Hi,

Module: Net::Server
Affected version: 0.87 and probably below
Latest available version: 0.87 from 14. Feb 2004
URL:

While investigating a remote DoS against postgrey <= 1.18 (1.21 is already available now!), it was found with the help of David Schweikert and Stefan Schmidt that the "log" function in the Net::Server Perl module is not safe against a format string vulnerability.

See also thread on postgrey mailing list:

Note that the "log" function itself isn't documented at all in Server.pm, but it is at least used by "postgrey" (and probably by other software, too).

The syslog call in function log is implemented as follows:

    ### log only to syslog if setup to do syslog
    if( $prop->{log_file} eq 'Sys::Syslog' ){
      $level = $level!~/^\d+$/ ? $level : $Net::Server::syslog_map->{$level} ;
      Sys::Syslog::syslog($level,@_);   # <---!!!!!!
      return;
    }

Sys::Syslog tells how to use function "syslog":

    syslog $priority, $format, @args
        If $priority permits, logs ($format, @args) printed as by
        "printf(3V)", with the addition that %m is replaced with "$!"
        (the latest error message).

Unfortunately, the function "log" of Net::Server now puts the first given log argument into the "syslog" function as the format string, and the others as arguments.

I do not believe this was the intention of the programmer(s) of Net::Server, because during a quick code check I did not find any piece of code like

    $self->log(0,$formatstring, $string)

at all, only

    $self->log(0,$string)

Also the "write_to_log_hook" (in case a file is used as log channel) does not interpret the first string token as a format string at all (and btw uses only one string argument for printing, not more).

So I think this is more a mistake than a feature...a time bomb as we see now :((

I do not have the time to investigate which network related programs use the "log" function of Net::Server (at least "postgrey" does). But I think it would be important to look for them and check them.
As a workaround, programs using "log" of Net::Server can replace a single "%" by "%%", but only in case syslog is used...

A probable (untested) solution would be to fix the syslog calling code in Net::Server from

    Sys::Syslog::syslog($level,@_);

to e.g.

    Sys::Syslog::syslog($level,"%s", $_[0]);

(hopefully I'm right...it's untested)

Possible impact of such a fix: programs which call "log" of Net::Server with a format string in the first log argument will break. But this would already break logging into a file, if I understand the "write_to_log_hook" code.

Hope this helps,
Dr. Peter Bieringer

-- 
Dr. Peter Bieringer                             Phone: +49-8102-895190
AERAsec Network Services and Security GmbH        Fax: +49-8102-895199
Wagenberger Straße 1                           Mobile: +49-174-9015046
D-85662 Hohenbrunn                       E-Mail: pbieringer@aerasec.de
Germany                                Internet: http://www.aerasec.de
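
The following regression check is an added example, not part of the original post and not Net::Server code. It compares the call as quoted above, the proposed "%s" fix and the "%%" workaround on constructed log messages; fake_syslog and the log_* helpers are hypothetical names, and sprintf stands in for the formatting that Sys::Syslog::syslog performs.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Offline stand-in for Sys::Syslog::syslog($priority, $format, @args).
# Assumption: it formats like sprintf and returns the text instead of
# sending it to syslogd; the %m handling of the real function is left out.
sub fake_syslog {
    my ($priority, $format, @args) = @_;
    no warnings;    # missing-argument warnings are expected here
    return sprintf($format, @args);
}

# The call as quoted from Net::Server 0.87: first log argument is the format.
sub log_as_shipped { my $level = shift; return fake_syslog($level, @_) }

# The fix proposed in the advisory: constant format, message passed as data.
sub log_fixed { my $level = shift; return fake_syslog($level, "%s", $_[0]) }

# The caller-side workaround: double every "%" before calling log.
sub log_workaround {
    my ($level, $msg) = @_;
    (my $escaped = $msg) =~ s/%/%%/g;
    return log_as_shipped($level, $escaped);
}

# Constructed sample messages, as a daemon might build them from client input.
my @samples = (
    'connect from mail.example.org',
    'rejected sender <a%sb@example.org>',
    'load at 100% (%d clients)',
);

for my $msg (@samples) {
    for my $variant (
        [ shipped    => \&log_as_shipped ],
        [ fixed      => \&log_fixed ],
        [ workaround => \&log_workaround ],
    ) {
        my ($name, $code) = @$variant;
        my $out = $code->(2, $msg);
        printf "%-10s %-9s in=[%s] out=[%s]\n",
            $name, ($out eq $msg ? 'intact' : 'ALTERED'), $msg, $out;
    }
}
```

A message is reported as ALTERED whenever the logged text differs from what the caller passed in, which is the condition a reviewer checking other Net::Server-based daemons would look for.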