Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
Possible webmin issue: SUMMARY. The webmin `miniserv.pl' web server component is vulnerable to a new class of exploitable (remote code) perl format string vulnerabilities. During the login process it is possible to trigger this vulnerability via a crafted username parameter containing format string data. In the observed configuration the process was running as the user root, so so if remote code execution is successful, it would lead to a full remote root compromise in a standard configuration. A valid login is not required to trigger this vulnerability, only access to the miniserv.pl port (default 10000). Date Found: September 23, 2005. Public Release: November 29, 2005. Application: webmin miniserv.pl, all known versions Credit: Jack Louis of Dyad Security BACKGROUND. miniserv.pl is a part of the webmin system administration front end, written in perl by Jamie Cameron. more details are available at http://www.webmin.com. DESCRIPTION. The username parameter of the login form is logged via the perl `syslog' facility in an unsafe manner during a unknown user login attempt. the perl syslog facility passes the username on to the variable argument function sprintf that will treat any format specifiers and process them accordingly. DETAILS. The vectors for a simple DoS of the web server are to use the %n and %0(large number)d inside of the username parameter, with the former causing a write protection fault within perl leading to script abortion, and the latter causing a large amount of memory to be allocated inside of the perl process. A generic remote code execution exploit method has been developed by a third party that is reachable though this hole itself. The following is the section of code in question. (from miniserv.pl) if ($use_syslog && !$validated) { syslog("crit", ($nonexist ? "Non-existent" : $expired ? "Expired" : "Invalid"). " login as $authuser from $acpthost"); } As can be clearly seen with this section of code, the user supplied data is clearly within the format specification of the syslog call. Additional information and sample work around patches can be found at http://www.dyadsecurity.com/webmin-0001.html
eradicator, please bump with appropriate format string patches.
Apparently this is under discussion on FD, we should probably first reproduce rather than blindly patching : "Sys::Syslog calls sprintf($format, @_). I tried testing this on perl 5.8.7 and don't see how this can be exploitable. The %n specifier results in the following error message: $ perl -e 'sprintf("%n")' Modification of a read-only value attempted at -e line 1. Using a thousand %p's results in the same address (presumably of the temporary char *) over and over again It is possible to memory starve webmin with a long %9999999999d string, but arbitrary memory writes seem to be out of the question. What version of perl was used by the third-party to exploit this?"
The following versions contain the fix: usermin 1.180 webmin 1.250 Need keywording: alpha - webmin, usermin hppa - webmin, usermin mips - webmin (for about 3 exploits) ppc - webmin, usermin ppc64 - webmin, usermin s390 - webmin sh - webmin
Looks like you need a very specific/old/borked version of Perl for this to work... not even sure it's possible to find an affecetd one with Gentoo. eradicator: did you reproduce the thing ?
No, I didn't try reproducing the exploit on my box. I just bumped the versions in portage and tested them to work properly.
OK, this is confirmed. Arches please test and mark stable accordingly.
Note: this should probably be fixed Perl-wide through bug 114113...
stable on ppc64
Stable on alpha
Marked ppc stable.
hppa done.
GLSA 200512-02 arm, mips, s390 don't forget to mark stable to benifit from the GLSA.
http://use.perl.org/article.pl?sid=05/12/13/1258222 - Sys::Syslog patch/update is available that would also fix this (since that's the module that exposes *min to the bug as I understand it). Just adding in case its worthy, ~mcummings
