...
An attacker who can fully or partially control the contents of a format string can crash the Perl interpreter , or cause a denial of service. She can also modify values, perhaps by using the %n||
conversion specifier, and use these values to divert control flow. Their capabilities are not as strong as in C [Seacord 2005], ; nonetheless the danger is sufficiently great that the formatted output functions {{sprintf()
and printf()
should never be passed unsanitized format strings.
...
This noncompliant code example tries to authenticate a user by having them supply the user supply a password , and only granting them access if only if the password is correct.
Code Block | ||||
---|---|---|---|---|
| ||||
my $host = `hostname`; chop($host); my $prompt = "$ENV{USER}\@$host"; sub validate_password { my ($prompt, $password) = @_; my $is_ok = ($password eq "goodpass"); printf "$prompt: Password ok? %d\n", $is_ok; return $is_ok; }; my $host = `hostname`; chop($host); my $prompt = "$ENV{USER}\@$host"; if (validate_password( $prompt, $ARGV[0])) { print "$prompt: access granted\n"; } else { print "$prompt: access denied\n"; }; |
The program works as expected as long as the username user name and hostname host name are benign:
Code Block |
---|
user@host:~$ ./authenticate.pl goodpass user@host: Password ok? 1 user@host: access granted user@host:~$ ./authenticate.pl badpass user@host: Password ok? 0 user@host: access denied user@host:~$ |
However, the program can be foiled by a malicious usernameuser name:
Code Block |
---|
user@host:~$ env USER=user%n ./authenticate.pl badpass user%n@host: Password ok? 0 user%n@host: access granted user@host:~$ |
In this invocation, the malicious username user name user%n
was incomprorated incorporated into the $prompt
string. When fed to the printf()
call inside validate_password()
, the %n
instructed Perl to fill the first format string argument with the number of characters printed. This , which caused Perl to set the $is_ok
variable to 4. Since it is now nonzero, the program incorrectly grants access to the user.
...
This compliant solution avoids the use of printf()
, since print()
provides sufficient functionality.
Code Block | ||||
---|---|---|---|---|
| ||||
sub validate_password {
my ($prompt, $password) = @_;
my $is_ok = ($password eq "goodpass");
print "$prompt: Password ok? $is_ok\n";
return $is_ok;
};
# ...
|
...
Automated Detection
Perl's Taint taint mode provides partial detection of unsanitized input in format strings.
Perl's warnings can detect if a call to printf()
or sprintf()
contains the wrong number of format string arguments.
Tool | Diagnostic |
---|---|
Warnings | Missing argument in .*printf |
Taint mode | Insecure dependency in .*printf |
Related Guidelines
...
...
...
...
...
...
...
Bibliography
...
...
Chapter 6, "Formatted Output" |
...
...
01. Input Validation and Data Sanitization EXP30-PL. Do not use deprecated or obsolete functions