[Mpls-pm] Fwd: Perl format string integer wrap vulnerability
ken at mathforum.org
Fri Dec 2 17:14:28 PST 2005
On Dec 2, 2005, at 11:29 AM, Joshua ben Jore wrote:
> BTW, does anyone know how to get perl to do something more useful than
> segfault when given a bad format? The bug is triggered by using a
> format like "%" . ( $n + MAXINT ) . "d". The number is getting
> assigned into a signed integer and this is where the problem is, I
> guess. Somehow this allows an attacker to write to arbitrary memory.
Well, it's only arbitrary memory within that process's address space,
not arbitrary memory in the computer. So on *nix a person can't
elevate their privileges unless they can find a script running as
someone else and it does printf("%$variable"...) and they can change
$variable by supplying some tricky input. Sort of a tall order, but
since it's not impossible it's a security bug.
On platforms where a process can write to memory outside its address
space, it's sort of a moot point, as on those systems the attacker
could just write a simpler program to do so.
More information about the Mpls-pm