Full Disclosure mailing list archives
Re: Format String Vulnerabilities in Perl Programs
From: Chris Umphress <umphress () gmail com>
Date: Sat, 3 Dec 2005 23:47:56 -0800
On 12/2/05, Steven M. Christey <coley () mitre org> wrote:
> *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
> Format String Vulnerabilities in Perl Programs
> *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
Almost all of the statements refer to a number of programming languages if thought is not put into the program. Security requires thought. A program that is not thought out will not be secure, and the language it is written in cannot protect against this. Anyhow, I get ahead of myself.
> The possibility of CRLF injection was theorized, but a casual investigation was not successful.
\r\n ?? \x0d\x0a ??
> **********************************************************************
> 4. Some Discussion on Format Strings and the Taint Checker
> **********************************************************************
>
> In 5.004: The taint checker apparently does not flag filenames as tainted (e.g. as obtained from the readdir() function). Presumably, other types of "indirect input" may not be tainted. However, it does identify more direct sources of input such as stdin and environment variables.
It shouldn't have to. As Linus Torvalds says -- You should think through your code rather than expecting a tool to find the problem for you [1].
> Notes on Detecting Vulnerabilities in Source Code
> -------------------------------------------------
>
> Detection of suspicious code is slightly more difficult than it is for C code. Constant strings can contain Perl entities such as variables or references, which are inserted into the string before it is passed to printf/sprintf.
>
>     $fmt = <USER_INPUT>;
>     printf("THIS IS A POTENTIALLY VULNERABLE $fmt FORMAT STRING\n");
That is probably the closest thing to a feasible mistake for someone who is thinking about the code they are writing (IMO). If you aren't performing a string insertion of some kind, "print" is far better. While I do understand the argument to some degree, "print" is the most common way to display text (from my own experience, "print" usage is much more common in scripting languages than printf).

[1] Linus Torvalds, Linux Kernel Mailing List, Mar 19 2000, http://www.uwsg.iu.edu/hypermail/linux/kernel/0003.2/0939.html

--
Chris Umphress <http://daga.dyndns.org/>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
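The following Perl script is an added illustration for this archive page; it is not code from Steven Christey's advisory or from Chris Umphress's reply. It puts the interpolated-format pattern quoted above next to the two safe forms (a constant format with the user string passed as an argument, and plain print with no format processing), captures the runtime warnings Perl raises for the vulnerable form, and adds a small line-oriented scanner for the "variable inside a printf/sprintf format" pattern that the advisory says is harder to grep for than in C. The user input, the sample source and the function names are all constructed for the example, and the scanner's regular expression is a triage heuristic, not a Perl parser.

```perl
#!/usr/bin/perl
# Added illustration, not code from the original thread. It contrasts the
# interpolated-format pattern with the two safe forms and adds a crude
# scanner for that pattern in Perl source. All inputs are constructed;
# the scanner regex is a heuristic, not a parser.
use strict;
use warnings;

# Constructed "user input" that happens to contain format directives.
my $user = '%s and %x';

# Vulnerable: interpolation happens before sprintf sees the string, so
# any directives inside $name become conversions with no arguments.
sub greet_vulnerable {
    my ($name) = @_;
    return sprintf("Hello, $name!\n");
}

# Safe: the format stays constant and the user data travels as an argument.
sub greet_safe_printf {
    my ($name) = @_;
    return sprintf("Hello, %s!\n", $name);
}

# Safe: plain interpolation/print does no format processing at all,
# which is the point made in the reply.
sub greet_safe_print {
    my ($name) = @_;
    return "Hello, $name!\n";
}

# Heuristic scanner: flag printf/sprintf calls whose double-quoted first
# argument contains an unescaped $ or @ (i.e. something interpolated).
# Returns the 1-based line numbers of suspicious lines.
sub suspicious_format_lines {
    my ($source) = @_;
    my @hits;
    my $n = 0;
    for my $line (split /\n/, $source) {
        $n++;
        # first argument of printf/sprintf written as a double-quoted string
        next unless $line =~ /\bs?printf\s*\(?\s*"((?:[^"\\]|\\.)*)"/;
        my $fmt = $1;
        # an unescaped sigil followed by an identifier character is
        # interpolated; "\$" is a literal dollar sign and is ignored
        push @hits, $n if $fmt =~ /(?<!\\)[\$\@]\w/;
    }
    return @hits;
}

# Capture runtime warnings so the demonstration shows them explicitly
# instead of letting them scroll past on STDERR.
my @warnings;
local $SIG{__WARN__} = sub { push @warnings, $_[0] };

print "vulnerable  : ", greet_vulnerable($user);     # Hello,  and 0!
print "safe printf : ", greet_safe_printf($user);    # Hello, %s and %x!
print "safe print  : ", greet_safe_print($user);     # Hello, %s and %x!
print "warnings raised by the vulnerable call: ", scalar(@warnings), "\n";
print "  $_" for @warnings;   # two "Missing argument in sprintf" warnings

# Constructed source sample for the scanner; lines 1 and 4 should be hit.
my $sample = <<'END';
printf("Hello, $name!\n");
printf("Hello, %s!\n", $name);
print "Hello, $name!\n";
my $msg = sprintf("Result: @list\n");
printf("Cost: \$%d\n", $cost);
END

print "suspicious lines: @{[ suspicious_format_lines($sample) ]}\n";   # 1 4
```

Run it with `perl example.pl`. The vulnerable call silently drops the `%s` and renders the `%x` as `0`, and the only signal is a pair of "Missing argument in sprintf" warnings, which is why `use warnings` (or `-w`) in test runs is worth keeping on. The scanner deliberately ignores `print` and escaped `\$`, and it misses formats built up in a variable on an earlier line, so treat its output as a list of places to read, not as a clean bill of health.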