CVE-2005-0155 - Unspecified vulnerability in Larry Wall Perl 5.8.0
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files via the PERLIO_DEBUG variable.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Exploit-Db
description | Setuid perl PerlIO_Debug() root owned file creation. CVE-2005-0155. Local exploit for linux platform |
id | EDB-ID:792 |
last seen | 2016-01-31 |
modified | 2005-02-07 |
published | 2005-02-07 |
reporter | Kevin Finisterre |
source | https://www.exploit-db.com/download/792/ |
title | Setuid perl PerlIO_Debug Root owned file creation |
Nessus
NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2006-0605.NASL |
description | Updated Perl packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a flaw in sperl, the Perl setuid wrapper, which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. (CVE-2005-0155) A fix for this issue was first included in the update RHSA-2005:103 released in February 2005. However the patch to correct this issue was dropped from the update RHSA-2005:674 made in October 2005. This regression has been assigned CVE-2006-3813. Users of Perl are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 22278 |
published | 2006-08-30 |
reporter | This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/22278 |
title | CentOS 4 : perl (CESA-2006:0605) |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2006:0605 and
# CentOS Errata and Security Advisory 2006:0605 respectively.
#

include("compat.inc");

# Plugin metadata, registered when the scanner loads the script.
if (description)
{
  script_id(22278);
  script_version("1.16");
  script_cvs_date("Date: 2019/10/25 13:36:03");

  script_cve_id("CVE-2005-0155", "CVE-2006-3813");
  script_bugtraq_id(12426);
  script_xref(name:"RHSA", value:"2006:0605");

  script_name(english:"CentOS 4 : perl (CESA-2006:0605)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated Perl packages that fix security a security issue are now
available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the
Red Hat Security Response Team.

Perl is a high-level programming language commonly used for system
administration utilities and Web programming.

Kevin Finisterre discovered a flaw in sperl, the Perl setuid wrapper,
which can cause debugging information to be logged to arbitrary files.
By setting an environment variable, a local user could cause sperl to
create, as root, files with arbitrary filenames, or append the
debugging information to existing files. (CVE-2005-0155)

A fix for this issue was first included in the update RHSA-2005:103
released in February 2005. However the patch to correct this issue was
dropped from the update RHSA-2005:674 made in October 2005. This
regression has been assigned CVE-2006-3813.

Users of Perl are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue."
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-August/013145.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?d1724583"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-August/013146.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?70d19609"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-August/013176.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?bce6c173"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected perl packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:perl-suidperl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/08/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/30");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Local check: requires a CentOS 4.x host on a supported CPU with a collected RPM list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);

# Compare the installed perl and perl-suidperl packages against the fixed builds.
flag = 0;
if (rpm_check(release:"CentOS-4", reference:"perl-5.8.5-36.RHEL4")) flag++;
if (rpm_check(release:"CentOS-4", reference:"perl-suidperl-5.8.5-36.RHEL4")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "perl / perl-suidperl");
}
```

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2005-103.NASL |
description | Updated Perl packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0156 to this issue. Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0155 to this issue. An unsafe file permission bug was discovered in the rmtree() function in the File::Path module. The rmtree() function removes files and directories in an insecure manner, which could allow a local user to read or delete arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0452 to this issue. Users of Perl are advised to upgrade to this updated package, which contains backported patches to correct these issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 17187 |
published | 2005-02-22 |
reporter | This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/17187 |
title | RHEL 4 : perl (RHSA-2005:103) |

NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_A5EB760A753C11D9A36F000A95BC6FAE.NASL |
description | Kevin Finisterre discovered bugs in perl |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 19062 |
published | 2005-07-13 |
reporter | This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/19062 |
title | FreeBSD : perl -- vulnerabilities in PERLIO_DEBUG handling (a5eb760a-753c-11d9-a36f-000a95bc6fae) |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-72-1.NASL |
description | Two exploitable vulnerabilities involving setuid-enabled perl scripts have been discovered. The package |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 20693 |
published | 2006-01-15 |
reporter | Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/20693 |
title | Ubuntu 4.10 : perl vulnerabilities (USN-72-1) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2005-105.NASL |
description | Updated Perl packages that fix several security issues are now available for Red Hat Enterprise Linux 3. Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0156 to this issue. Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0155 to this issue. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 16361 |
published | 2005-02-10 |
reporter | This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/16361 |
title | RHEL 3 : perl (RHSA-2005:105) |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2005-031.NASL |
description | Jeroen van Wolffelaar discovered that the rmtree() function in the perl File::Path module would remove directories in an insecure manner which could lead to the removal of arbitrary files and directories via a symlink attack (CVE-2004-0452). Trustix developers discovered several insecure uses of temporary files in many modules which could allow a local attacker to overwrite files via symlink attacks (CVE-2004-0976). |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 16360 |
published | 2005-02-10 |
reporter | This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/16360 |
title | Mandrake Linux Security Advisory : perl (MDKSA-2005:031) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2006-0605.NASL |
description | Updated Perl packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a flaw in sperl, the Perl setuid wrapper, which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. (CVE-2005-0155) A fix for this issue was first included in the update RHSA-2005:103 released in February 2005. However the patch to correct this issue was dropped from the update RHSA-2005:674 made in October 2005. This regression has been assigned CVE-2006-3813. Users of Perl are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 22223 |
published | 2006-08-14 |
reporter | This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/22223 |
title | RHEL 4 : perl (RHSA-2006:0605) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200502-13.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200502-13 (Perl: Vulnerabilities in perl-suid wrapper) perl-suid scripts honor the PERLIO_DEBUG environment variable and write to that file with elevated privileges (CAN-2005-0155). Furthermore, calling a perl-suid script with a very long path while PERLIO_DEBUG is set could trigger a buffer overflow (CAN-2005-0156). Impact : A local attacker could set the PERLIO_DEBUG environment variable and call existing perl-suid scripts, resulting in file overwriting and potentially the execution of arbitrary code with root privileges. Workaround : You are not vulnerable if you do not have the perlsuid USE flag set or do not use perl-suid scripts. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 16450 |
published | 2005-02-14 |
reporter | This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/16450 |
title | GLSA-200502-13 : Perl: Vulnerabilities in perl-suid wrapper |
Oval
accepted | 2013-04-29T04:05:22.475-04:00 |
class | vulnerability |
contributors |
definition_extensions |
description | The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files via the PERLIO_DEBUG variable. |
family | unix |
id | oval:org.mitre.oval:def:10404 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack. |
version | 26 |
Redhat
advisories |
rpms |
References
- http://www.gentoo.org/security/en/glsa/glsa-200502-13.xml
- http://www.redhat.com/support/errata/RHSA-2005-103.html
- http://www.redhat.com/support/errata/RHSA-2005-105.html
- http://www.trustix.org/errata/2005/0003/
- http://www.securityfocus.com/bid/12426
- http://secunia.com/advisories/14120
- http://fedoranews.org/updates/FEDORA--.shtml
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=001056
- http://support.avaya.com/elmodocs2/security/ASA-2006-163.htm
- http://secunia.com/advisories/21646
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:031
- http://marc.info/?l=bugtraq&m=110737149402683&w=2
- http://marc.info/?l=full-disclosure&m=110779723332339&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19207
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10404
- http://www.digitalmunition.com/DMA%5B2005-0131a%5D.txt