...

An attacker who can fully or partially control the contents of a format string can crash the Perl interpreter or cause a denial of service. She can also modify values, perhaps by using the %n conversion specifier, and use these values to divert control flow. The attacker's capabilities are not as strong as in C [Seacord 2005]; nonetheless, the danger is sufficiently great that the formatted output functions sprintf() and printf() should never be passed unsanitized format strings.

...

Noncompliant code example (Perl):

my $host = `hostname`;
chop($host);                           # strip the trailing newline
my $prompt = "$ENV{USER}\@$host";      # user name and host name are attacker-influenced

sub validate_password {
  my ($prompt, $password) = @_;
  my $is_ok = ($password eq "goodpass");
  # $prompt is interpolated into the format string, so any conversion
  # specifiers it carries are interpreted by printf()
  printf "$prompt: Password ok? %d\n", $is_ok;
  return $is_ok;
}

if (validate_password($prompt, $ARGV[0])) {
  print "$prompt: access granted\n";
} else {
  print "$prompt: access denied\n";
}

The program works as expected as long as the user name and host name are benign:

...

In this invocation, the malicious user name user%n was incorporated into the $prompt string. When fed to the printf() call inside validate_password(), the %n instructed Perl to fill the first format string argument with the number of characters printed so far, which caused Perl to set the $is_ok variable to 4. Since it is now nonzero, the program incorrectly grants access to the user.

...

Compliant solution (Perl):

sub validate_password {
  my ($prompt, $password) = @_;
  my $is_ok = ($password eq "goodpass");
  # print() performs no format processing, so conversion specifiers
  # carried in $prompt are emitted literally
  print "$prompt: Password ok? $is_ok\n";
  return $is_ok;
}

# ...
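The following script is an added example, not code from the CERT page: it runs the page's noncompliant validate_password() pattern and a hardened variant side by side on two constructed prompts, one benign and one carrying the %n conversion described above, so the effect on the return value can be observed. It assumes the constructed prompts and password, the names validate_password_unsafe(), validate_password_safe() and escape_for_format(), none of which appear on the page; the hardened variant keeps the format string a literal and passes the untrusted prompt through %s, and escape_for_format() shows the fallback of doubling percent signs when untrusted text genuinely has to become part of a format.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample prompts standing in for "$ENV{USER}\@$host".
# The second one carries the %n conversion discussed on the page.
my @prompts        = ('alice@example-host', 'user%n@example-host');
my $wrong_password = 'wrongpass';

# The page's noncompliant pattern: attacker-influenced data becomes part of
# the format string. Kept here only to observe its effect on the return value.
sub validate_password_unsafe {
    my ($prompt, $password) = @_;
    my $is_ok = ($password eq "goodpass");
    printf "$prompt: Password ok? %d\n", $is_ok;
    return $is_ok;
}

# Hardened version: the format is a string literal under the program's
# control, and the untrusted prompt is consumed by %s as data only.
sub validate_password_safe {
    my ($prompt, $password) = @_;
    my $is_ok = ($password eq "goodpass") ? 1 : 0;
    printf "%s: Password ok? %d\n", $prompt, $is_ok;
    return $is_ok;
}

# Fallback when a dynamic format cannot be avoided: neutralise every percent
# sign in untrusted data before it is spliced into a format. printf renders
# "%%" as a literal "%", so no conversion can be smuggled in.
# (Hypothetical helper; not part of the CERT page.)
sub escape_for_format {
    my ($untrusted) = @_;
    (my $escaped = $untrusted) =~ s/%/%%/g;
    return $escaped;
}

for my $prompt (@prompts) {
    print "--- prompt: $prompt\n";

    # Unsafe call: with the %n prompt, $is_ok is overwritten with the number
    # of characters printed so far (4 for "user"), so a false result becomes
    # true. Perl also emits "Missing argument in printf" because %n consumed
    # the only argument.
    my $unsafe = validate_password_unsafe($prompt, $wrong_password);

    # Safe call: the prompt is printed verbatim and $is_ok stays 0.
    my $safe = validate_password_safe($prompt, $wrong_password);

    # Escaped call: the prompt is now safe to embed in a format.
    my $escaped = escape_for_format($prompt);
    printf "$escaped: Password ok? %d\n", 0;

    print "unsafe returned '$unsafe', safe returned $safe\n";
}
```

For the benign prompt both functions deny access (the unsafe one returns the empty string, the safe one 0); for the user%n prompt the unsafe function returns 4 while the safe one still returns 0. If the prompt were built from %ENV or backticks and the script were run with perl -T, the unsafe printf would instead die with "Insecure dependency in printf", which is the taint-mode diagnostic listed under Automated Detection; the "Missing argument in printf" warning from the unsafe call is the other diagnostic listed there.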

...

Automated Detection

Perl's taint mode provides partial detection of unsanitized input in format strings.

Perl's warnings can detect if a call to printf() or sprintf() contains the wrong number of format string arguments.

Tool          Diagnostic
Warnings      Missing argument in .*printf
Taint mode    Insecure dependency in .*printf

Related Guidelines

...

...

...

...

...

...

...

CWE-134, "Uncontrolled format string"

Bibliography

...

...

...


...
