- Related Stories
-
Antivirus insecurity at Black Hat confab
July 27, 2005 -
Linux, Perl get play in growing magazine market
February 15, 2000 -
Hacking hazards come with Web scripting territory
February 4, 2000
Two weeks after experts sounded an alarm on so-called "format string flaws" in Perl applications, changes have been made to Perl. These updates ensure that such flaws can't be used as a conduit to run malicious code on target systems, Andy Lester, a spokesman for the Perl Foundation and co-author of the book "Pro Perl Debugging," said on Thursday.
Perl is a popular open-source programming language that's widely used for Web applications, often on servers that run the Linux operating system. Format strings are a way programmers specify how output should be formatted in an application. A flaw occurs when a programmer uses the strings incorrectly.
It was always thought that format string vulnerabilities in Perl applications could lead only to denial-of-service attacks. However, late last month experts cautioned that an attacker could exploit a format string flaw to commandeer a system running a vulnerable Perl application.
That problem occurred because of a perfect storm of two separate security issues, Lester explained. One dealt with a Perl system logging module called "Sys::Syslog," another with the often used "printf" function that formats text, he said.
'Very weird integer overflow'
There was an legitimate security vulnerability in printf, but the problem with Sys:Syslog occurred because of a development error by Webmin, Lester said. Webmin is a popular Web-based administration utility written in Perl.
"Webmin accepts format strings from the outside world, which is normally just a denial of service. But because of the printf problem, a very weird integer overflow in Perl, an attacker could own the box," Lester said.
On Nov. 29, Dyad Security warned that an attacker could gain full control of a computer running a vulnerable version of Webmin because of a format string vulnerability in the application.
The developers of Perl released an updated Sys::Syslog module over the weekend and provided a patch for the printf flaw on Wednesday.
The updated logging module prevents the coding problem found in Webmin of passing format strings to the "syslog()" function when the programmer does not realize that it acts as a proxy for sprintf, Lester said.
"The Webmin mistake is one that other people could make too," Lester said. "We updated Sys::Syslog so that other people making this mistake don't risk the same denial-of-service attack or worse." In such a denial-of-service attack a system will crash, but not give a remote attacker full access.
The sprintf bug fixes the problem that could cause a buffer overflow and unlock a vulnerable system for an attacker. "Perl's sprintf had a very arcane bug in it," Lester said. "Typically in Perl you don't have to worry about buffer overruns."
Perl users are urged to upgrade to the latest version immediately. Other applications may be vulnerable and put systems at risk of attack, Lester said. "It is entirely possible that others have made the same mistakes Webmin has. Web applications can be insecure if they allow unchecked data from the outside world," he said.
With the security of operating systems improving, attackers have been looking at Web applications and other software as a way to break into systems. Experts have warned that with the disclosure of the Webmin bug, attackers might be looking for other vulnerable Perl applications.
See more CNET content tagged:
Perl, attacker, denial of service, string, Web application
Flaw is truely minor. Most Perl network applications use so-called "tainted mode" of Perl which makes it an error to call OS with raw data received from outside (user supplied data, file content, URL, etc). Application has to parse and verify data first - only then use them. If you forgot to do that, Perl will happily report error.
Seems like Webmin do not use that security option.
Unfortunately, taint mode wouldn't have helped here. sprintf() doesn't check for tainted format strings.