about that. think of new class
as still vulnerable in high level languages that do not have problems with format strings. The 
context was `new class of exploitable (remote code) perl format string ...'.

-- 
Jack
- jack () dyadsecurity com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/