[Mpls-pm] Fwd: Perl format string integer wrap vulnerability

Ken Williams ken at mathforum.org
Fri Dec 2 17:14:28 PST 2005


On Dec 2, 2005, at 11:29 AM, Joshua ben Jore wrote:

> BTW, does anyone know how to get perl to do something more useful than
> segfault when given a bad format? The bug is triggered by using a
> format like "%" . ( $n + MAXINT ) . "d". The number is getting
> assigned into a signed integer and this is where the problem is, I
> guess. Somehow this allows an attacker to write to arbitrary memory.

Well, it's only arbitrary memory within that process's address space, 
not arbitrary memory in the computer.  So on *nix a person can't 
elevate their privileges unless they can find a script running as 
someone else and it does printf("%$variable"...) and they can change 
$variable by supplying some tricky input.  Sort of a tall order, but 
since it's not impossible it's a security bug.

On platforms where a process can write to memory outside its address 
space, it's sort of a moot point, as on those systems the attacker 
could just write a simpler program to do so.
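The pattern under discussion, the vulnerable construction beside the hardened one, as an added example that is not code from either poster or from the Perl project. It assumes a script that needs a caller-chosen column width; the `MAX_WIDTH` limit, the function names and the sample inputs are constructed for illustration. The fix side rests on two rules: the format string is a constant the attacker never touches, and any number that reaches a width field is bounded first.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# VULNERABLE PATTERN (the one the thread describes): the format string is
# built by concatenating untrusted input. Whoever controls $untrusted
# controls the width field, and on an unpatched perl a width near the
# signed-int limit wraps when it is assigned into an int.
sub format_untrusted {
    my ($untrusted, $value) = @_;
    my $fmt = "%" . $untrusted . "d";   # attacker-chosen width lands here
    return sprintf($fmt, $value);        # attacker owns the format string
}

# Assumed policy limit for this example; pick what the output really needs.
use constant MAX_WIDTH => 200;

# HARDENED PATTERN: the format is a constant, the width is passed as the
# '*' argument, and it is validated and bounded before it gets anywhere
# near sprintf. No untrusted data is ever concatenated into the format.
sub format_safe {
    my ($width_in, $value) = @_;
    die "width must be a small non-negative integer\n"
        unless defined $width_in && $width_in =~ /\A[0-9]{1,4}\z/;
    my $width = $width_in + 0;
    die "width $width exceeds " . MAX_WIDTH . "\n" if $width > MAX_WIDTH;
    return sprintf("%*d", $width, $value);
}

# If the untrusted value is meant to be printed, it is an argument, not the
# format: a fixed "%s" prints it literally, conversions and all.
sub echo_safe {
    my ($untrusted) = @_;
    return sprintf("%s", $untrusted);
}

# Demonstration. A 20-digit width exceeds even a 64-bit counter, so a perl
# that carries the fix refuses it with a fatal "Integer overflow in format
# string for sprintf" (see perldiag), which eval turns into a catchable
# error. On an unpatched perl eval does not help: memory corruption or a
# segfault is not a Perl exception, which is the point of the hardened form.
my $huge = "99999999999999999999";

my $out = eval { format_untrusted($huge, 42) };
if (defined $out) {
    print "untrusted format produced ", length($out), " bytes\n";
} else {
    print "untrusted format died: $@";
}

print "[", format_safe(8, 42), "]\n";
print echo_safe("%n%n%n"), "\n";

my $bad = eval { format_safe($huge, 42) };
if (defined $bad) {
    print "huge width accepted (policy bug)\n";
} else {
    print "huge width rejected: $@";
}
```

The `%*d` form is the idiomatic answer to "the width comes from a variable": the width travels in the argument list, where it is a plain integer that can be range-checked, instead of being spliced into the format string where it is parsed as part of the syntax.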