[UNIX] File-Find-Object Format String Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 27 Oct 2008 17:58:36 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
File-Find-Object Format String Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://search.cpan.org/src/SHLOMIF/> File::Find::Object is "an
object-oriented and iterative replacement for File::Find. I.e: it is a
module for traversing a directory tree, and finding all the files
contained within it programmatically". A format string vulnerability in
File-Find-Object allows local attackers to cause the program to execute
arbitrary code by causing the product to go into a loop, where it will try
to print out the looping directory by placing its name in the printf
format instead of passing it as an argument to a format string.
DETAILS
Vulnerable Systems:
* File-Find-Object version 0.1.0
Immune Systems:
* File-Find-Object version 0.1.1
The offending code in F-F-O-0.1.0 was this:
{{{{{{{{
if ($rc) {
    printf(STDERR "Avoid loop " . $self->_father($ptr)->dir() . " -> %s\n",
        $self->_current_path($current));
    return 0;
}
}}}}}}}}
As one can see, $self->_father($ptr)->dir() is concatenated directly into
the printf format, which may cause a lot of unexpected behavior. There was
a Perl sprintf vulnerability a while ago, in which the Perl interpreter
mishandled some badly formatted sprintf values, and in general, letting
user input go directly into the printf format field is not a good idea.
The value returned by ->dir() is a directory encountered in the directory
tree that File-Find-Object traverses, so its contents are not under the
program's control.
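The unsafe pattern above next to a constant-format version, as an added
example that is not part of the original advisory or the module's code.
The sample directory name and path are constructed, the function names
report_unsafe and report_safe are hypothetical, and the constant-format
call is one way to avoid the problem, not a copy of the 0.1.1 change.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample values: a directory name that anyone able to create
# directories in the traversed tree could choose, and the path being visited.
my $sample_dir  = 'loop_%s_%5d';
my $sample_path = '/tmp/tree/loop_%s_%5d/link';

# Pattern from the advisory: the directory name becomes part of the format,
# so any printf directives in the name are interpreted.
sub report_unsafe {
    my ($dir, $path) = @_;
    return sprintf("Avoid loop " . $dir . " -> %s\n", $path);
}

# Constant format string; both values are passed as arguments only.
sub report_safe {
    my ($dir, $path) = @_;
    return sprintf("Avoid loop %s -> %s\n", $dir, $path);
}

# Collect warnings so the effect of the stray directives is visible.
my @warnings;
local $SIG{__WARN__} = sub { push @warnings, $_[0] };

my $unsafe = report_unsafe($sample_dir, $sample_path);
my $safe   = report_safe($sample_dir, $sample_path);

print "unsafe: $unsafe";
print "safe:   $safe";
print "warnings collected: ", scalar(@warnings), "\n";
print "  $_" for @warnings;

# The safe form must reproduce the directory name byte for byte.
die "safe form altered the directory name\n"
    unless index($safe, $sample_dir) >= 0;
```

In the unsafe output the directives inside the directory name consume the
path argument and then run out of arguments; in the safe output the name is
printed literally.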
ADDITIONAL INFORMATION
The information has been provided by <mailto:shlomif@xxxxxxxxxxx> Shlomi
Fish.