
Re: [Full-disclosure] Webmin miniserv.pl format string vulnerability

Subject: Re: [Full-disclosure] Webmin miniserv.pl format string vulnerability
Date: Tue, 29 Nov 2005 02:44:45 -0800
On Tue, 29 Nov 2005 11:22:31 +0100
Joachim Schipper <j.schipper@math.uu.nl> wrote:

> On Tue, Nov 29, 2005 at 02:07:10AM -0800, advisory@dyadsecurity.com wrote:
> > SUMMARY.  The webmin `miniserv.pl' web server component is vulnerable to
> > a new class of exploitable (remote code) perl format string
> > vulnerabilities.
> >
> > DESCRIPTION.  The username parameter of the login form is logged via the
> > perl `syslog' facility in an unsafe manner during an unknown user login
> > attempt. The perl syslog facility passes the username on to the variable
> > argument function sprintf, which will treat any format specifiers and
> > process them accordingly.
> >
> > The following is the section of code in question. (from miniserv.pl)
> >
> > if ($use_syslog && !$validated) {
> >         # $authuser comes straight from the login form and ends up in the
> >         # format argument of syslog()
> >         syslog("crit",
> >                ($nonexist ? "Non-existent" :
> >                 $expired ? "Expired" : "Invalid").
> >                " login as $authuser from $acpthost");
> > }
> >
> > As can be clearly seen with this section of code, the user supplied data
> > is clearly within the format specification of the syslog call.
>
> I'm sorry, but where's the 'new class'? I am far from an expert, but is
> this not just a plain format string attack?
>
>               Joachim

Perl is not C, but format strings in Perl can still lead to remote code
execution; more details will be available in the future. Without full details
it isn't clear, sorry about that. Think of "new class" as: still vulnerable in
high-level languages that do not have problems with format strings. The
context was `new class of exploitable (remote code) perl format string ...'.

-- 
Jack
- jack@dyadsecurity.com
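As an added example (not code from the advisory, from Webmin, or from either poster), the Perl script below contrasts the logging pattern quoted above with the hardened form. `fake_syslog`, the two `log_failed_login_*` helpers, the sample username and the client address are all constructed for this illustration; the only real behaviour it relies on is that Sys::Syslog's `syslog($priority, $format, @args)` builds its message with `sprintf`.

```perl
#!/usr/bin/perl
# Added illustration, not code from the advisory or from Webmin.
use strict;
use warnings;

# Sys::Syslog's syslog($priority, $format, @args) formats the message with
# sprintf($format, @args). This stand-in (hypothetical helper) models only
# that step so the script runs offline without a syslog daemon.
sub fake_syslog {
    my ($priority, $format, @args) = @_;
    my $message = sprintf($format, @args);   # the step that interprets '%'
    return "[$priority] $message";
}

# Vulnerable pattern, mirroring the miniserv.pl call: the untrusted username
# is interpolated into the string that becomes the sprintf format.
sub log_failed_login_unsafe {
    my ($authuser, $acpthost) = @_;
    return fake_syslog("crit", "Invalid login as $authuser from $acpthost");
}

# Hardened pattern: a constant format, user data passed only as an argument.
# Whatever '%' sequences the username contains are logged verbatim.
sub log_failed_login_safe {
    my ($authuser, $acpthost) = @_;
    return fake_syslog("crit", "%s", "Invalid login as $authuser from $acpthost");
}

# Capture the "Missing argument in sprintf" warnings the unsafe path raises;
# in a real deployment those warnings are a cheap signal worth alerting on.
my @warnings;
$SIG{__WARN__} = sub { push @warnings, $_[0] };

# Constructed sample input: a username made of format specifiers and a
# documentation-range client address.
my $authuser = '%s%s%s%d';
my $acpthost = '192.0.2.10';

my $unsafe = log_failed_login_unsafe($authuser, $acpthost);
my $safe   = log_failed_login_safe($authuser, $acpthost);

print "unsafe: $unsafe\n";   # specifiers consumed; the submitted username never reaches the log
print "safe:   $safe\n";     # username recorded exactly as submitted
printf "sprintf warnings raised by the unsafe call: %d\n", scalar @warnings;
```

The fix is the same one applied to C `syslog(3)`/`printf` misuse: never let data cross into the format position. Here the safe variant also keeps the original message wording, so the log format consumers already depend on does not change.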
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
