Perl Format Strings

Dyad Security announced a new vulnerability in the Webmin miniserv.pl web server component. The Perl code is vulnerable to a format string bug, a flaw that is mostly unseen in Perl and quite common in C programs. The post calls this “a new class of exploitable (remote code) perl format string”. Shortly after, Steven Christey of CVE posted that he had done research into this type of vulnerability as far back as 2002. His post gives a nice timeline of the discovery and research of these bugs, three programs that show the flaws, and references.

So while not quite a new class of vulnerability, it is one that auditors have no doubt mostly overlooked. It will be interesting to see how many Perl-based format string vulnerabilities are discovered in the coming months.
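As an added illustration (not code from Webmin or from either post), here is the general Perl pattern behind this class of bug next to its hardened form. The sub names and sample values are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: a login name that contains a format directive.
my $sample_user = 'bob %s';
my $sample_ip   = '192.0.2.10';    # documentation address (RFC 5737)

# Vulnerable pattern: untrusted data is interpolated into the format string,
# so sprintf parses the directives inside $user and the arguments no longer
# line up with the directives the programmer wrote.
sub format_unsafe {
    my ($user, $ip) = @_;
    no warnings;    # keep the demo output readable; Perl would warn here
    return sprintf("Invalid login as $user from %s", $ip);
}

# Hardened pattern: the format is a constant and untrusted data is only
# ever passed as an argument, so it is copied verbatim.
sub format_safe {
    my ($user, $ip) = @_;
    return sprintf('Invalid login as %s from %s', $user, $ip);
}

# Fallback for code that must splice data into a format: double every '%'
# so it is emitted as a literal percent sign.
sub escape_percent {
    (my $s = shift) =~ s/%/%%/g;
    return $s;
}

print "unsafe : ", format_unsafe($sample_user, $sample_ip), "\n";
print "safe   : ", format_safe($sample_user, $sample_ip), "\n";
print "escaped: ",
    sprintf('Invalid login as ' . escape_percent($sample_user) . ' from %s',
            $sample_ip), "\n";

# The same rule applies to every function that takes a sprintf-style format,
# including printf and Sys::Syslog's syslog($priority, $format, @args):
# pass a constant format and hand untrusted values over as arguments.
```

When auditing, look for `printf`, `sprintf` and `syslog` calls whose format argument is a variable or an interpolated string rather than a constant.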
