Perl Format String Vulnerability

John Dalbec jpdalbec at ysu.edu
Fri Dec 9 22:17:19 UTC 2005


Does this affect us?

(1) HIGH: Perl Format String Vulnerability
Affected:
Perl versions 5.9.2 and 5.8.6 confirmed; potentially all Perl versions
Webmin version 1.23 and prior

Description: Perl is widely used as a scripting language for a variety
of applications including web-based software. Perl contains a
vulnerability that can be triggered by passing a format specifier of the
form "%INT_MAXn". The vulnerability causes an integer variable in a Perl
function to wrap around (change its parity) that can be exploited to
execute arbitrary code. For instance, "%2147483647n" format specifier
will trigger the flaw in Perl running on 32-bit Operating Systems. Note
that the flaw can be exploited only via Perl-based applications that
contain a format string vulnerability. The discoverers have reportedly
found several applications that are vulnerable.

One of the affected applications is Webmin, a web interface to perform
administrative tasks like server and user configuration. Webmin's web
server miniserv.pl, which runs on port 10000/tcp by default, contains a
format string vulnerability. By passing a username containing a format
specifier, an attacker can exploit the flaw to execute arbitrary code
with possibly root privileges. Immunity, Inc. has made an exploit
available to some of its customers.

Status: Some Linux vendors have released patches. The discoverers have
also released an unofficial patch for version 5.9.2 that is available
at:
http://www.dyadsecurity.com/advisory/perl/perl-5.9.2-exp_parameter_intwrap_vulnerability.

A workaround for the Webmin flaw is to block the traffic to port
10000/tcp at the network perimeter.

Council Site Actions:  Most of the council sites are responding to this
item on some level and plan to install patches as they are made
available.  Several sites have notified their web developers.  One site
requested updates from the 3rd party providers that bundle Perl with
applications in use at their site.  Another site said that they have
several Mandriva Linux systems running Webmin and plan to recommend that
the affected system administrators apply the MDKSA-2005:223 update.
These systems are used by a few dozen users. The remaining council sites
commented they do not use Perl on any of their web servers.

References:
DyadSecurity Advisory
http://www.dyadsecurity.com/perl-0002.html
http://www.dyadsecurity.com/webmin-0001.html
Posting by giarc
http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0001.html
Posting by Dave Aitel
http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0015.html
Webmin miniserv.pl Documentation
http://www.dyadsecurity.com/webmin-0001.html
Webmin Homepage
http://www.webmin.com
SecurityFocus BID
http://www.securityfocus.com/bid/15629
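The flaw described above is only reachable where an application hands untrusted text to sprintf or printf as the format argument itself. The Perl below is an added example, not code from the advisory, from Webmin or from the list post: the username value is constructed, and log_login_unsafe, log_login_safe and has_format_directive are hypothetical names. It places the unsafe call pattern beside the corrected one and adds a check that flags format directives in input that must only ever be data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: a login name carrying a directive of the shape the
# advisory describes (large width followed by %n). It is never evaluated
# as a format string anywhere in this script.
my $untrusted_user = '%2147483647n';

# VULNERABLE PATTERN (hypothetical, shown for contrast, not called):
# interpolating $user makes it part of the format, so sprintf parses every
# directive in it, including the width value and %n the advisory mentions.
sub log_login_unsafe {
    my ($user) = @_;
    return sprintf("Login from $user\n");
}

# FIXED PATTERN: a constant format string; untrusted data is only ever an
# argument to %s, which copies the bytes verbatim without parsing them.
sub log_login_safe {
    my ($user) = @_;
    return sprintf("Login from %s\n", $user);
}

# Defence-in-depth check for input boundaries or review tooling: returns 1
# if the string contains a conversion directive (%n, %10s, %2147483647n).
# Escaped "%%" is removed first so it does not count as a directive.
sub has_format_directive {
    my ($s) = @_;
    (my $t = $s) =~ s/%%//g;
    return $t =~ /%[-+ 0#]*[\d*]*(?:\.\d+)?[a-zA-Z]/ ? 1 : 0;
}

print "safe output: ", log_login_safe($untrusted_user);
print "directive detected in untrusted input\n"
    if has_format_directive($untrusted_user);
print "plain username passes\n"
    unless has_format_directive('alice');
```

Running the script prints the username unchanged inside the safe log line and reports that the constructed input contains a directive, while a plain name passes the check.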




More information about the fedora-legacy-list mailing list