Full Disclosure mailing list archives

re: webmin remote format string bug

From: craig () freenet de
Date: Thu, 01 Dec 2005 18:14:08 +0100

Hello!
I succeeded in crashing webmin 1.230 with:

username %n
password aaaa

after klicking 4 times on "Login" webmin was dead.
There were no logs at all, and no error was shown in the web interface...
Any idea if it's really exploitable (executing code I mean)? Is anyone working on a POC?

giarc () freeet de


Original message: ---------------------------------------------------------


To: full-disclosure () lists grok org uk
Date: Tue, 29 Nov 2005 11:15:20 -0600

On Tuesday 29 November 2005 04:07, advisory () dyadsecurity com wrote:

[snip ] so so if remote code execution is successful, it would
lead to a full remote root compromise in a standard configuration.

DESCRIPTION.  The username parameter of the login form is logged via
the perl `syslog' facility in an unsafe manner during a unknown user
login attempt. the perl syslog facility passes the username on to the
variable argument function sprintf that will treat any format
specifiers and process them accordingly.

DETAILS.  The vectors for a simple DoS of the web server are to use the
%n and %0(large number)d inside of the username parameter, with the
former causing a write protection fault within perl leading to script
abortion, and the latter causing a large amount of memory to be
allocated inside of the perl process.


Sys::Syslog calls sprintf($format, @_). I tried testing this on perl 5.8.7
and don't see how this can be exploitable.  The %n specifier results in
the following error message:

$ perl -e 'sprintf("%n")'
Modification of a read-only value attempted at -e line 1.

Using a thousand %p's results in the same address (presumably of the
temporary char *) over and over again

It is possible to memory starve webmin with a long %9999999999d string,
but arbitrary memory writes seem to be out of the question.
What version of perl was used by the third-party to exploit this?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

re: webmin remote format string bug giarc (Dec 01)
- <Possible follow-ups>
- re: webmin remote format string bug craig (Dec 01)
  - Re: re: webmin remote format string bug Dave Aitel (Dec 01)