Perl flaw more dangerous than thought

A type of security flaw in Perl applications that experts thought could lead only to a denial-of-service attack is now believed to be much more serious.

Dyad Security on Tuesday warned of a so-called "format string vulnerability" in Webmin, a Web-based administration utility written in Perl. An attacker could gain complete control over a server running the vulnerable software by exploiting this "new class" of flaw, the security research company said in an advisory.

"If remote code execution is successful, it would lead to a full remote root compromise in a standard configuration," according to the advisory.

Format string vulnerabilities are not new, but experts previously thought such flaws in applications written in Perl could not be used to remotely run code on a target system, experts from Symantec and eEye Digital Security said.

Such attacks have been possible via format string bugs if the application in question was coded in a lower-level programming language, such as C, according to Symantec.

"This is potentially the first in a new breed of format string vulnerabilities," said Oliver Friedrichs, the senior manager at Symantec Security Response. "Previously this was thought to be just a denial-of-service attack. Now that it is found to be exploitable, that increases the value substantially. Attackers are certainly going to start looking for them."

Perl, a popular scripting language, is widely used for Web applications, often on servers that run the Linux operating system. With the security of operating systems improving, attackers have been looking at Web applications and other software as a way to break into systems.

"Given the focus on Web applications in general, this format string vulnerability exploitability adds another tool to the chest of attackers," said Steve Manzuik, the security product manager at eEye in California. "Web servers are a good target because of a lot of Perl scripts would be available to anonymous, remote users."

Symantec and eEye have not been able to independently validate the claims by Dyad, which are backed up by security vendor Immunity. Symantec believes the claims to be true, while eEye's Manzuik isn't sure yet. "I normally take it with a grain of salt until I actually see some proof. If it turns out to be legitimate, it would be a very serious issue," he said.

To protect their systems, users of Webmin first and foremost should upgrade to the latest version of the utility, Friedrichs said. "In the longer term, you want to make sure that you are using format strings correctly in your applications," he said.

Format strings are the way programmers specify how output should be formatted in an application. A flaw occurs when a programmer uses the strings incorrectly. That could enable an attacker to read and write to memory on the system running the application, resulting in the execution of code of the attacker's choice.

It is too early to tell what the full impact of the broader scope of the format string vulnerabilities will be, Friedrichs said. "The concerning part of this is that this [Webmin flaw] is really the first in a potential growing number of format string vulnerabilities that we may see," he said.

One way that the problem may be addressed is by Perl developers, who may address the issue of format string vulnerabilities in Perl itself, Friedrichs said.