Fwd: [Full-disclosure] TSSA-2011-03 - Perl : multiple functions null pointer dereference uppon parameters injection

Nicholas Clark nick at ccl4.org
Mon May 9 20:01:42 BST 2011


On Mon, May 09, 2011 at 12:01:32PM +0100, Jacqui Caren-home
quoted the full disclosure list, which in turn wrote:

>       getpeername()
>       readdir()
>       closedir()
>       getsockname()
>       readdir()
>       rewinddir()
>       tell()
>       telldir()
> 
>     When given a wrong number of arguments, those functions will
>     attempt to perform a comparison between an unallocated memory
>     zone and a given register, resulting in a segmentation fault:

That's not strictly true. It's the wrong *sort* of argument, specifically
(IIRC) any string that ends up being used as a file handle (in one of the
above only - the builtins that autovivify file handles aren't affected)


>     But, if a given third party perl web application was calling one
>     of the above listed vulnerable functions in a way allowing
>     parameter injections, while performing a critical operation
>     requiring some degree of atomicity, it would be possible to
>     interrupt the execution of this operation before it completes,
>     hence breaking the business logic assumptions of the web
>     application designers.
> 
>     Whether this vulnerability actually allows one to steal millions from
>     widespread perl web applications has not been investigated and
>     won't be dulled about.

I'd be amused by the amount of speculation here, if I hadn't wasted enough
time on this already.

Yes, muppets can and sadly do write turds in any language, including Perl.
Yes, this is a bug in Perl. You have to be doing something pretty stupid to
hit it. No, it wasn't in 5.8.x. Yes, it's been fixed in 5.12. It won't
happen again (in anything like the same way, at least) (because we know who
dunnit and we won't be letting them do it again).

The sky is not falling. (even if people want to make a name for themselves by
talking up a NULL pointer dereference D.O.S. bug as a potential remote breach)

(that's not Jacqui - that's the tenacious researcher in question who *has*
found a bug, but would like it to be more serious than it is)


Nicholas Clark
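The pattern the advisory gestures at, as an added example that is not part of the thread or of the Perl source: a handler lets a request parameter choose which filehandle to call tell() on, via a symbolic reference, beside a hardened version that resolves the name through an explicit allow-list of lexical handles and checks with Scalar::Util::openhandle before calling tell(). The names unsafe_tell, safe_tell, %HANDLES and the in-memory sample files are this example's own. Nicholas's point above is that only a string that ends up being used as a handle reaches the bug; on current perls the same call merely warns and returns -1, but the untrusted caller still gets to name any global handle, which is the part worth closing.

```perl
#!/usr/bin/perl
# Added example (not from the mailing-list thread or from perl itself).
# Shows a user-chosen filehandle name fed to tell() as a symbolic reference,
# and a hardened replacement.  All names and sample data are this example's own.
use strict;
use warnings;
use Scalar::Util qw(openhandle);

# Constructed sample data: two in-memory files standing in for real ones.
my $log_data = "line one\nline two\n";
my $cfg_data = "key=value\n";

# A global (bareword) handle reachable by name, as old CGI code often has,
# plus lexical handles for the hardened version.
open(LOG, '<', \$log_data)      or die "open LOG: $!";
open(my $log, '<', \$log_data)  or die "open \$log: $!";
open(my $cfg, '<', \$cfg_data)  or die "open \$cfg: $!";
scalar <LOG>;     # read one line so tell() is non-zero (9 bytes)
scalar <$log>;    # same on the lexical copy

# Vulnerable pattern: whatever string the request carries ("LOG", "STDIN",
# "main::anything") is turned into a glob and handed to tell().  A string that
# names no open handle is exactly the "wrong sort of argument" the message
# describes; on the 5.10 builds it discusses that was a NULL-pointer crash,
# on current perls tell() warns "on unopened filehandle" and returns -1.
sub unsafe_tell {
    my ($param) = @_;            # e.g. $q->param('handle') in a CGI script
    no strict 'refs';            # required for the string-as-handle lookup
    no warnings 'unopened';      # hide the warning so the return value shows
    return tell($param);
}

# Hardened pattern: the client supplies a key, never a handle name.  Unknown
# keys are rejected before any builtin sees them, and the handle is verified
# as open before use.  No symbolic references are involved at all.
my %HANDLES = (
    log => $log,
    cfg => $cfg,
);

sub safe_tell {
    my ($param) = @_;
    return undef unless defined $param && exists $HANDLES{$param};
    my $fh = openhandle($HANDLES{$param}) or return undef;
    return tell($fh);
}

# Demonstration when run directly.
if (!caller) {
    printf "unsafe_tell('LOG')  = %d\n",  unsafe_tell('LOG');   # 9
    printf "unsafe_tell('NOPE') = %d\n",  unsafe_tell('NOPE');  # -1, glob autovivified
    printf "safe_tell('log')    = %d\n",  safe_tell('log');     # 9
    printf "safe_tell('cfg')    = %d\n",  safe_tell('cfg');     # 0
    printf "safe_tell('NOPE')   = %s\n",  defined safe_tell('NOPE') ? 'defined' : 'undef';
    printf "safe_tell('LOG')    = %s\n",  defined safe_tell('LOG')  ? 'defined' : 'undef';
}
```

The allow-list is the real fix: once the parameter can only select among handles the program opened itself, neither the 5.10 crash nor the "interrupt a critical operation" scenario the advisory speculates about has a way in, whatever the perl version. openhandle() is a second, cheap check that the chosen handle is still open at call time.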


More information about the london.pm mailing list