November 29, 2005 5:45 PM PST

Danger level rises for Perl app flaws

Related Stories

Antivirus insecurity at Black Hat confab

July 27, 2005
A type of security flaw in Perl applications that experts thought could lead only to a denial-of-service attack is now believed to be much more serious.

Dyad Security on Tuesday warned of a so-called "format string vulnerability" in Webmin, a Web-based administration utility written in Perl. An attacker could gain complete control over a server running the vulnerable software by exploiting this "new class" of flaw, the security research company said in an advisory.

"If remote code execution is successful, it would lead to a full remote root compromise in a standard configuration," according to the advisory.

Format string vulnerabilities are not new, but experts previously thought such flaws in applications written in Perl could not be used to remotely run code on a target system, experts from Symantec and eEye Digital Security said.

Such attacks have been possible via format string bugs if the application in question was coded in a lower-level programming language, such as C, according to Symantec.

"This is potentially the first in a new breed of format string vulnerabilities," said Oliver Friedrichs, the senior manager at Symantec Security Response. "Previously this was thought to be just a denial-of-service attack. Now that it is found to be exploitable, that increases the value substantially. Attackers are certainly going to start looking for them."

Perl, a popular scripting language, is widely used for Web applications, often on servers that run the Linux operating system. With the security of operating systems improving, attackers have been looking at Web applications and other software as a way to break into systems.

"Given the focus on Web applications in general, this format string vulnerability exploitability adds another tool to the chest of attackers," said Steve Manzuik, the security product manager at eEye in Aliso Viejo, Calif. "Web servers are a good target because of a lot of Perl scripts would be available to anonymous, remote users."

Symantec and eEye have not been able to independently validate the claims by Dyad, which are backed up by security vendor Immunity. Symantec believes the claims to be true, while eEye's Manzuik isn't sure yet. "I normally take it with a grain of salt until I actually see some proof. If it turns out to be legitimate, it would be a very serious issue," he said.

To protect their systems, users of Webmin first and foremost should upgrade to the latest version of the utility, Friedrichs said. "In the longer term, you want to make sure that you are using format strings correctly in your applications," he said.

Format strings are the way programmers specify how output should be formatted in an application. A flaw occurs when a programmer uses the strings incorrectly. That could enable an attacker to read and write to memory on the system running the application, resulting in the execution of code of the attacker's choice.

It is too early to tell what the full impact of the broader scope of the format string vulnerabilities will be, Friedrichs said. "The concerning part of this is that this is (Webmin flaw) really the first in a potential growing number of format string vulnerabilities that we may see," he said.

One way that the problem may be addressed is by Perl developers, who may address the issue of format string vulnerabilities in Perl itself, Friedrichs said.

3 comments

Join the conversation!
Add your comment
Not a Perl flaw
This is not a Perl flaw, this is a flaw in webmin. Please, for the love of all that is good, get it right! Poor code can be written in any language, and webmin is poor code. I know, I have to work with it on a daily basis, and it's sloppy code written to Perl 4 standards, much of it written by people whom I would call "web programmers" rather than experienced Perl developers.
Posted by converter42 (10 comments )
Reply Link Flag
Amen
I saw that too and thought it was something more serious...certainly not deserving of a headline. I would say 75% of web applications have high security risks, so this is nothing new.
Posted by Kindred_ (10 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.