CVE-2005-0448 - Local Race Condition Privilege Escalation vulnerability in Perl 'rmdir()'
- Attack vector: LOCAL
- Attack complexity: HIGH
- Privileges required: NONE
- Confidentiality impact: NONE
- Integrity impact: PARTIAL
- Availability impact: NONE

Summary
Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 4 |
Nessus
- NASL family: Mandriva Local Security Checks
  - NASL id: MANDRAKE_MDKSA-2005-079.NASL
  - description: Paul Szabo discovered another vulnerability in the rmtree() function in File::Path.pm. While a process running as root (or another user) was busy deleting a directory tree, a different user could exploit a race condition to create setuid binaries in this directory tree, provided that he already had write permissions in any subdirectory of that tree. The provided packages have been patched to resolve this problem.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 18172
  - published: 2005-05-02
  - reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/18172
  - title: Mandrake Linux Security Advisory : perl (MDKSA-2005:079)
  - code:

```
#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2005:079.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(18172);
  script_version ("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:47");

  script_cve_id("CVE-2005-0448");
  script_xref(name:"MDKSA", value:"2005:079");

  script_name(english:"Mandrake Linux Security Advisory : perl (MDKSA-2005:079)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Paul Szabo discovered another vulnerability in the rmtree() function in File::Path.pm. While a process running as root (or another user) was busy deleting a directory tree, a different user could exploit a race condition to create setuid binaries in this directory tree, provided that he already had write permissions in any subdirectory of that tree. The provided packages have been patched to resolve this problem."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:perl-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:perl-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:perl-doc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mandrakesoft:mandrake_linux:le2005");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/04/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

flag = 0;
if (rpm_check(release:"MDK10.0", reference:"perl-5.8.3-5.4.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", reference:"perl-base-5.8.3-5.4.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", reference:"perl-devel-5.8.3-5.4.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", reference:"perl-doc-5.8.3-5.4.100mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK10.1", reference:"perl-5.8.5-3.4.101mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.1", reference:"perl-base-5.8.5-3.4.101mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.1", reference:"perl-devel-5.8.5-3.4.101mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.1", reference:"perl-doc-5.8.5-3.4.101mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK10.2", reference:"perl-5.8.6-6.1.102mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.2", reference:"perl-base-5.8.6-6.1.102mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.2", reference:"perl-devel-5.8.6-6.1.102mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.2", reference:"perl-doc-5.8.6-6.1.102mdk", yank:"mdk")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
- NASL family: Debian Local Security Checks
  - NASL id: DEBIAN_DSA-1678.NASL
  - description: Paul Szabo rediscovered a vulnerability in the File::Path::rmtree function of Perl. It was possible to exploit a race condition to create setuid binaries in a directory tree or remove arbitrary files when a process is deleting this tree. This issue was originally known as CVE-2005-0448 and CVE-2004-0452, which were addressed by DSA-696-1 and DSA-620-1. Unfortunately, they were reintroduced later.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 35031
  - published: 2008-12-04
  - reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/35031
  - title: Debian DSA-1678-1 : perl - design flaws
- NASL family: FreeBSD Local Security Checks
  - NASL id: FREEBSD_PKG_4A99D61CF23A11DD9F550030843D3802.NASL
  - description: Secunia reports : Paul Szabo has reported a vulnerability in Perl File::Path::rmtree, which potentially can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to a race condition in the way File::Path::rmtree handles directory permissions when cleaning up directories. This can be exploited by replacing an existing sub directory in the directory tree with a symbolic link to an arbitrary file. Successful exploitation may allow changing permissions of arbitrary files, if root uses an application using the vulnerable code to delete files in a directory having a world-writable sub directory.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 35582
  - published: 2009-02-04
  - reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/35582
  - title: FreeBSD : perl -- Directory Permissions Race Condition (4a99d61c-f23a-11dd-9f55-0030843d3802)
- NASL family: Red Hat Local Security Checks
  - NASL id: REDHAT-RHSA-2005-674.NASL
  - description: Updated Perl packages that fix security issues and contain several bug fixes are now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. Paul Szabo discovered a bug in the way Perl
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 19992
  - published: 2005-10-11
  - reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/19992
  - title: RHEL 4 : perl (RHSA-2005:674)
- NASL family: Red Hat Local Security Checks
  - NASL id: REDHAT-RHSA-2005-881.NASL
  - description: Updated Perl packages that fix security issues and bugs are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. An integer overflow bug was found in Perl
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 20367
  - published: 2005-12-30
  - reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/20367
  - title: RHEL 3 : perl (RHSA-2005:881)
- NASL family: FreeBSD Local Security Checks
  - NASL id: FREEBSD_PKG_13B0C8C8BEE011DDA708001FC66E7203.NASL
  - description: Jan Lieskovsky reports : perl-File-Path rmtree race condition (CVE-2005-0448 was assigned to address this) This vulnerability was fixed in 5.8.4-7 but re-introduced in 5.8.8-1. It
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 35289
  - published: 2009-01-05
  - reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/35289
  - title: FreeBSD : p5-File-Path -- rmtree allows creation of setuid files (13b0c8c8-bee0-11dd-a708-001fc66e7203)
- NASL family: Gentoo Local Security Checks
  - NASL id: GENTOO_GLSA-200501-38.NASL
  - description: The remote host is affected by the vulnerability described in GLSA-200501-38 (Perl: rmtree and DBI tmpfile vulnerabilities) Javier Fernandez-Sanguino Pena discovered that the DBI library creates temporary files in an insecure, predictable way (CAN-2005-0077). Paul Szabo found out that
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 16429
  - published: 2005-02-14
  - reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/16429
  - title: GLSA-200501-38 : Perl: rmtree and DBI tmpfile vulnerabilities
- NASL family: Ubuntu Local Security Checks
  - NASL id: UBUNTU_USN-94-1.NASL
  - description: Paul Szabo discovered another vulnerability in the rmtree() function in File::Path.pm. While a process running as root (or another user) was busy deleting a directory tree, a different user could exploit a race condition to create setuid binaries in this directory tree, provided that he already had write permissions in any subdirectory of that tree. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 20720
  - published: 2006-01-15
  - reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/20720
  - title: Ubuntu 4.10 : perl vulnerability (USN-94-1)
- NASL family: CentOS Local Security Checks
  - NASL id: CENTOS_RHSA-2005-881.NASL
  - description: Updated Perl packages that fix security issues and bugs are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. An integer overflow bug was found in Perl
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 21877
  - published: 2006-07-03
  - reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/21877
  - title: CentOS 3 : perl (CESA-2005:881)
- NASL family: Debian Local Security Checks
  - NASL id: DEBIAN_DSA-696.NASL
  - description: Paul Szabo discovered another vulnerability in the File::Path::rmtree function of perl, the popular scripting language. When a process is deleting a directory tree, a different user could exploit a race condition to create setuid binaries in this directory tree, provided that he already had write permissions in any subdirectory of that tree.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 17600
  - published: 2005-03-23
  - reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/17600
  - title: Debian DSA-696-1 : perl - design flaw
- NASL family: Solaris Local Security Checks
  - NASL id: SOLARIS11_PERL-58_20131015.NASL
  - description: The remote Solaris system is missing necessary patches to address security updates :
    - Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack. (CVE-2004-0452)
    - Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree. (CVE-2005-0156)
    - Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452. (CVE-2005-0448)
    - Untrusted search path vulnerability in Perl before 5.8.7-r1 on Gentoo Linux allows local users in the portage group to gain privileges via a malicious shared object in the Portage temporary build directory, which is part of the RUNPATH. (CVE-2005-4278)
    - Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string. (CVE-2010-1158)
    - Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow. (CVE-2011-2939)
    - CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm. (CVE-2012-5526)
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 80731
  - published: 2015-01-19
  - reporter: This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/80731
  - title: Oracle Solaris Third-Party Patch Update : perl-58 (cve_2012_5526_configuration_vulnerability1)
- NASL family: CentOS Local Security Checks
  - NASL id: CENTOS_RHSA-2005-674.NASL
  - description: Updated Perl packages that fix security issues and contain several bug fixes are now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. Paul Szabo discovered a bug in the way Perl
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 67031
  - published: 2013-06-29
  - reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/67031
  - title: CentOS 4 : perl (CESA-2005:674)
Oval
- id: oval:org.mitre.oval:def:10475
  - accepted: 2013-04-29T04:05:58.777-04:00
  - class: vulnerability
  - contributors:
    - name: Aharon Chernin, organization: SCAP.com, LLC
    - name: Dragos Prisaca, organization: G2, Inc.
  - definition_extensions:
    - comment: The operating system installed on the system is Red Hat Enterprise Linux 3, oval: oval:org.mitre.oval:def:11782
    - comment: CentOS Linux 3.x, oval: oval:org.mitre.oval:def:16651
    - comment: The operating system installed on the system is Red Hat Enterprise Linux 4, oval: oval:org.mitre.oval:def:11831
    - comment: CentOS Linux 4.x, oval: oval:org.mitre.oval:def:16636
    - comment: Oracle Linux 4.x, oval: oval:org.mitre.oval:def:15990
  - description: Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.
  - family: unix
  - status: accepted
  - submitted: 2010-07-09T03:56:16-04:00
  - title: Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.
  - version: 26
- id: oval:org.mitre.oval:def:728
  - accepted: 2014-03-24T04:01:54.839-04:00
  - class: vulnerability
  - contributors:
    - name: Robert L. Hollis, organization: ThreatGuard, Inc.
    - name: Matthew Wojcik, organization: The MITRE Corporation
    - name: Jonathan Baker, organization: The MITRE Corporation
    - name: Sushant Kumar Singh, organization: Hewlett-Packard
    - name: Sushant Kumar Singh, organization: Hewlett-Packard
  - description: Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.
  - family: unix
  - status: accepted
  - submitted: 2006-09-22T05:48:00.000-04:00
  - title: HP-UX 11 Perl rmtree Race Condition
  - version: 42
References
- ftp://patches.sgi.com/support/free/security/advisories/20060101-01-U
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=001056
- http://fedoranews.org/updates/FEDORA--.shtml
- http://secunia.com/advisories/14531
- http://secunia.com/advisories/17079
- http://secunia.com/advisories/18075
- http://secunia.com/advisories/18517
- http://secunia.com/advisories/55314
- http://www.debian.org/security/2005/dsa-696
- http://www.gentoo.org/security/en/glsa/glsa-200501-38.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:079
- http://www.redhat.com/support/errata/RHSA-2005-674.html
- http://www.redhat.com/support/errata/RHSA-2005-881.html
- http://www.securityfocus.com/advisories/8704
- http://www.securityfocus.com/bid/12767
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10475
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A728
- https://usn.ubuntu.com/94-1/