Never call any formatted I/O function with a format string containing user input.
An attacker who can fully or partially control the contents of a format string can crash the Perl interpreter, or cause a denial of service. She can also modify values, perhaps by using the %n|| conversion specifier, and use these values to divert control flow. Their capabilities are not as strong as in C [Seacord 2005], nonetheless the danger is sufficiently great that the formatted output functions {{sprintf()
and printf()
should never be passed unsanitized format strings.
Noncompliant Code Example
This noncompliant code example tries to authenticate a user by having them supply a password, and only granting them access if the password is correct.
sub validate_password { my ($prompt, $password) = @_; my $is_ok = ($password eq "goodpass"); printf "$prompt: Password ok? %d\n", $is_ok; return $is_ok; }; my $host = `hostname`; chop($host); my $prompt = "$ENV{USER}\@$host"; if (validate_password( $prompt, $ARGV[0])) { print "$prompt: access granted\n"; } else { print "$prompt: access denied\n"; };
The program works as expected as long as the username and hostname are benign:
user@host:~$ ./authenticate.pl goodpass user@host: Password ok? 1 user@host: access granted user@host:~$ ./authenticate.pl badpass user@host: Password ok? 0 user@host: access denied user@host:~$
However, the program can be foiled by a malicious username:
user@host:~$ env USER=user%n ./authenticate.pl badpass user%n@host: Password ok? 0 user%n@host: access granted user@host:~$
In this invocation, the malicious username user%n
was incomprorated into the $prompt
string. When fed to the printf()
call inside validate_password()
, the %n
instructed Perl to fill the first format string argument with the number of characters printed. This caused Perl to set the $is_ok
variable to 4. Since it is now nonzero, the program incorrectly grants access to the user.
Compliant Solution (print()
)
This compliant solution avoids the use of printf()
since print()
provides sufficient functionality.
sub validate_password { my ($prompt, $password) = @_; my $is_ok = ($password eq "goodpass"); print "$prompt: Password ok? $is_ok\n"; return $is_ok; }; # ...
Risk Assessment
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
IDS30-PL | high | probable | low | P18 | L1 |
Automated Detection
Perl's Taint mode provides partial detection of unsanitized input in format strings.
Perl's warnings can detect if a call to printf()
or sprintf()
contains the wrong number of format string arguments.
Related Guidelines
CERT C Secure Coding Standard: FIO30-C. Exclude user input from format strings
CERT C++ Secure Coding Standard: FIO30-CPP. Exclude user input from format strings
The CERT Oracle Secure Coding Standard for Java: IDS06-J. Exclude user input from format strings
http://cwe.mitre.org/: http://cwe.mitre.org/data/definitions/134.html, "Uncontrolled Format String"
Bibliography
Full-disclosure: Christey, Steven M. Format String Vulnerabilities in Perl Programs Fri Dec 02 2005 - 02:56:14 CST
[Seacord 2005]] Chapter 6, Formatted Output
US-CERT Vulnerability Note VU#948385
[Wall 2011] perlfunc
01. Input Validation and Data Sanitization EXP30-PL. Do not use deprecated or obsolete functions