exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Perl Null Pointer Dereference

Perl Null Pointer Dereference
Posted May 9, 2011
Authored by Jonathan Brossard

When given a wrong number of arguments, a number of perl functions will attempt to read memory from an unmapped location, resulting in a deterministic crash.

tags | advisory, perl
advisories | CVE-2011-0761
SHA-256 | b72775fe46f3e69183620de7109ecf5ba3fd1540d7eb6d3c5323b82bb1325925

Perl Null Pointer Dereference

Change Mirror Download
---------------------------------------------------------------------------
* Perl : multiple functions null pointer dereference *
* uppon parameters injection *
---------------------------------------------------------------------------




--[ Vulnerability Summary:

Date Published: 03/05/2011
Last Update: 03/05/2011
Advisory ID: TSSA-2011-03
CVE Name: CVE-2011-0761
Title: Perl : multiple functions null pointer dereference
Remotely Exploitable: Yes
Locally Exploitable: No
Impact: Remote DoS
Advisory URL: http://www.toucan-system.com/advisories/tssa-2011-03.txt



--[ Introduction:

Following 3 paragraphs taken from the vendors' documentation:

Xpdf is an open source viewer for Portable Document Format (PDF)
files. (These are also sometimes also called 'Acrobat' files, from
the name of Adobe's PDF software.) The Xpdf project also includes a
PDF text extractor, PDF-to-PostScript converter, and various other
utilities.

Xpdf runs under the X Window System on UNIX, VMS, and OS/2. The non-X
components (pdftops, pdftotext, etc.) also run on Win32 systems and
should run on pretty much any system with a decent C++ compiler.

Xpdf is designed to be small and efficient. It can use Type 1 or
TrueType fonts.


--[ Synopsis:

When given a wrong number of arguments, a number of perl functions
will attempt to read memory from an unmapped location, resulting
in a deterministic crash.

--[ Vulnerability overview:

The perl functions vulnerable to this attack are:

getpeername()
readdir()
closedir()
getsockname()
readdir()
rewinddir()
tell()
telldir()

When given a wrong number of arguments, those functions will
attempt to perform a comparison between an unalocated memory
zone and a given register, resulting in a segmentation fault:

jonathan@blackbox:~/test$ cat poc1.pl
#!/usr/bin/perl
$a =
getsockname(9505,4590,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA",17792);
jonathan@blackbox:~/test$ perl poc1.pl
Segmentation fault (core dumped)
jonathan@blackbox:~/test$

More precisely, the Perl_gv_IOadd() function is invoqued and
attempts to perform a comparison:

gdb $ r ./poc1.pl
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
---------------------------------------------------------------[regs]
eax:08178008 ebx:00000000 ecx:080C53B0 edx:000000F4 eflags:00210282
esi:00000000 edi:0817D554 esp:BFFFF640 ebp:BFFFF658 eip:08082B42
cs:0073 ds:007B es:007B fs:0000 gs:0033 ss:007B o d I t S z a p c
[0073:08082B42]------------------------------------------------[code]
--[ Instruction:
=> 0x8082b42 <Perl_gv_IOadd+18>: cmp BYTE PTR [ebx+0x8],0x9

The register ebx being null, the application actually tries to
read from the (unmapped) first page, resulting in a null
pointer dereference, and eventually a crash.


--[ Impact:

Perl not being a compiled language, injection of wrong number of
parameters is technically possible (in very much the same way as
say, sql injections).

It is in any case not possible to execute code directly using this
vulnerability as null pointers dereferences in the first page are not
exploitable under modern OSes.

But, if a given third party perl web application was calling one
of the above listed vulnerable functions in a way allowing
parameter injections, while performing a critical operation
requiring some degree of atomicity, it would be possible to
interrupt the execution of this operation before it completes,
hence breaking the business logic assumptions of the web
applications designers.

Wether this vulnerability actually allows to steal millions from
widespread perl web applications has not been investigated and
won't be dulled about.


--[ Vulnerable versions:

Vulnerable : Perl version 5.10.x.

In particular, versions 5.10.1 of perl as shipped with ubuntu
10.04 and 10.10 as well as version 5.10.0 provided with OSX
10.6 are known to be vulnerable.

Non vulnerable : Perl version <= 5.10.0 OR >= 5.12.0.


--[ Disclosure timeline:

* 05/01/2011: Toucan System contacts the CERT, providing full
description and PoC samples to audit the issue.

* 10/02/2011: The CERT is able to replicate the bug under both
ubuntu 10.04 and ubuntu 10.10, and therefor forwards the PoCs
to the perl team.

* 11/02/2011: The Perl Team acknowledge the vulnerability and starts
investigating which exact versions are vulnerable.

* 11/02/2011: The CERT assigns CVE-2011-0761 to this vulnerability.

* 15/02/2011: The Perl Team notifies us that stable version 5.12.0
is not vulnerable to this bug.

* 18/04/2011: Public disclosure.


--[ Credits:

Those vulnerabilities were discovered by Jonathan Brossard from
Toucan System.


--[ About Toucan System:

Toucan System is a French computer security company providing
cutting edge research and security consulting to Fortune 500
as well as smaller companies globally, thanks to a wide range
of expertise ranging from Reverse Engineering and binary
analysis to cryptography and Risk Management.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close