Message-ID: <1f29b8940512032347j19a272dftbdd9b79b0d639d57@mail.gmail.com>
Date: Sun Dec 4 07:48:05 2005
From: umphress at gmail.com (Chris Umphress)
Subject: Format String Vulnerabilities in Perl Programs
On 12/2/05, Steven M. Christey <coley@...re.org> wrote:
>
> *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
> Format String Vulnerabilities in Perl Programs
> *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
Almost all of the statements refer to a number of programming
languages if thought is not put into the program. Security requires
thought. A program that is not thought out will not be secure, and the
language it is written in cannot protect against this. Anyhow, I get
ahead of myself.
> The possibility of CRLF injection was theorized, but a casual
> investigation was not successful.
\r\n ?? \x0d\x0a ??
> **********************************************************************
> 4. Some Discussion on Format Strings and the Taint Checker
> **********************************************************************
>
> In 5.004:
>
> The taint checker apparently does not flag filenames as tainted
> (e.g. as obtained from the readdir() function). Presumably, other
> types of "indirect input" may not be tainted. However, it does
> identify more direct sources of input such as stdin and environment
> variables.
It shouldn't have to. As Linus Torvalds says -- You should think
through your code rather than expecting a tool to find the problem for
you [1].
> Notes on Detecting Vulnerabilities in Source Code
> -------------------------------------------------
>
> Detection of suspicious code is slightly more difficult than it is for
> C code. Constant strings can contain Perl entities such as variables
> or references, which are inserted into the string before it is passed
> to printf/sprintf.
>
> $fmt = <USER_INPUT>;
> printf("THIS IS A POTENTIALLY VULNERABLE $fmt FORMAT STRING\n");
That is probably the closest thing to a feasible mistake for someone
who is thinking about the code they are writing (IMO). If you aren't
performing a string insertion of some kind, "print" is far better.
While I do understand the argument to some degree, "print" is the most
common way to display text (from my own experience, "print" usage is
much more common in scripting languages than printf).
[1] Linus Torvalds, Linux Kernel Mailing List, Mar 19 2000,
http://www.uwsg.iu.edu/hypermail/linux/kernel/0003.2/0939.html
--
Chris Umphress <http://daga.dyndns.org/>
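Added example, not part of the original advisory or of this reply: it puts the interpolated-format pattern quoted above next to its two safe forms (constant format with the value as an argument, or plain interpolation without printf), and adds a small heuristic source check for the pattern the advisory describes. The sample user input and the sample source text are constructed here; the subroutine names and the regex are my own and assume nothing beyond core Perl.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample standing in for <USER_INPUT>.  It carries conversion
# specifiers, so it must only ever reach printf/sprintf as an argument.
my $user = "%s%s%s%x";

# Vulnerable pattern from the advisory: the user value is interpolated into
# the format string itself, so sprintf parses its '%' directives.  With
# warnings enabled, Perl reports "Missing argument in sprintf" for each
# directive that has no matching argument, which is a useful runtime signal.
sub render_unsafe {
    my ($fmt) = @_;
    return sprintf("THIS IS A POTENTIALLY VULNERABLE $fmt FORMAT STRING\n");
}

# Hardened form: the format is a constant, the user value is an argument,
# so any '%' in the value is printed literally.
sub render_safe {
    my ($value) = @_;
    return sprintf("THIS IS A SAFE %s FORMAT STRING\n", $value);
}

# When no formatting is needed at all, plain interpolation (what the reply
# recommends with print) never treats '%' specially.
sub render_plain {
    my ($value) = @_;
    return "THIS IS A SAFE $value FORMAT STRING\n";
}

# Heuristic source check for the pattern the advisory describes: a
# printf/sprintf whose first argument is a double-quoted string that
# interpolates a variable ($name or @name).  This is a line-oriented
# regex, not a parser: it misses formats assembled elsewhere, ignores
# filehandle forms such as printf STDERR "...", and can flag harmless lines.
# Returns a list of [line_number, line] pairs.
sub find_interpolated_formats {
    my ($source) = @_;
    my @hits;
    my $line_no = 0;
    for my $line (split /\n/, $source) {
        $line_no++;
        # An escaped "\$" is consumed by the (\\.) branch, so it is not flagged.
        if ($line =~ /\bs?printf\s*\(?\s*"(?:[^"\\]|\\.)*[\$\@]\w/) {
            push @hits, [$line_no, $line];
        }
    }
    return @hits;
}

# Constructed sample source: two lines should be flagged (2 and 5),
# the others should not.
my $sample_source = <<'END_SRC';
$fmt = <USER_INPUT>;
printf("THIS IS A POTENTIALLY VULNERABLE $fmt FORMAT STRING\n");
printf("Hello, %s\n", $name);
print "Total: $total\n";
sprintf("%d items for $user\n", $n);
END_SRC

print "vulnerable: ", render_unsafe($user);
print "safe:       ", render_safe($user);
print "plain:      ", render_plain($user);

for my $hit (find_interpolated_formats($sample_source)) {
    printf("flagged line %d: %s\n", $hit->[0], $hit->[1]);
}
```

Run it with `perl -w`; the unsafe call emits one warning per unmatched directive, while the two safe forms print the `%` characters of the input verbatim. The regex check is only a first pass for reviewing a code base; anything it flags should be read by hand, as the advisory's own note on source detection suggests.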