Perl Format Strings

[This was originally published on the OSVDB blog.]

Dyad Security announced a new vulnerability in the Webmin web server component. The Perl code is vulnerable to a format string bug, a class that is mostly unseen in Perl and quite common in C programs. The post calls this “a new class of exploitable (remote code) perl format string”. Shortly after, Steven Christey of CVE posted that he had done research into this type of vulnerability as far back as 2002. His post gives a nice timeline of the discovery and research of these bugs, three programs that show the flaws, and references.

So while not quite a new class of vulnerability, it is no doubt one that is mostly overlooked by auditors. It will be interesting to see how many Perl-based format string vulnerabilities are discovered in the coming months.
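As an added illustration of the bug class discussed above (a constructed example, not code from Webmin, Dyad Security, or the original post), here is the vulnerable sprintf pattern beside its fixed form, the runtime warning Perl emits when a user-controlled format is evaluated, and a crude source-scan heuristic of the kind an auditor could run; `format_vulnerable`, `format_safe` and `flag_suspect_formats` are assumed names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed example (not Webmin's or Dyad Security's code): a logging
# helper that hands caller-supplied text to sprintf as the format itself.
sub format_vulnerable {
    my ($user_msg) = @_;
    return sprintf($user_msg);        # BUG: user text is the format string
}

# Hardened form: fixed literal format, user text passed as an argument.
sub format_safe {
    my ($user_msg) = @_;
    return sprintf("%s", $user_msg);
}

# Rough source-audit heuristic: flag printf/sprintf calls whose first
# argument is a variable instead of a string literal. Returns the
# matching lines; it is a grep-level check, not a parser.
sub flag_suspect_formats {
    my @lines = @_;
    return grep { /\bs?printf\s*\(?\s*[\$\@]/ } @lines;
}

# Constructed input carrying format directives, as a tester would send it.
my $input = 'login failed for user %s (%x)';

# Capture the runtime tell-tale: Perl warns "Missing argument in sprintf"
# when directives in a user-controlled format outnumber the arguments.
my @warnings;
local $SIG{__WARN__} = sub { push @warnings, $_[0] };

printf "vulnerable: %s\n", format_vulnerable($input);
printf "safe:       %s\n", format_safe($input);
print  "warning:    $_" for @warnings;

# Constructed lines of "source" for the audit heuristic.
my @source = (
    'sprintf("%s logged in", $user);',     # fine: literal format
    'sprintf($msg);',                      # suspect: variable as format
    'printf $tmpl, $a, $b;',               # suspect: variable as format
);
print "suspect: $_\n" for flag_suspect_formats(@source);
```

The vulnerable call silently drops the `%s`/`%x` directives (substituting an empty string and `0`) and emits the missing-argument warning, while the safe call prints the input verbatim.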

