Vulnerabilities > CVE-2008-5302 - Race Condition vulnerability in Perl File::Path 1.08/2.07

047910
CVSS 6.9 - MEDIUM
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
perl
CWE-362
nessus

Summary

Race condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5303 due to affected versions.

Vulnerable Configurations

Part Description Count
Application
Perl
4

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2010-116.NASL
    descriptionMultiple vulnerabilities has been discovered and corrected in Path.pm and Safe.pm which could lead to escalated privilegies (CVE-2008-5302, CVE-2008-5303, CVE-2010-1168, CVE-2010-1447). The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id46878
    published2010-06-14
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/46878
    titleMandriva Linux Security Advisory : perl (MDVSA-2010:116)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1678.NASL
    descriptionPaul Szabo rediscovered a vulnerability in the File::Path::rmtree function of Perl. It was possible to exploit a race condition to create setuid binaries in a directory tree or remove arbitrary files when a process is deleting this tree. This issue was originally known as CVE-2005-0448 and CVE-2004-0452, which were addressed by DSA-696-1 and DSA-620-1. Unfortunately, they were reintroduced later.
    last seen2020-06-01
    modified2020-06-02
    plugin id35031
    published2008-12-04
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/35031
    titleDebian DSA-1678-1 : perl - design flaws
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2010-0458.NASL
    descriptionUpdated perl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Perl is a high-level programming language commonly used for system administration utilities and web programming. The Safe extension module allows users to compile and execute Perl code in restricted compartments. The File::Path module allows users to create and remove directory trees. The Safe module did not properly restrict the code of implicitly called methods (such as DESTROY and AUTOLOAD) on implicitly blessed objects returned as a result of unsafe code evaluation. These methods could have been executed unrestricted by Safe when such objects were accessed or destroyed. A specially crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions. (CVE-2010-1168) The Safe module did not properly restrict code compiled in a Safe compartment and executed out of the compartment via a subroutine reference returned as a result of unsafe code evaluation. A specially crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions, if the returned subroutine reference was called from outside of the compartment. (CVE-2010-1447) Multiple race conditions were found in the way the File::Path module
    last seen2020-06-01
    modified2020-06-02
    plugin id46834
    published2010-06-08
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/46834
    titleRHEL 5 : perl (RHSA-2010:0458)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2010-0458.NASL
    descriptionUpdated perl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Perl is a high-level programming language commonly used for system administration utilities and web programming. The Safe extension module allows users to compile and execute Perl code in restricted compartments. The File::Path module allows users to create and remove directory trees. The Safe module did not properly restrict the code of implicitly called methods (such as DESTROY and AUTOLOAD) on implicitly blessed objects returned as a result of unsafe code evaluation. These methods could have been executed unrestricted by Safe when such objects were accessed or destroyed. A specially crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions. (CVE-2010-1168) The Safe module did not properly restrict code compiled in a Safe compartment and executed out of the compartment via a subroutine reference returned as a result of unsafe code evaluation. A specially crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions, if the returned subroutine reference was called from outside of the compartment. (CVE-2010-1447) Multiple race conditions were found in the way the File::Path module
    last seen2020-06-01
    modified2020-06-02
    plugin id46874
    published2010-06-14
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/46874
    titleCentOS 5 : perl (CESA-2010:0458)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20100607_PERL_ON_SL5_X.NASL
    descriptionPerl is a high-level programming language commonly used for system administration utilities and web programming. The Safe extension module allows users to compile and execute Perl code in restricted compartments. The File::Path module allows users to create and remove directory trees. The Safe module did not properly restrict the code of implicitly called methods (such as DESTROY and AUTOLOAD) on implicitly blessed objects returned as a result of unsafe code evaluation. These methods could have been executed unrestricted by Safe when such objects were accessed or destroyed. A specially crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions. (CVE-2010-1168) The Safe module did not properly restrict code compiled in a Safe compartment and executed out of the compartment via a subroutine reference returned as a result of unsafe code evaluation. A specially crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions, if the returned subroutine reference was called from outside of the compartment. (CVE-2010-1447) Multiple race conditions were found in the way the File::Path module
    last seen2020-06-01
    modified2020-06-02
    plugin id60801
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60801
    titleScientific Linux Security Update : perl on SL5.x i386/x86_64
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2010-0458.NASL
    descriptionFrom Red Hat Security Advisory 2010:0458 : Updated perl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Perl is a high-level programming language commonly used for system administration utilities and web programming. The Safe extension module allows users to compile and execute Perl code in restricted compartments. The File::Path module allows users to create and remove directory trees. The Safe module did not properly restrict the code of implicitly called methods (such as DESTROY and AUTOLOAD) on implicitly blessed objects returned as a result of unsafe code evaluation. These methods could have been executed unrestricted by Safe when such objects were accessed or destroyed. A specially crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions. (CVE-2010-1168) The Safe module did not properly restrict code compiled in a Safe compartment and executed out of the compartment via a subroutine reference returned as a result of unsafe code evaluation. A specially crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions, if the returned subroutine reference was called from outside of the compartment. (CVE-2010-1447) Multiple race conditions were found in the way the File::Path module
    last seen2020-06-01
    modified2020-06-02
    plugin id68048
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68048
    titleOracle Linux 5 : perl (ELSA-2010-0458)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2010-0013.NASL
    descriptiona. Service Console update for cpio The service console package cpio is updated to version 2.5-6.RHEL3 for ESX 3.x versions and updated to version 2.6-23.el5_4.1 for ESX 4.x versions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-4268 and CVE-2010-0624 to the issues addressed in the update for ESX 3.x and the names CVE-2007-4476 and CVE-2010-0624 to the issues addressed in the update for ESX 4.x. b. Service Console update for tar The service console package tar is updated to version 1.13.25-16.RHEL3 for ESX 3.x versions and updated to version 1.15.1-23.0.1.el5_4.2 for ESX 4.x versions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-0624 to the issue addressed in the update for ESX 3.x and the names CVE-2007-4476 and CVE-2010-0624 to the issues addressed in the update for ESX 4.x. c. Service Console update for samba The service console packages for samba are updated to version samba-3.0.9-1.3E.17vmw, samba-client-3.0.9-1.3E.17vmw and samba-common-3.0.9-1.3E.17vmw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2063 to the issue addressed in this update. Note : The issue mentioned above is present in the Samba server (smbd) and is not present in the Samba client or Samba common packages. To determine if your system has Samba server installed do a
    last seen2020-06-01
    modified2020-06-02
    plugin id49085
    published2010-09-02
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/49085
    titleVMSA-2010-0013 : VMware ESX third-party updates for Service Console
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-700-1.NASL
    descriptionJonathan Smith discovered that the Archive::Tar Perl module did not correctly handle symlinks when extracting archives. If a user or automated system were tricked into opening a specially crafted tar file, a remote attacker could over-write arbitrary files. (CVE-2007-4829) Tavis Ormandy and Will Drewry discovered that Perl did not correctly handle certain utf8 characters in regular expressions. If a user or automated system were tricked into using a specially crafted expression, a remote attacker could crash the application, leading to a denial of service. Ubuntu 8.10 was not affected by this issue. (CVE-2008-1927) A race condition was discovered in the File::Path Perl module
    last seen2020-06-01
    modified2020-06-02
    plugin id37888
    published2009-04-23
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/37888
    titleUbuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : libarchive-tar-perl, perl vulnerabilities (USN-700-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201311-17.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201311-17 (Perl: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Perl. Please review the CVE identifiers referenced below for details. Impact : A local attacker could cause a Denial of Service condition or perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application. A context-dependent attacker could cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id71119
    published2013-11-29
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/71119
    titleGLSA-201311-17 : Perl: Multiple vulnerabilities
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2010-002.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5 that does not have Security Update 2010-002 applied. This security update contains fixes for the following products : - AppKit - Application Firewall - AFP Server - Apache - ClamAV - CoreTypes - CUPS - curl - Cyrus IMAP - Cyrus SASL - Disk Images - Directory Services - Event Monitor - FreeRADIUS - FTP Server - iChat Server - Image RAW - Libsystem - Mail - Mailman - OS Services - Password Server - perl - PHP - PS Normalizer - Ruby - Server Admin - SMB - Tomcat - unzip - vim - Wiki Server - X11 - xar
    last seen2020-06-01
    modified2020-06-02
    plugin id45373
    published2010-03-29
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/45373
    titleMac OS X Multiple Vulnerabilities (Security Update 2010-002)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-700-2.NASL
    descriptionUSN-700-1 fixed vulnerabilities in Perl. Due to problems with the Ubuntu 8.04 build, some Perl .ph files were missing from the resulting update. This update fixes the problem. We apologize for the inconvenience. Jonathan Smith discovered that the Archive::Tar Perl module did not correctly handle symlinks when extracting archives. If a user or automated system were tricked into opening a specially crafted tar file, a remote attacker could over-write arbitrary files. (CVE-2007-4829) Tavis Ormandy and Will Drewry discovered that Perl did not correctly handle certain utf8 characters in regular expressions. If a user or automated system were tricked into using a specially crafted expression, a remote attacker could crash the application, leading to a denial of service. Ubuntu 8.10 was not affected by this issue. (CVE-2008-1927) A race condition was discovered in the File::Path Perl module
    last seen2020-06-01
    modified2020-06-02
    plugin id37746
    published2009-04-23
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/37746
    titleUbuntu 8.04 LTS : perl regression (USN-700-2)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2010-0013_REMOTE.NASL
    descriptionThe remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries : - GNU cpio - GNU cpio on 64-bit - GNU tar - Kerberos 5 - Perl - PostgreSQL - Safe Module for Perl Automagic Methods - Samba smbd
    last seen2020-06-01
    modified2020-06-02
    plugin id89741
    published2016-03-08
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89741
    titleVMware ESX Multiple Vulnerabilities (VMSA-2010-0013) (remote check)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_PERL-090128.NASL
    descriptionThis perl update fixes a race condition in rmtree. (CVE-2008-5302)
    last seen2020-06-01
    modified2020-06-02
    plugin id40105
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40105
    titleopenSUSE Security Update : perl (perl-482)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_PERL-090128.NASL
    descriptionThis perl update fixes a race condition in rmtree. (CVE-2008-5302)
    last seen2020-06-01
    modified2020-06-02
    plugin id40295
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40295
    titleopenSUSE Security Update : perl (perl-482)

Oval

  • accepted2013-04-29T04:11:18.738-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
      ovaloval:org.mitre.oval:def:11414
    • commentThe operating system installed on the system is CentOS Linux 5.x
      ovaloval:org.mitre.oval:def:15802
    • commentOracle Linux 5.x
      ovaloval:org.mitre.oval:def:15459
    descriptionRace condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5303 due to affected versions.
    familyunix
    idoval:org.mitre.oval:def:11076
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleRace condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5303 due to affected versions.
    version18
  • accepted2014-01-20T04:01:30.072-05:00
    classvulnerability
    contributors
    • nameVarun
      organizationHewlett-Packard
    • nameChris Coffin
      organizationThe MITRE Corporation
    definition_extensions
    commentVMware ESX Server 4.0 is installed
    ovaloval:org.mitre.oval:def:6293
    descriptionRace condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5303 due to affected versions.
    familyunix
    idoval:org.mitre.oval:def:6890
    statusaccepted
    submitted2010-10-01T16:37:39.000-05:00
    titleVMware ESX,Service Console update for perl.
    version7

Redhat

advisories
rhsa
idRHSA-2010:0458
rpms
  • perl-4:5.8.8-32.el5_5.1
  • perl-debuginfo-4:5.8.8-32.el5_5.1
  • perl-suidperl-4:5.8.8-32.el5_5.1

Seebug

bulletinFamilyexploit
descriptionCVE ID: CVE-2005-4268,CVE-2010-0624,CVE-2007-4476,CVE-2010-2063,CVE-2010-1321,CVE-2010-1168,CVE-2010-1447,CVE-2008-5302,CVE-2008-5303 VMware ESX Server是为适用于任何系统环境的企业级虚拟计算机软件。 ESX Console OS (COS)在cpio、tar、perl、krb5、samba等应用的实现上存在多个漏洞,其中最严重的漏洞可造成服务器拒绝服务或执行任意代码。 0 VMWare ESX Server 厂商补丁: VMWare ------ VMWare已经为此发布了一个安全公告(VMSA-2010-0013)以及相应补丁: VMSA-2010-0013:VMware ESX third party updates for Service Console 链接:http://www.vmware.com/security/advisories/VMSA-2010-0013.html
idSSV:30015
last seen2017-11-19
modified2012-01-13
published2012-01-13
reporterRoot
titleVMware ESX Service Console多个安全漏洞

Statements

contributorTomas Hoger
lastmodified2010-06-07
organizationRed Hat
statementThis issue has been addressed in perl packages as shipped in Red Hat Enterprise Linux 3 and 4 via https://rhn.redhat.com/errata/RHSA-2010-0457.html and Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0458.html.