CVE-2014-1604 in RPLY
Summary
by MITRE
The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name.
Analysis
by VulDB Data Team • 02/01/2022
The vulnerability identified as CVE-2014-1604 resides in the parser cache mechanism of RPLY, a Python parser-generator library. It affects versions before 0.7.1 and is a significant security flaw that local attackers can exploit to manipulate parser behavior through cache poisoning. The flaw lies specifically in the temporary file handling of the parsergenerator.py module, where cache data is stored and retrieved during parser operations.
The technical flaw stems from the predictable naming convention RPLY uses for temporary cache files. When parser caching is enabled, the library creates temporary files named rply-*.json, where the asterisk stands for a predictable identifier. A local attacker can exploit this predictability by pre-creating such a file with malicious content before the legitimate parser process attempts to use it. The pre-created file is then accepted as a genuine cache entry, letting the attacker inject arbitrary data into the parser cache and potentially influence parser behavior or execution flow.
This vulnerability has significant operational impact in software development and deployment environments where RPLY is used for parsing. The cache poisoning attack can lead to security consequences including arbitrary code execution, data corruption, or manipulation of parsing results that affect downstream applications. Because the issue is local, any user with access to the system can potentially exploit it, which makes it particularly dangerous in multi-user environments or when the affected application runs with elevated privileges. The attack vector is relatively simple and requires neither network access nor complex exploitation techniques, so it is accessible to a broad range of threat actors.
The vulnerability aligns with CWE-352 (Cross-Site Request Forgery) and CWE-22 (Path Traversal) categories, representing a form of cache poisoning that exploits predictable temporary file names to manipulate application state. From an ATT&CK perspective, this vulnerability maps to T1059.001 (Command and Scripting Interpreter: Python) and T1566 (Phishing) as it can be leveraged in broader attack chains where local privilege escalation leads to further system compromise. The vulnerability also demonstrates characteristics of T1499.004 (Network Denial of Service) when considering potential DoS scenarios that could arise from corrupted parser cache data.
Mitigation for CVE-2014-1604 consists of upgrading to RPLY version 0.7.1 or later, which implements proper temporary file handling with unpredictable naming and secure file creation. Organizations should also apply file system permissions and access controls that limit the ability of local users to create files in directories where RPLY cache files may be stored. System administrators should additionally monitor for unusual temporary file creation patterns and implement controls that prevent unauthorized file manipulation in application runtime environments. The fix typically involves secure temporary file creation methods such as os.tmpfile() or similar atomic operations that avoid predictable names and ensure proper file isolation during parser cache operations.
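The two defensive ideas from the paragraphs above (refusing a cache file that was not created by the current user with a private mode, and writing the cache through an unpredictably named temporary file in a per-user directory) can be combined as follows. This is an added example, not RPLY's own code or its 0.7.1 fix; the directory name `example-cache-<uid>`, the file names and the `lr_table` payload are constructed for illustration.

```python
import json
import os
import stat
import tempfile

def user_cache_dir(base=None):
    """Return a per-user cache directory that only its owner can write."""
    base = base or tempfile.gettempdir()
    path = os.path.join(base, "example-cache-%d" % os.getuid())
    os.makedirs(path, mode=0o700, exist_ok=True)
    st = os.lstat(path)  # the directory may have pre-existed: verify it
    if (not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid()
            or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)):
        raise RuntimeError("untrusted cache directory: %s" % path)
    return path

def load_cache(path):
    """Return the JSON cache only if the file is provably ours, else None."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse symlinks
    except OSError:
        return None
    with os.fdopen(fd) as f:
        st = os.fstat(f.fileno())  # check the fd we read from: no TOCTOU gap
        if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid()
                or stat.S_IMODE(st.st_mode) != 0o600):
            return None  # pre-created by another user or loosened: ignore it
        return json.load(f)

def store_cache(path, data):
    """Write the cache atomically via an unpredictable temp name."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), suffix=".json")
    with os.fdopen(fd, "w") as f:  # mkstemp opens O_EXCL with mode 0600
        json.dump(data, f)
    os.replace(tmp, path)  # atomic rename: never a partially written cache

def demo(base=None):
    """Round-trip a cache entry and show a spoofed file being rejected."""
    d = user_cache_dir(base or tempfile.mkdtemp())
    good = os.path.join(d, "parser-cache.json")
    store_cache(good, {"lr_table": [[0, 1], [2, 3]]})
    # Constructed stand-in for a pre-created, world-writable cache file.
    spoof = os.path.join(d, "rply-predictable.json")
    with open(spoof, "w") as f:
        json.dump({"lr_table": "poisoned"}, f)
    os.chmod(spoof, 0o666)
    return load_cache(good), load_cache(spoof)
```

`demo()` returns the legitimately written entry and `None` for the spoofed file, because its mode is not the private 0600 that `store_cache` produces.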