...
An attacker who can fully or partially control the contents of a format string can crash the Perl interpreter or cause a denial of service. The attacker can also modify values, perhaps by using the %n conversion specifier, and use these values to divert control flow. These capabilities are not as strong as in C [Seacord 2005]; nonetheless, the danger is sufficiently great that the formatted output functions sprintf() and printf() should never be passed unsanitized format strings.
...
In this invocation, the malicious user name user%n was incorporated into the $prompt string. When fed to the printf() call inside validate_password(), the %n instructed Perl to fill the first format string argument with the number of characters printed. This caused Perl to set the $is_ok variable to 4. Since it is now nonzero, the program incorrectly grants access to the user.
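The following is an added example, not code from the standard itself, showing the mitigating pattern: the user-controlled prompt is passed as a data argument to a programmer-chosen format string, so a %n in the user name is printed literally and never interpreted. The function names format_result() and is_safe_format_fragment() are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not the standard's own code): user-controlled text is
# supplied as a *data* argument to a fixed format string, so any conversion
# specifier it contains is printed literally instead of being interpreted.
use strict;
use warnings;

# Constructed sample input standing in for a user-supplied name.
my $username = 'user%n';
my $prompt   = "Password for $username";

# Safe: the format string is a literal chosen by the programmer; $prompt and
# $is_ok are arguments and are never parsed for conversion specifiers.
sub format_result {
    my ($prompt, $is_ok) = @_;
    return sprintf("%s: Password ok? %d\n", $prompt, $is_ok ? 1 : 0);
}

sub validate_password {
    my ($prompt, $password) = @_;
    # 'eq' yields "" on failure; normalise to 0 so %d gets a clean integer.
    my $is_ok = ($password eq "goodpass") ? 1 : 0;
    print format_result($prompt, $is_ok);
    return $is_ok;
}

# Defensive check for the rare case where a format string must be assembled
# from pieces: refuse any piece that carries a conversion specifier at all.
sub is_safe_format_fragment {
    my ($s) = @_;
    return $s !~ /%/;
}

my $ok = validate_password($prompt, 'badpass');
die "unexpected grant" if $ok;

print "fragment '$username' must not be used as a format string\n"
    unless is_safe_format_fragment($username);
```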
...
```perl
sub validate_password {
  my ($password) = @_;
  my $is_ok = ($password eq "goodpass");
  print "$prompt: Password ok? $is_ok\n";
  return $is_ok;
};
# ...
```
Risk Assessment
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| IDS30-PL | high | probable | low | P18 | L1 |
Automated Detection
Perl's taint mode provides partial detection of unsanitized input in format strings.
Perl's warnings can detect if a call to printf() or sprintf() contains the wrong number of format string arguments.
| Tool | Diagnostic |
|---|---|
| Warnings | Missing argument in .*printf |
| Taint mode | Insecure dependency in .*printf |
| Security Reviewer - Static Reviewer | PERL_D90 |
Related Guidelines
...
...
...
...
...
...
...
| CWE-134, "Uncontrolled format string" |
Bibliography
| [Christey 2005] | Format string vulnerabilities in Perl programs |
|---|---|
| [Seacord 2005] | Chapter 6, "Formatted Output" |
| [VU#948385] | |
...
...
...