Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 113888 - app-admin/{webmin|usermin} possible miniserv.pl format string vulnerability
Summary: app-admin/{webmin|usermin} possible miniserv.pl format string vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-11-29 03:02 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2019-12-08 22:44 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-29 03:02:32 UTC
Possible webmin issue: 
 
SUMMARY. The webmin `miniserv.pl' web server component is vulnerable to  
 a new class of exploitable (remote code) perl format string  
 vulnerabilities. During the login process it is possible to trigger this  
 vulnerability via a crafted username parameter containing format string  
 data. In the observed configuration the process was running as the user  
 root, so so if remote code execution is successful, it would lead to a  
 full remote root compromise in a standard configuration. A valid login  
 is not required to trigger this vulnerability, only access to the  
 miniserv.pl port (default 10000).  
  
Date Found: September 23, 2005.  
 Public Release: November 29, 2005.  
 Application: webmin miniserv.pl, all known versions  
 Credit: Jack Louis of Dyad Security  
  
BACKGROUND. miniserv.pl is a part of the webmin system administration  
 front end, written in perl by Jamie Cameron. more details are available  
 at http://www.webmin.com.  
  
DESCRIPTION. The username parameter of the login form is logged via the  
 perl `syslog' facility in an unsafe manner during a unknown user login  
 attempt. the perl syslog facility passes the username on to the variable  
 argument function sprintf that will treat any format specifiers and  
 process them accordingly.  
  
DETAILS. The vectors for a simple DoS of the web server are to use the  
 %n and %0(large number)d inside of the username parameter, with the  
 former causing a write protection fault within perl leading to script  
 abortion, and the latter causing a large amount of memory to be  
 allocated inside of the perl process.  
  
A generic remote code execution exploit method has been developed by a  
 third party that is reachable though this hole itself.  
  
The following is the section of code in question. (from miniserv.pl)  
  
if ($use_syslog && !$validated) {  
         syslog("crit",  
                ($nonexist ? "Non-existent" :  
                 $expired ? "Expired" : "Invalid").  
                " login as $authuser from $acpthost");  
         }  
  
As can be clearly seen with this section of code, the user supplied data  
 is clearly within the format specification of the syslog call.  
  
Additional information and sample work around patches can be found at  
 http://www.dyadsecurity.com/webmin-0001.html
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-11-29 11:17:00 UTC
eradicator, please bump with appropriate format string patches.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-11-29 11:21:18 UTC
Apparently this is under discussion on FD, we should probably first reproduce
rather than blindly patching :

"Sys::Syslog calls sprintf($format, @_). I tried testing this on perl 5.8.7 
and don't see how this can be exploitable.  The %n specifier results in 
the following error message:

$ perl -e 'sprintf("%n")'
Modification of a read-only value attempted at -e line 1.

Using a thousand %p's results in the same address (presumably of the 
temporary char *) over and over again

It is possible to memory starve webmin with a long %9999999999d string, 
but arbitrary memory writes seem to be out of the question.

What version of perl was used by the third-party to exploit this?"
Comment 3 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-30 13:42:09 UTC
The following versions contain the fix:
usermin 1.180
webmin 1.250

Need keywording:

alpha - webmin, usermin
hppa - webmin, usermin
mips - webmin (for about 3 exploits)
ppc - webmin, usermin
ppc64 - webmin, usermin
s390 - webmin
sh - webmin
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-12-01 00:28:12 UTC
Looks like you need a very specific/old/borked version of Perl for this to
work... not even sure it's possible to find an affecetd one with Gentoo.
 
eradicator: did you reproduce the thing ?
Comment 5 Jeremy Huddleston (RETIRED) gentoo-dev 2005-12-01 01:02:20 UTC
No, I didn't try reproducing the exploit on my box.  I just bumped the versions
in portage and tested them to work properly.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-12-01 01:55:32 UTC
OK, this is confirmed. Arches please test and mark stable accordingly.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-12-01 03:15:12 UTC
Note: this should probably be fixed Perl-wide through bug 114113...
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2005-12-01 06:28:50 UTC
stable on ppc64 
Comment 9 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-12-01 15:21:35 UTC
Stable on alpha
Comment 10 Joe Jezak (RETIRED) gentoo-dev 2005-12-02 01:00:40 UTC
Marked ppc stable.
Comment 11 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-04 10:16:17 UTC
hppa done.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-07 22:41:13 UTC
GLSA 200512-02 
 
arm, mips, s390 don't forget to mark stable to benifit from the GLSA. 
Comment 13 Michael Cummings (RETIRED) gentoo-dev 2005-12-14 03:23:59 UTC
http://use.perl.org/article.pl?sid=05/12/13/1258222 - Sys::Syslog patch/update
is available that would also fix this (since that's the module that exposes *min
to the bug as I understand it). Just adding in case its worthy,

~mcummings