CVE-2005-0156

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree.

Exploit-Db

description: Setuid perl PerlIO_Debug() overflow. CVE-2005-0156. Local exploit for linux platform
id: EDB-ID:791
last seen: 2016-01-31
modified: 2005-02-07
published: 2005-02-07
reporter: Kevin Finisterre
source: https://www.exploit-db.com/download/791/
title: Setuid perl PerlIO_Debug Overflow

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-103.NASL
    description: Updated Perl packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0156 to this issue. Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0155 to this issue. An unsafe file permission bug was discovered in the rmtree() function in the File::Path module. The rmtree() function removes files and directories in an insecure manner, which could allow a local user to read or delete arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0452 to this issue. Users of Perl are advised to upgrade to this updated package, which contains backported patches to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17187
    published: 2005-02-22
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/17187
    title: RHEL 4 : perl (RHSA-2005:103)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_A5EB760A753C11D9A36F000A95BC6FAE.NASL
    description: Kevin Finisterre discovered bugs in perl
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19062
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19062
    title: FreeBSD : perl -- vulnerabilities in PERLIO_DEBUG handling (a5eb760a-753c-11d9-a36f-000a95bc6fae)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-72-1.NASL
    description: Two exploitable vulnerabilities involving setuid-enabled perl scripts have been discovered. The package
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20693
    published: 2006-01-15
    reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20693
    title: Ubuntu 4.10 : perl vulnerabilities (USN-72-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-105.NASL
    description: Updated Perl packages that fix several security issues are now available for Red Hat Enterprise Linux 3. Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0156 to this issue. Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0155 to this issue. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16361
    published: 2005-02-10
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/16361
    title: RHEL 3 : perl (RHSA-2005:105)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-031.NASL
    description: Jeroen van Wolffelaar discovered that the rmtree() function in the perl File::Path module would remove directories in an insecure manner which could lead to the removal of arbitrary files and directories via a symlink attack (CVE-2004-0452). Trustix developers discovered several insecure uses of temporary files in many modules which could allow a local attacker to overwrite files via symlink attacks (CVE-2004-0976).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16360
    published: 2005-02-10
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16360
    title: Mandrake Linux Security Advisory : perl (MDKSA-2005:031)
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS11_PERL-58_20131015.NASL
    description: The remote Solaris system is missing necessary patches to address security updates:
      - Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack. (CVE-2004-0452)
      - Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree. (CVE-2005-0156)
      - Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452. (CVE-2005-0448)
      - Untrusted search path vulnerability in Perl before 5.8.7-r1 on Gentoo Linux allows local users in the portage group to gain privileges via a malicious shared object in the Portage temporary build directory, which is part of the RUNPATH. (CVE-2005-4278)
      - Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string. (CVE-2010-1158)
      - Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow. (CVE-2011-2939)
      - CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm. (CVE-2012-5526)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 80731
    published: 2015-01-19
    reporter: This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/80731
    title: Oracle Solaris Third-Party Patch Update : perl-58 (cve_2012_5526_configuration_vulnerability1)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200502-13.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200502-13 (Perl: Vulnerabilities in perl-suid wrapper) perl-suid scripts honor the PERLIO_DEBUG environment variable and write to that file with elevated privileges (CAN-2005-0155). Furthermore, calling a perl-suid script with a very long path while PERLIO_DEBUG is set could trigger a buffer overflow (CAN-2005-0156). Impact: A local attacker could set the PERLIO_DEBUG environment variable and call existing perl-suid scripts, resulting in file overwriting and potentially the execution of arbitrary code with root privileges. Workaround: You are not vulnerable if you do not have the perlsuid USE flag set or do not use perl-suid scripts.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16450
    published: 2005-02-14
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16450
    title: GLSA-200502-13 : Perl: Vulnerabilities in perl-suid wrapper

Oval

accepted: 2013-04-29T04:08:55.654-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree.
family: unix
id: oval:org.mitre.oval:def:10803
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree.
version: 26

Redhat

advisories
  • rhsa
    id: RHSA-2005:103
  • rhsa
    id: RHSA-2005:105
rpms
  • perl-3:5.8.5-12.1
  • perl-debuginfo-3:5.8.5-12.1
  • perl-suidperl-3:5.8.5-12.1.1
  • perl-2:5.8.0-89.10
  • perl-CGI-2:2.81-89.10
  • perl-CPAN-2:1.61-89.10
  • perl-DB_File-2:1.804-89.10
  • perl-debuginfo-2:5.8.0-89.10
  • perl-suidperl-2:5.8.0-89.10