The Perl Foundation has toned down a warning on a type of vulnerability commonly found in applications written in the Perl programming language.
Two weeks after experts sounded an alarm on so-called "format string flaws" in Perl applications, changes have been made to Perl. These updates ensure that such flaws can't be used as a conduit to run malicious code on target systems, Andy Lester, a spokesman for the Perl Foundation and co-author of the book "Pro Perl Debugging," said on Thursday.
Perl is a popular open-source programming language that's widely used for Web applications, often on servers that run the Linux operating system. Format strings are a way programmers specify how output should be formatted in an application. A flaw occurs when a programmer uses the strings incorrectly.
It was always thought that format string vulnerabilities in Perl applications could lead only to denial-of-service attacks. However, late last month experts cautioned that an attacker could exploit a format string flaw to commandeer a system running a vulnerable Perl application.
That problem occurred because of a perfect storm of two separate security issues, Lester explained. One dealt with a Perl system logging module called "Sys::Syslog," another with the often used "printf" function that formats text, he said.
'Very weird integer overflow' There was an legitimate security vulnerability in printf, but the problem with Sys:Syslog occurred because of a development error by Webmin, Lester said. Webmin is a popular Web-based administration utility written in Perl.
"Webmin accepts format strings from the outside world, which is normally just a denial of service. But because of the printf problem, a very weird integer overflow in Perl, an attacker could own the box," Lester said.
The updated logging module prevents the coding problem found in Webmin of passing format strings to the "syslog()" function when the programmer does not realize that it acts as a proxy for sprintf, Lester said.
"The Webmin mistake is one that other people could make too," Lester said. "We updated Sys::Syslog so that other people making this mistake don't risk the same denial-of-service attack or worse." In such a denial-of-service attack a system will crash, but not give a remote attacker full access.
The sprintf bug fixes the problem that could cause a buffer overflow and unlock a vulnerable system for an attacker. "Perl's sprintf had a very arcane bug in it," Lester said. "Typically in Perl you don't have to worry about buffer overruns."
Perl users are urged to upgrade to the latest version immediately. Other applications may be vulnerable and put systems at risk of attack, Lester said. "It is entirely possible that others have made the same mistakes Webmin has. Web applications can be insecure if they allow unchecked data from the outside world," he said.
With the security of operating systems improving, attackers have been looking at Web applications and other software as a way to break into systems. Experts have warned that with the disclosure of the Webmin bug, attackers might be looking for other vulnerable Perl applications.
Perl & Webmin on News.com - so after all that FLOSS thing is now official.
Flaw is truely minor. Most Perl network applications use so-called "tainted mode" of Perl which makes it an error to call OS with raw data received from outside (user supplied data, file content, URL, etc). Application has to parse and verify data first - only then use them. If you forgot to do that, Perl will happily report error.
Seems like Webmin do not use that security option.
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
Flaw is truely minor. Most Perl network applications use so-called "tainted mode" of Perl which makes it an error to call OS with raw data received from outside (user supplied data, file content, URL, etc). Application has to parse and verify data first - only then use them. If you forgot to do that, Perl will happily report error.
Seems like Webmin do not use that security option.
Unfortunately, taint mode wouldn't have helped here. sprintf() doesn't check for tainted format strings.