Date: Sun Dec  4 07:48:05 2005
From: umphress at gmail.com (Chris Umphress)
Subject: Format String Vulnerabilities in Perl Programs

On 12/2/05, Steven M. Christey <coley@...re.org> wrote:
>
> *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
> Format String Vulnerabilities in Perl Programs
> *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

Almost all of the statements refer to a number of programming
languages if thought is not put into the program. Security requires
thought. A program that is not thought out will not be secure, and the
language it is written in cannot protect against this. Anyhow, I get
ahead of myself.

>    The possibility of CRLF injection was theorized, but a casual
>    investigation was not successful.

\r\n ?? \x0d\x0a ??

> **********************************************************************
> 4. Some Discussion on Format Strings and the Taint Checker
> **********************************************************************
>
> In 5.004:
>
>    The taint checker apparently does not flag filenames as tainted
>    (e.g. as obtained from the readdir() function).  Presumably, other
>    types of "indirect input" may not be tainted.  However, it does
>    identify more direct sources of input such as stdin and environment
>    variables.

It shouldn't have to. As Linus Torvalds says -- You should think
through your code rather than expecting a tool to find the problem for
you [1].

> Notes on Detecting Vulnerabilities in Source Code
> -------------------------------------------------
>
> Detection of suspicious code is slightly more difficult than it is for
> C code.  Constant strings can contain Perl entities such as variables
> or references, which are inserted into the string before it is passed
> to printf/sprintf.
>
>   $fmt = <USER_INPUT>;
>   printf("THIS IS A POTENTIALLY VULNERABLE $fmt FORMAT STRING\n");

That is probably the closest thing to a feasible mistake for someone
who is thinking about the code they are writing (IMO). If you aren't
performing a string insertion of some kind, "print" is far better.
While I do understand the argument to some degree, "print" is the most
common way to display text (from my own experience, "print" usage is
much more common in scripting languages than printf).


[1] Linus Torvalds, Linux Kernel Mailing List, Mar 19 2000,
http://www.uwsg.iu.edu/hypermail/linux/kernel/0003.2/0939.html

--
Chris Umphress <http://daga.dyndns.org/>
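
The source-code detection note quoted above, as an added example that is not part of the original post or the quoted advisory: a heuristic Python scanner that flags Perl printf/sprintf calls whose format argument is a bare variable or a double-quoted string with an interpolated variable. The names `scan_perl`, `CALL`, `INTERP` and the sample Perl lines are constructed for illustration, and the scanner only handles single-line calls with an optional bareword filehandle.

```python
import re

# printf/sprintf, optional "(", optional bareword filehandle, then the first
# argument if it is a double-quoted string or a scalar variable.
CALL = re.compile(
    r'\b(s?printf)\b\s*\(?\s*(?:[A-Z_][A-Z0-9_]*\s+)?'
    r'("(?:\\.|[^"\\])*"|\$\w+)'
)
# An unescaped sigil followed by a name start means Perl will interpolate.
INTERP = re.compile(r'[$@]\{?[A-Za-z_]')

def scan_perl(source):
    """Return (line_no, function, reason) for each suspicious call."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # whole-line comment
        for m in CALL.finditer(line):
            func, fmt = m.group(1), m.group(2)
            if fmt.startswith('$'):
                findings.append((no, func, 'variable used as format'))
            # Drop backslash escapes first so that \$ is not mistaken for a sigil.
            elif INTERP.search(re.sub(r'\\.', '', fmt)):
                findings.append((no, func, 'variable interpolated into format'))
    return findings

# Constructed sample input (not from any real program).
SAMPLE = r'''
my $fmt = <STDIN>;
printf("THIS IS A POTENTIALLY VULNERABLE $fmt FORMAT STRING\n");
printf($fmt);
printf("%s\n", $fmt);
print "value: $fmt\n";
printf STDERR "cost: \$%d\n", $n;
my $s = sprintf("%-10s $name", $x);
# printf($fmt);
'''

if __name__ == '__main__':
    for no, func, reason in scan_perl(SAMPLE):
        print(f'line {no}: {func}: {reason}')
```

The `print` line and the `printf("%s\n", $fmt)` line are not reported, which matches the distinction drawn in the thread between interpolating into a format string and passing the value as an argument.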
