Major PERL vulnerability?!?

  1. #1  Senior Member (Join Date: May 2002, Posts: 344)

    Hey guys, I found this article yesterday and I don't quite understand it. I am relatively new to PERL programming, and I don't understand what the big issue is. I mean it sounds very serious, but I don't get how someone can just commandeer a system running a vulnerable Perl application... anyways, if anyone has any comments, or can clear stuff up for me, that would be much appreciated. Thanks in advance!

    The Perl Foundation has toned down a warning on a type of vulnerability commonly found in applications written in the Perl programming language.
    Two weeks after experts sounded an alarm on so-called "format string flaws" in Perl applications, changes have been made to Perl. These updates ensure that such flaws can't be used as a conduit to run malicious code on target systems, Andy Lester, a spokesman for the Perl Foundation and co-author of the book "Pro Perl Debugging," said on Thursday.

    Perl is a popular open-source programming language that's widely used for Web applications, often on servers that run the Linux operating system. Format strings are a way programmers specify how output should be formatted in an application. A flaw occurs when a programmer uses the strings incorrectly.

    It was always thought that format string vulnerabilities in Perl applications could lead only to denial-of-service attacks. However, late last month experts cautioned that an attacker could exploit a format string flaw to commandeer a system running a vulnerable Perl application.

    That problem occurred because of a perfect storm of two separate security issues, Lester explained. One dealt with a Perl system logging module called "Sys::Syslog," another with the often used "printf" function that formats text, he said.

    'Very weird integer overflow'
    There was a legitimate security vulnerability in printf, but the problem with Sys::Syslog occurred because of a development error by Webmin, Lester said. Webmin is a popular Web-based administration utility written in Perl.

    "Webmin accepts format strings from the outside world, which is normally just a denial of service. But because of the printf problem, a very weird integer overflow in Perl, an attacker could own the box," Lester said.

    On Nov. 29, Dyad Security warned that an attacker could gain full control of a computer running a vulnerable version of Webmin because of a format string vulnerability in the application.

    The developers of Perl released an updated Sys::Syslog module over the weekend and provided a patch for the printf flaw on Wednesday.

    The updated logging module prevents the coding problem found in Webmin of passing format strings to the "syslog()" function when the programmer does not realize that it acts as a proxy for sprintf, Lester said.

    "The Webmin mistake is one that other people could make too," Lester said. "We updated Sys::Syslog so that other people making this mistake don't risk the same denial-of-service attack or worse." In such a denial-of-service attack a system will crash, but not give a remote attacker full access.

    The sprintf bug fixes the problem that could cause a buffer overflow and unlock a vulnerable system for an attacker. "Perl's sprintf had a very arcane bug in it," Lester said. "Typically in Perl you don't have to worry about buffer overruns."

    Perl users are urged to upgrade to the latest version immediately. Other applications may be vulnerable and put systems at risk of attack, Lester said. "It is entirely possible that others have made the same mistakes Webmin has. Web applications can be insecure if they allow unchecked data from the outside world," he said.

    With the security of operating systems improving, attackers have been looking at Web applications and other software as a way to break into systems. Experts have warned that with the disclosure of the Webmin bug, attackers might be looking for other vulnerable Perl applications.

    http://news.com.com/Warning+toned+do...3-5997378.html
    EDIT--
    just found a similar thread... http://www.antionline.com/showthread...hreadid=253123 anyways, weird it's been a year and CNET is just picking up on it? I am still slightly confused, so if someone wants to help me out that would be great. thanks!
    Support your right to arm bears.

  2. #2  Junior Member (Join Date: Jan 2006, Posts: 5)
    White_Eskimo,

    It isn't a huge deal, but it still is a vulnerability that should be patched. Overflow vulnerabilities like this come up from time to time (see Microsoft WMF Vulnerability). In this situation, it seems that you can avoid the issue altogether if you follow the safe programming practice of validating all user input before passing it straight to library functions.

    When overflow vulnerabilities come up like this, the media (and even security writers) talk about how hackers can take over and/or control a machine through the vulnerability. However, most of the time it isn't as easy as they make it sound. It still takes a knowledgeable programmer to exploit the vulnerability to take over a machine.

    To learn about some of the techniques that programmers use to write these exploits, check out some of these AO tutorials on buffer overflows:
    Heap-Based Overflows written by frostedegg
    How A Buffer Overflow Works: Part I written by Nokia
    How A Buffer Overflow Works: Part II written by Nokia
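An added audit example (not from this thread, from Webmin, or from the Perl project) that illustrates the coding mistake the article describes: it scans Perl source for syslog(), sprintf() and printf() calls whose format argument is not a plain string literal, flagging both a bare variable and a double-quoted string that interpolates one, while accepting the fixed-format form syslog('info', '%s', $data). The sample Perl source and the regexes are constructed assumptions, and the check is a heuristic for single-line calls without nested parentheses.

```python
import re

# Perl functions named in the article that hand an argument to sprintf;
# the value is the 0-based index of the format argument in the call.
FORMAT_SINKS = {"syslog": 1, "sprintf": 0, "printf": 0}
CALL_RE = re.compile(r"\b(syslog|sprintf|printf)\s*\(([^;)]*)\)")
# A safe format is a string literal with no interpolation ($ or @ inside "...").
LITERAL_RE = re.compile(r'''^(?:'[^']*'|"[^"$@]*")$''')

def split_args(arglist):
    """Split a Perl argument list on top-level commas (quote-aware, no nesting)."""
    args, buf, quote = [], [], None
    for ch in arglist:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == ",":
            args.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if buf:
        args.append("".join(buf).strip())
    return args

def audit(source):
    """Return (line, function, format_arg) for each call whose format is not a plain literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for m in CALL_RE.finditer(line):
            func, args = m.group(1), split_args(m.group(2))
            idx = FORMAT_SINKS[func]
            if idx < len(args) and not LITERAL_RE.match(args[idx]):
                findings.append((lineno, func, args[idx]))
    return findings

# Constructed sample (hypothetical, not Webmin's code) mixing unsafe and safe calls.
SAMPLE = """use Sys::Syslog; my $user = $ENV{REMOTE_USER};
syslog('info', $user);              # unsafe: request data becomes the format
syslog('info', "login by $user");   # unsafe: interpolation puts data into the format
syslog('info', '%s', $user);        # safe: fixed format, data passed as an argument
printf($user);                      # unsafe
printf("%s\\n", $user);             # safe
my $line = sprintf('%-20s', $user); # safe
"""
```

Running audit(SAMPLE) reports lines 2, 3 and 5; the double-quoted interpolation on line 3 is the case that looks harmless but is equivalent to passing the data as the format.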
