December 15, 2005 4:28 PM PST

Warning toned down on Perl app flaws

The Perl Foundation has toned down a warning on a type of vulnerability commonly found in applications written in the Perl programming language.

Two weeks after experts sounded an alarm on so-called "format string flaws" in Perl applications, changes have been made to Perl. These updates ensure that such flaws can't be used as a conduit to run malicious code on target systems, Andy Lester, a spokesman for the Perl Foundation and co-author of the book "Pro Perl Debugging," said on Thursday.

Perl is a popular open-source programming language that's widely used for Web applications, often on servers that run the Linux operating system. Format strings are a way programmers specify how output should be formatted in an application. A flaw occurs when a programmer uses the strings incorrectly.

It was always thought that format string vulnerabilities in Perl applications could lead only to denial-of-service attacks. However, late last month experts cautioned that an attacker could exploit a format string flaw to commandeer a system running a vulnerable Perl application.

That problem occurred because of a perfect storm of two separate security issues, Lester explained. One dealt with a Perl system logging module called "Sys::Syslog," another with the often used "printf" function that formats text, he said.

'Very weird integer overflow'
There was an legitimate security vulnerability in printf, but the problem with Sys:Syslog occurred because of a development error by Webmin, Lester said. Webmin is a popular Web-based administration utility written in Perl.

"Webmin accepts format strings from the outside world, which is normally just a denial of service. But because of the printf problem, a very weird integer overflow in Perl, an attacker could own the box," Lester said.

On Nov. 29, Dyad Security warned that an attacker could gain full control of a computer running a vulnerable version of Webmin because of a format string vulnerability in the application.

The developers of Perl released an updated Sys::Syslog module over the weekend and provided a patch for the printf flaw on Wednesday.

The updated logging module prevents the coding problem found in Webmin of passing format strings to the "syslog()" function when the programmer does not realize that it acts as a proxy for sprintf, Lester said.

"The Webmin mistake is one that other people could make too," Lester said. "We updated Sys::Syslog so that other people making this mistake don't risk the same denial-of-service attack or worse." In such a denial-of-service attack a system will crash, but not give a remote attacker full access.

The sprintf bug fixes the problem that could cause a buffer overflow and unlock a vulnerable system for an attacker. "Perl's sprintf had a very arcane bug in it," Lester said. "Typically in Perl you don't have to worry about buffer overruns."

Perl users are urged to upgrade to the latest version immediately. Other applications may be vulnerable and put systems at risk of attack, Lester said. "It is entirely possible that others have made the same mistakes Webmin has. Web applications can be insecure if they allow unchecked data from the outside world," he said.

With the security of operating systems improving, attackers have been looking at Web applications and other software as a way to break into systems. Experts have warned that with the disclosure of the Webmin bug, attackers might be looking for other vulnerable Perl applications.

2 comments

Join the conversation!
Add your comment
Wow
Perl & Webmin on News.com - so after all that FLOSS thing is now official.

Flaw is truely minor. Most Perl network applications use so-called "tainted mode" of Perl which makes it an error to call OS with raw data received from outside (user supplied data, file content, URL, etc). Application has to parse and verify data first - only then use them. If you forgot to do that, Perl will happily report error.

Seems like Webmin do not use that security option.
Posted by Philips (400 comments )
Reply Link Flag
Taint mode
You're right, taint mode is a great feature of Perl.

Unfortunately, taint mode wouldn't have helped here. sprintf() doesn't check for tainted format strings.
Posted by petdance (1 comment )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.