CVE-2012-5377 in ActivePerl
Summary
by MITRE
Untrusted search path vulnerability in the installation functionality in ActivePerl 5.16.1.1601, when installed in the top-level C:\ directory, allows local users to gain privileges via a Trojan horse DLL in the C:\Perl\Site\bin directory, which is added to the PATH system environment variable, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview.
Analysis
by VulDB Data Team • 08/16/2025
The vulnerability described in CVE-2012-5377 represents a classic untrusted search path issue that exploits the trust relationship between system components and their expected library locations. This flaw exists within ActivePerl 5.16.1.1601 installation functionality when deployed in the top-level C:\ directory, creating a dangerous privilege escalation vector for local attackers. The vulnerability stems from the installation process adding the C:\Perl\Site\bin directory to the system PATH environment variable without proper validation or sanitization of the directory contents, allowing malicious actors to place Trojan horse DLLs in this location.
The technical implementation of this vulnerability leverages the Windows DLL loading mechanism where the system searches for required libraries in the order specified by the PATH variable. When ActivePerl installs in the root directory, it adds a path that gets prioritized in the search order, making it susceptible to manipulation. The specific demonstration involves a Trojan horse wlbsctrl.dll file that mimics a legitimate system component used by the "IKE and AuthIP IPsec Keying Modules" system service, which runs with elevated privileges in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview environments. This particular DLL name and service relationship creates a perfect storm for privilege escalation since the legitimate system service expects to find this specific DLL in its expected location.
The operational impact of this vulnerability is significant as it allows local users to escalate their privileges to the SYSTEM level through a relatively simple attack vector. The attacker needs only to place a malicious DLL in the C:\Perl\Site\bin directory, which will be loaded automatically by the system service that expects the legitimate wlbsctrl.dll file. This vulnerability aligns with CWE-427 Uncontrolled Search Path Element, which specifically addresses the issue of applications searching for libraries in untrusted directories. The attack demonstrates how poor installation practices combined with inadequate PATH validation can create persistent privilege escalation opportunities that remain undetected for extended periods.
Mitigation strategies for this vulnerability should focus on proper installation path management and PATH environment variable sanitization. System administrators should avoid installing software in the root directory and instead use dedicated installation directories with proper access controls. The PATH environment variable should be carefully managed to prevent the addition of directories containing untrusted code, particularly those that might be writable by non-privileged users. This vulnerability also highlights the importance of implementing least privilege principles and regular security audits of system PATH configurations. Organizations should consider implementing application whitelisting solutions that prevent execution of unauthorized DLLs and regularly monitor for suspicious PATH modifications. The ATT&CK framework categorizes this as privilege escalation through DLL hijacking, which is a well-documented technique that requires proper system hardening to prevent exploitation. This vulnerability underscores the critical need for secure coding practices and installation procedures that minimize the attack surface available to local adversaries.