The log function in Perl's Net::Server module (used by postgrey, among other tools) is vulnerable to format string attacks. However, it is not clear what the exact impact of this is in a Perl environment.
778555738d428bd2a4087fa2b5c8d98b4df893c1bcdcc2f5c4e68e53bd7634faHi,
Module: Net::Server
Affected version: 0.87 and probably below
Latest available version: 0.87 from 14. Feb 2004
URL: <http://search.cpan.org/~bbb/Net-Server-0.87/>
during investigating a remote DoS against postgrey <= 1.18 (1.21 is already
available now!) it was found with help of David Schweikert and Stefan
Schmidt that the "log" function in Net::Server Perl module is not safe
against format string vulnerability.
See also thread on postgrey mailing list:
<http://lists.ee.ethz.ch/postgrey/msg00627.html>
Note that the "log" function itself isn't documentated at all in the
Server.pm, but at least used by "postgrey" (and probably by other software,
too).
The syslog call in function log is implemented like following:
### log only to syslog if setup to do syslog
if( $prop->{log_file} eq 'Sys::Syslog' ){
$level = $level!~/^\d+$/ ? $level : $Net::Server::syslog_map->{$level} ;
Sys::Syslog::syslog($level,@_); <---!!!!!!
return;
}
Sys::Syslog tells how to use function "syslog":
syslog $priority, $format, @args
If $priority permits, logs ($format, @args) printed as by
"printf(3V)", with the addition that %m is replaced with "$!"
(the
latest error message).
Unfortunately, the function "log" of Net::Server put now the first given
log argument into "syslog" function as format string, and the others as
arguments.
I do not believe this was the intention of the programmer(s) of
Net::Server, because during a quick code check I do not found any piece of
code like
$self->log(0,$formatstring, $string)
at all, only
$self->log(0,$string)
Also the "write_to_log_hook" (in case of file is used as log channel) do
not interpret first string token as format string at all (and uses btw only
one string argument for printing, not more).
So I think this is more a mistake that a feature...a time bomb as we see
now :((
I do not have the time to investigate which network related programs uses
the "log" function of Net::Server (at least "postgrey" does). But I think
it would be important to look for them and check them.
As a workaround, programs using "log" of Net::Server can replace a single
"%" by "%%", but only in case of syslog is used...
Probably (untested) solution would be to fix the syslog calling code in
Net::Server from
Sys::Syslog::syslog($level,@_);
to e.g.
Sys::Syslog::syslog($level,"%s", $_[0]);
(hopefully I'm right...it's untested)
Possible impact of such fix: programs which call "log" of Net::Server with
format string in first log argument will break. But this would already
break logging into a file if I understand the "write_to_log_hook" code.
Hope this helps,
Dr. Peter Bieringer
--
Dr. Peter Bieringer Phone: +49-8102-895190
AERAsec Network Services and Security GmbH Fax: +49-8102-895199
Wagenberger Straße 1 Mobile: +49-174-9015046
D-85662 Hohenbrunn E-Mail: pbieringer@aerasec.de
Germany Internet: http://www.aerasec.de
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed