Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 114113 - dev-lang/perl: Perl format string integer wrap vulnerability
Summary: dev-lang/perl: Perl format string integer wrap vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: A1? [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-12-01 01:08 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-12-24 17:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-12-01 01:08:30 UTC
SUMMARY. perl suffers from an integer wrap overflow inside the explicit 
parameter format string functionality, this has been confirmed to be a 
vector for remote code execution. 
 
Date Found: 
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-12-01 01:08:30 UTC
SUMMARY. perl suffers from an integer wrap overflow inside the explicit 
parameter format string functionality, this has been confirmed to be a 
vector for remote code execution. 
 
Date Found:     September 23, 2005. 
Public Release: TBD. 
Application:    perl 
Credit:         Jack Louis of Dyad Security 
 
BACKGROUND.  perl is a cross-platform scripting language. for more 
details see Perl.org 
 
DESCRIPTION.  Value over INT_MAX(value of I) inside explicit parameter 
format string (%I$n) causes integer wrap in the efix (32bit signed 
integer) variable inside the function Perl_sv_vcatpvfn (see example 1) 
(sv.c:~9360). Allowing for a write value anywhere in memory exploitation 
vector (see example 2). Further, heap corruption itself is possible (see 
example 3), as are more exotic non-reliable $PC redirection (see example 
4). From what we have seen the first exploitation method is the only 
valid one. ImmunitySec has found a generic method of controlling the 
first condition with a good amount of robustness and success. Perl 
itself is not directly vulnerable to remote attacks due to this flaw, 
however any perl program with format string vulnerabilities is. The 
vulnerability is not to limited DoS (as reported previously) but remote 
code execution as well as information leakage and DoS. 
 
IMPACT.  Perl itself is not generally impacted by this vulnerability, 
but programs with format string vulnerabilities (Dyad Security has 
confirmed that several programs available at this time have this 
specific issue) can be vulnerable to remote code execution. Information 
about creating a robust generic exploit is forthcoming, so public 
knowledge of exploitation methods for this issue is in the cards. 
 
AFFECTED VERSIONS.  Perl 5.9.2 and perl 5.8.6 have been tested and found 
to be vulnerable on linux, freebsd, dragonflybsd on the ia32 platform. 
It is assumed that a much larger range of software and platforms are 
also affected, as the sv.c seems to remain seemingly static over time, 
however this is not confirmed. 
 
EXAMPLE 1.   
$ gdb myperl/bin/perl5.8.7 
GNU gdb 6.3 
Copyright 2004 Free Software Foundation, Inc. 
GDB is free software, covered by the GNU General Public License, and you are 
welcome to change it and/or distribute copies of it under certain conditions. 
Type "show copying" to see the conditions. 
There is absolutely no warranty for GDB.  Type "show warranty" for details. 
This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db 
library "/lib/tls/libthread_db.so.1". 
 
(gdb) break sv.c:9232 
Breakpoint 1 at 0x80c0df0: file sv.c, line 9232. 
(gdb) set args -e 'printf("%2147483647\$n");' 
(gdb) run 
 
Breakpoint 1, Perl_sv_vcatpvfn (sv=0x812d180, pat=0x0, patlen=0, args=0x0, 
svargs=0x8133080, 
    svmax=0, maybe_tainted=0xbffb72cb "") at sv.c:9232 
9232    in sv.c 
(gdb) p efix 
$1 = 2147483647 
(gdb) set args -e 'printf("%2147483648\$n");' 
(gdb) run 
 
Breakpoint 1, Perl_sv_vcatpvfn (sv=0x812d180, 
    pat=0x80000000 <Address 0x80000000 out of bounds>, patlen=0, args=0x0, 
svargs=0x8133080, 
    svmax=0, maybe_tainted=0xbfb0640b "") at sv.c:9232 
9232    in sv.c 
(gdb) p efix 
$2 = -2147483648 
(gdb) cont 
Modification of a read-only value attempted at -e line 1. 
 
Program exited with code 0377. 
(gdb) set args -e 'printf("%2147483649\$n");' 
(gdb) run 
 
Breakpoint 1, Perl_sv_vcatpvfn (sv=0x812d180, 
    pat=0x80000001 <Address 0x80000001 out of bounds>, patlen=0, args=0x0, 
svargs=0x8133080, 
    svmax=0, maybe_tainted=0xbfe69b9b "") at sv.c:9232 
9232    in sv.c 
(gdb) p efix 
$3 = -2147483647 
(gdb) cont 
 
Program received signal SIGSEGV, Segmentation fault. 
Perl_sv_setiv (sv=0x0, i=0) at sv.c:1652 
1652    in sv.c 
(gdb) bt 
#0  Perl_sv_setiv (sv=0x0, i=0) at sv.c:1652 
#1  0x080b6349 in Perl_sv_setuv_mg (sv=0x0, u=0) at sv.c:1743 
#2  0x080c0e06 in Perl_sv_vcatpvfn (sv=0x812d180, 
    pat=0x80000001 <Address 0x80000001 out of bounds>, patlen=0, args=0x0, 
svargs=0x8133080, 
    svmax=0, maybe_tainted=0xbfe69b9b "") at sv.c:9232 
#3  0x080e923b in Perl_do_sprintf (sv=0x812d180, len=1, sarg=0x813307c) at 
doop.c:713 
#4  0x080de48a in Perl_pp_prtf () at pp_sys.c:1489 
#5  0x080ad038 in Perl_runops_standard () at run.c:37 
#6  0x080615c7 in S_run_body (oldscope=1) at perl.c:2000 
#7  0x080613ff in perl_run (my_perl=0x812d008) at perl.c:1919 
#8  0x0805e61f in main (argc=3, argv=0xbfe69da4, env=0xbfe69db4) at 
perlmain.c:98 
(gdb) x/i $eip 
0x80b61a8 <Perl_sv_setiv+8>:    mov    0x8(%ebx),%edx 
(gdb) i r ebx edx 
ebx            0x0      0 
edx            0x812d180        135451008 
(gdb) 
 
EXAMPLE 2.   
#0  Perl_sv_setiv (sv=0x815f821, i=0) at sv.c:2184 
2184        SvIVX(sv) = i; 
(gdb) x/i $eip 
0x80c815c <Perl_sv_setiv+108>:  mov    %esi,0xc(%eax) 
 
EXAMPLE 3.   
#0  0xb7e69fb0 in malloc_consolidate () from /lib/tls/libc.so.6 
 
EXAMPLE 4.   
#0  0x09010e50 in ?? () 
 
FIXES.  Due to the information that has already been leaked we moved up 
the release date of this advisory. There is no official fix for this 
issue as of yet. We have provided a sample patch for the 5.9.2 version. 
 
See http://www.dyadsecurity.com/perl-0002.html for additional  
information and a link to the patch. 
 
SPECIAL THANKS. 
Special thanks to Dave Aitel and Bas Alberts of ImmunitySec for the 
donation of resources and leading the difficult phase of exploit 
verification research. If you wish to obtain any exploits or further 
detailed information regarding this vulnerability, please contact 
ImmunitySec. 
 
LEGAL NOTICES.   
Copyright (C) 2005 Dyad Security, Inc. 
 
Permission is granted for the redistribution of this alert 
electronically. It may not be edited in any way without the express 
written consent of Dyad Security, Inc. If you wish to reprint the whole 
or any part of this alert in any other medium other than electronically, 
please email advisoryreprint@dyadsecurity.com for permission. 
 
DISCLAIMER.   
The information in the advisory is believed to be accurate at the time 
of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There 
are no warranties with regard to this information. Neither the author 
nor the publisher accepts any liability for any direct, indirect, or 
consequential loss or damage arising from use of, or reliance on, this 
information. 
 
SEE ALSO. 
http://www.dyadsecurity.com/webmin-0001.html
Comment 2 rob holland (RETIRED) gentoo-dev 2005-12-01 01:44:52 UTC
problem confirmed, fix also confirmed.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-12-01 03:07:31 UTC
As we can expect lots of Perl writers to use constructs like syslog("Foo $bar
foo") instead of syslog("Foo %s foo",$bar), better fix that quick.
Comment 4 Michael Cummings (RETIRED) gentoo-dev 2005-12-01 04:12:25 UTC
Patched and in the tree. Tested on x86 (but I'd still like someone on the x86
team to commit this to stable when the time comes) for both perl-5.8.6 and
perl-5.8.7.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-12-01 04:38:27 UTC
Arch teams please test and mark stable asap.
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2005-12-01 06:15:47 UTC
sparc stable.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2005-12-01 06:17:55 UTC
stable on ppc64 
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-12-01 08:38:23 UTC
Looking at :
http://archives.neohapsis.com/archives/dailydave/2005-q4/0207.html

Apparently, Perl programmers should never be considered safe from format string
errors at all. So we should still issue a specific advisory for webmin, and not
sure this Perl fix is worth one, since it's only a mitigating patch that doesn't
solve all format-based issues...

Security, please comment.
Comment 9 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-12-01 10:54:04 UTC
stable  on amd64
Comment 10 Andrej Kacian (RETIRED) gentoo-dev 2005-12-01 15:00:38 UTC
perl-5.8.6-r7 stable on x86.
Comment 11 Joe Jezak (RETIRED) gentoo-dev 2005-12-02 00:57:47 UTC
Marked 5.8.6-r7 ppc stable.
Comment 12 Gisle Aas 2005-12-02 01:36:18 UTC
Your perl still have buffer overflows for these cases:

  $ /usr/bin/perl -le '$a=sprintf "%4294967295d"';
  Segmentation fault (core dumped)
  $ /usr/bin/perl -le '$a=sprintf "%#.4294967295b"';
  Segmentation fault (core dumped)

Patches for these issues found at:

  http://public.activestate.com/cgi-bin/perlbrowse?patch=26235
  http://public.activestate.com/cgi-bin/perlbrowse?patch=26237
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-12-02 01:42:28 UTC
Thanks for warning us.
Back to ebuild stage, waiting for Perl team to comment/apply new patches.
Comment 14 Gisle Aas 2005-12-02 04:22:32 UTC
BTW, this is the core perl patch that has been applied to fix the %NNN$n wrap 
issue: 
  
   http://public.activestate.com/cgi-bin/perlbrowse?patch=26240 
 
You might want to use that patch instead of the perl-exp_intwrap.patch you 
applied. 
Comment 15 Michael Cummings (RETIRED) gentoo-dev 2005-12-06 09:16:54 UTC
patch updated, tests no longer seg fault. perl bumped (again), but it is the
same patch name, just bigger :)
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2005-12-06 09:57:00 UTC
Arches please test and mark stable. 
Comment 17 Markus Rothe (RETIRED) gentoo-dev 2005-12-06 11:31:46 UTC
stable on ppc64 (again) 
Comment 18 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-12-06 12:33:26 UTC
Stable on amd64. 
Comment 19 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-06 13:42:40 UTC
Stable on ppc and hppa.
Comment 20 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-12-06 17:08:00 UTC
Stable on alpha
Comment 21 Mark Loeser (RETIRED) gentoo-dev 2005-12-06 20:13:37 UTC
perl-5.8.6-r8 stable on x86
Comment 22 Jason Wever (RETIRED) gentoo-dev 2005-12-06 20:25:30 UTC
And on the 7th day there was SPARC, and it was good.
Comment 23 Sune Kloppenborg Jeppesen gentoo-dev 2005-12-07 12:21:03 UTC
GLSA 200512-01  
  
arm, ia64, mips, sh, s390 don't forget to mark stable to benifit from the 
GLSA. 
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2005-12-15 08:15:44 UTC
FYI:

=======================
We're released patches to Perls 5.8.0-5.8.7 that address a buffer overflow in
Perl's sprintf().

http://www.perlfoundation.org/news/2005/sprintf_patch_released.html

See also
http://www.perlfoundation.org/news/2005/webmin_flaw_alleviated.html
for a related fix where we stop Webmin from calling syslog() incorrectly.

Andy Lester
Perl Foundation PR guy
=========================

I guess we are covered.
Comment 25 Joshua Kinard gentoo-dev 2005-12-24 17:32:27 UTC
5.8.6-r8 && 5.8.7-r3 both stable on mips.