<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//DE"><HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><TITLE>Message</TITLE></HEAD><BODY>Hello!<br>
I succeeded in crashing webmin 1.230 with:<br>
<br>
username %n<br>
password aaaa<br>
<br>
after clicking 4 times on "Login" webmin was dead.<br>
There were no logs at all, and no error was shown in the web interface...<br>
Any idea if it's really exploitable (executing code I mean)? Is anyone working on a POC?<br>
<br>
giarc@freeet.de<br>
<br>
<br>
Original message: ---------------------------------------------------------<br>
<br>
<br>
To: full-disclosure@lists.grok.org.uk<br>
Date: Tue, 29 Nov 2005 11:15:20 -0600<br>
<br>
On Tuesday 29 November 2005 04:07, advisory@dyadsecurity.com wrote:<br>
> [snip] so if remote code execution is successful, it would<br>
> lead to a full remote root compromise in a standard configuration.<br>
<br>
> DESCRIPTION. The username parameter of the login form is logged via<br>
> the perl `syslog' facility in an unsafe manner during an unknown user<br>
> login attempt. The perl syslog facility passes the username on to the<br>
> variable argument function sprintf that will treat any format<br>
> specifiers and process them accordingly.<br>
><br>
> DETAILS. The vectors for a simple DoS of the web server are to use the<br>
> %n and %0(large number)d inside of the username parameter, with the<br>
> former causing a write protection fault within perl leading to script<br>
> abortion, and the latter causing a large amount of memory to be<br>
> allocated inside of the perl process.<br>
<br>
Sys::Syslog calls sprintf($format, @_). I tried testing this on perl 5.8.7<br>
and don't see how this can be exploitable. The %n specifier results in<br>
the following error message:<br>
<br>
$ perl -e 'sprintf("%n")'<br>
Modification of a read-only value attempted at -e line 1.<br>
<br>
Using a thousand %p's results in the same address (presumably of the<br>
temporary char *) over and over again.<br>
<br>
It is possible to memory starve webmin with a long %9999999999d string,<br>
but arbitrary memory writes seem to be out of the question.<br>
What version of perl was used by the third-party to exploit this?<br>
<br>
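The unsafe-format pattern discussed in the reply above, as an added example that is not code from Webmin, Sys::Syslog or either poster: a stand-in sink named fake_syslog (an assumption, mimicking the sprintf($format, @_) call that Sys::Syslog::syslog ends up making) logs a few constructed usernames once with the username interpolated into the format and once with a literal '%s' format, which is the fix. A small has_format_directive helper, also assumed, shows how such login attempts can be flagged in logs; it is a detection aid, not a replacement for the literal-format fix.<br>

```perl
#!/usr/bin/perl
# Added example: not Webmin's or Sys::Syslog's code. Shows why handing an
# untrusted string to a printf-style logger as the *format* is unsafe,
# and what the hardened call looks like.
use strict;
use warnings;

# fake_syslog is an assumed stand-in so this runs offline; like
# Sys::Syslog::syslog() it ends up doing sprintf($format, @_).
my @sink;
sub fake_syslog {
    my ($priority, $format, @args) = @_;
    push @sink, sprintf($format, @args);
}

# Unsafe: the untrusted username becomes part of the format string, so
# any '%' directive it carries is interpreted by sprintf.
sub log_failed_login_unsafe {
    my ($user) = @_;
    fake_syslog('info', "Failed login for user $user");
}

# Hardened: the format is a literal and the username is passed as data,
# so sprintf never parses its contents.
sub log_failed_login_safe {
    my ($user) = @_;
    fake_syslog('info', 'Failed login for user %s', $user);
}

# Detection aid (assumed helper): true when a string contains a format
# directive other than the escaped '%%'.
sub has_format_directive {
    my ($s) = @_;
    (my $t = $s) =~ s/%%//g;    # drop escaped percents first
    return $t =~ /%/ ? 1 : 0;
}

# Constructed sample usernames: one benign, one with an escaped percent,
# one with the %n directive named in the advisory.
for my $user ('alice', 'bob%%', '%n') {
    @sink = ();
    # With '%n' as format the unsafe call dies; the exact message depends
    # on the Perl version (the reply above shows the 5.8.7 wording).
    my $ok = eval { log_failed_login_unsafe($user); 1 };
    my $result;
    if ($ok) {
        $result = "'$sink[0]'";
    }
    else {
        (my $err = $@) =~ s/\s+$//;
        $result = "died: $err";
    }
    printf "unsafe %-7s -> %s\n", "'$user'", $result;

    @sink = ();
    log_failed_login_safe($user);
    printf "safe   %-7s -> '%s'\n", "'$user'", $sink[0];

    printf "       directive present: %s\n\n",
        has_format_directive($user) ? 'yes' : 'no';
}
```

Run it with any Perl 5 to see 'bob%%' logged as "bob%" by the unsafe call and verbatim by the safe one, while the '%n' input kills only the unsafe call; the safe call records it as the literal text "%n".<br>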
</BODY></HTML>