Consultation required on possible Perl security issue #5968
Comments
From coley@linus.mitre.org:
Hello,
I am a computer security researcher. I have recently found some ways
However, there is a possibility that there are security-related bugs
Because I don't know who is going to see this email, I am omitting
The Responsible Vulnerability Disclosure Process guidelines [1]
Regards,
Steve Christey
[1] http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt
From @schwern:
On Tue, Oct 01, 2002 at 03:52:40AM -0000, Steve Christey wrote:
It shouldn't be a big deal to discuss potential security holes on p5p, the
To err on the safe side, send your report to the current pumpking Hugo van
--
Michael G. Schwern <schwern@pobox.com> http://www.pobox.com/~schwern/
From @rgs:
Steve Christey (via RT) <perlbug@perl.org> wrote:
I don't include bugs in the taint checker in security bugs -- I mean,
From coley@linus.mitre.org:
Hello all,
I apologize if my vague email yesterday has caused any problems. I
In short, Perl programs can be subjected to certain types of format
However:
1) I don't know the Perl "guts" in how it handles format strings, so
2) The Perl taint checker does not flag certain insecure calls early
A more detailed writeup is below. It's a rough draft, so I apologize
Thanks and regards,
[1] http://online.securityfocus.com/guest/3342

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
Author: Steve Christey
Other Credits: Jean-loup Gailly (jloup@gailly.net) independently

SYNOPSIS
Perl programs that provide user-controlled format strings to sprintf()
Many of these behaviors have analogs in C, but since they do not
It has been observed that C programmers may use "C style" constructs
Perl's taint checker catches the worst of these problems, but not all

DETAILS
Following are some of the more dangerous/interesting specifiers, along
1) Using the "%n" specifier, the attacker can modify the values of
The implications of this problem depend on how the program uses the
Consider the following pseudo-code:
$input = GetInputFromUser();
If $input is "%10s", then str is formatted with up to 10 spaces
2) The "%s" specifier, and others that allow field widths to be
3) [** this needs exploration **] The "%p" and "%n" specifiers may, in
4) Argument shifting via %p (or %n)
[need to come up with a better term, since shift() has meaning in Perl]
Any format specifier can alter the intended format of structured
Example:
$index = GetUserInput();
If $index is "1", then the result might be:
1 2002/10/01 06:58:42
But if $index is "%p", the error condition is not detected (since
130690 10/01/06 58:42:00
Here, not only does the 'index' value exceed the maximum of 32, but
5) Cleansing operations that remove spaces could be tricked by using
Here's one example:
opendir(DIR, ".");
If $file is set to "-R%2ssubdir", then the check for "dangerous
system("/bin/cp -R subdir  subdir.bak");
[*** note: a more feasible example could probably be created. ***]
6) Is there a way to create a format string that handles a ../ ??

Other Attack Scenarios
Some feasible attack scenarios involve Perl programs that generate log
- filenames containing format specifiers could alter which files are
- IP addresses whose DNS reverse lookup includes format strings

Some discussion on format strings and the taint checker
In 5.004:
The taint checker apparently does not flag filenames as tainted
In 5.6.1:
Filenames are properly tainted, and the taint checker properly
Note that the taint checker does not exit until a *printf-tainted
Attacks such as resource consumption and data format modification
This is a factor though: "testing" sprintf/printf with normal file
See taintcheck.pl for what I tried.
Note: the taint checker doesn't complain when system() is called with
system("/bin/echo", $tainted_var1, $tainted_var2);
The following example properly generates an error from the taint
$a = <STDIN>;
The following example also generates an error from the taint checker,
opendir(DIR, ".");

SAMPLE VULNERABLE PROGRAMS
An apparently old version of ftplogcheck, used for processing wu-ftpd
printf REPORT "$time $host $filesize $filename $name\n";
Result: attackers can hide file activities by using format specifiers
perl-nocem - a script that was apparently considered for inclusion in
http://www.isc.org/ml-archives/inn-workers/2001/05/msg00177.html
The "logmsg" appears to be subject to format string issues when
http://www.lns.cornell.edu/~pvhp/perl/mac/scripts/SizeByCreator
- seems like a user-only script
Needs investigation:
http://search.cpan.org/src/JHI/perl-5.8.0/ext/Sys/Syslog/Syslog.pm
- the syslog() function uses sprintf() on a "mask" variable;

RESOLUTION
When writing Perl programs, follow these guidelines.
1) Use constant strings for formatting.
2) Do not use Perl variables in format strings, e.g.
"$bad %10s"
3) Run your program with taint checking enabled, which can protect

DETECTION
Detection of suspicious code is slightly more difficult than it is for
$fmt = "%10s";

************** Sample Vulnerable Programs **************
These programs demonstrate some of the problems described above.
#!/bin/env perl
# when run with taint checking (-T), this seems to properly barf about
$ENV{"PATH"} = "";
# try as input: "%s%n%s" --> modifies $b
$a = "A";
print "\$a='$a'; \$b='$b'; \$c='$c'\n";
print "$x\n";
system("/bin/echo $a $b $c");
************** End Sample Vulnerable Program **************

********* Sample 2 **********
# Create a directory that contains files with these names:
# This was gleaned from some real-world code, but the print was
# Change what filenames are processed via format strings in
opendir(DIR, ".");
2) Misuse of format string in log processing, for which many Perl
I've seen several programs that do something like this:
printf "A=$a\n"
******** End Sample 2 ************

********** miscellaneous ***********
- I haven't explored all the issues

Disclosure History
Jun 10, 2002 - Began discovery and investigation of issue; search for

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
#!/bin/env perl
# SMC 10/01/02. Test program for the taint checker.
# Before running this, create a directory and 'touch' the following
$ENV{"PATH"} = "/bin";
if ($ARGV[0] eq "-stdin")
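As an added defender-side example (not code from the report, from perl, or from the scripts it names): a small Python audit that flags the two patterns the RESOLUTION and DETECTION sections describe, a printf/sprintf whose first argument is an interpolating double-quoted string or a plain variable such as $fmt. The regex and the sample Perl lines are constructed for this example; only the first two sample lines are quoted from the report.

```python
import re

# Added example: a line-oriented audit for Perl printf/sprintf calls whose
# format string is not a constant (heuristic regex, not a Perl parser). It
# matches the call, an optional bareword filehandle (printf REPORT ...), then
# the first argument: a scalar variable or a quoted string.
CALL_RE = re.compile(
    r'\b(?P<func>s?printf)\s*\(?\s*'
    r'(?:(?P<fh>[A-Z_][A-Z0-9_]*)\s+)?'
    r'(?P<arg>\$\w+|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')'
)


def classify_format(arg: str) -> str:
    """Classify a first argument as 'constant', 'interpolated' or 'variable'."""
    if arg.startswith("$"):
        return "variable"      # printf $fmt, ...: the format itself is data
    if arg.startswith("'"):
        return "constant"      # single quotes never interpolate in Perl
    # Double quotes: an unescaped $var or @var is interpolated before the
    # call, so whatever the variable holds becomes part of the format.
    if re.search(r'(?<!\\)[$@]\w', arg):
        return "interpolated"
    return "constant"


def scan_perl(source: str) -> list[tuple[int, str, str]]:
    """Return (line_no, function, reason) for each non-constant format string."""
    # A format assigned earlier ($fmt = "%10s") is only caught at the call
    # site where $fmt is passed, the case the report's DETECTION note raises.
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            kind = classify_format(m.group("arg"))
            if kind != "constant":
                findings.append((no, m.group("func"), kind))
    return findings


# Constructed sample: lines 1-2 are the patterns quoted in the report, the
# rest are made-up safe and unsafe variants.
SAMPLE = r'''printf REPORT "$time $host $filesize $filename $name\n";
printf "A=$a\n";
$fmt = "%10s";
printf $fmt, $name;
printf "%s\n", $untrusted;
printf("%-10s %s\n", $host, $filename);
my $s = sprintf('%s', $x);
'''
```

Running scan_perl(SAMPLE) reports lines 1, 2 and 4; the three constant-format calls on lines 5 to 7 are the shape the RESOLUTION section recommends.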
From coley@linus.mitre.org:
Hello,
A week ago I notified people about the possible issues in Perl's taint
Has the Perl development community decided that the taint checker
Thanks,
From @ask:
[christey - Tue Oct 8 16:10:00 2002]:
Steve,
Did this ever get resolved?
- ask
--
From coley@linus.mitre.org:
Hello,
Well, there is a general question as to whether this should be Perl's
I did obtain this statement from one of the developers (unfortunately
These issues do not represent a substantial security hole in perl
- Steve
From @ask:
[christey - Thu May 1 08:00:39 2003]: [...]
Hi Steve,
I think it should be okay to discuss on p5p if you didn't already. Please feel free to file a
Thanks!
- ask
--
@ask - Status changed from 'new' to 'resolved'
Migrated from rt.perl.org#17698 (status was 'resolved')