On Tuesday 29 November 2005 04:07, [EMAIL PROTECTED] wrote: > [snip ] so so if remote code execution is successful, it would > lead to a full remote root compromise in a standard configuration.
> DESCRIPTION. The username parameter of the login form is logged via > the perl `syslog' facility in an unsafe manner during a unknown user > login attempt. the perl syslog facility passes the username on to the > variable argument function sprintf that will treat any format > specifiers and process them accordingly. > > DETAILS. The vectors for a simple DoS of the web server are to use the > %n and %0(large number)d inside of the username parameter, with the > former causing a write protection fault within perl leading to script > abortion, and the latter causing a large amount of memory to be > allocated inside of the perl process. Sys::Syslog calls sprintf($format, @_). I tried testing this on perl 5.8.7 and don't see how this can be exploitable. The %n specifier results in the following error message: $ perl -e 'sprintf("%n")' Modification of a read-only value attempted at -e line 1. Using a thousand %p's results in the same address (presumably of the temporary char *) over and over again It is possible to memory starve webmin with a long %9999999999d string, but arbitrary memory writes seem to be out of the question. What version of perl was used by the third-party to exploit this? -HD _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/