CVE-2016-1238 in Perlinfo

Summary

by MITRE

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 09/09/2022

This vulnerability exists in multiple Perl utility scripts and modules where the software fails to properly sanitize directory paths by removing trailing period characters from include directories. The flaw affects a wide range of Perl distribution tools including Archive-Tar utilities, CPAN scripts, Encode binaries, and various core Perl utilities. When these tools process modules or files, they maintain an include directory array that should be sanitized to prevent path traversal attacks. However, the failure to strip trailing periods from directory paths creates a security gap that malicious actors can exploit.

The technical implementation of this vulnerability stems from improper input validation within Perl's module loading mechanisms. When Perl processes modules from the current working directory, it incorporates directory paths into its include search array without adequately sanitizing these paths. The period character at the end of directory paths can be interpreted as a special reference to the current directory, allowing attackers to manipulate the module loading process. This creates a privilege escalation vector because the system may load malicious modules from the current working directory instead of the intended locations, effectively enabling a Trojan horse attack where attacker-controlled code gets executed with elevated privileges.

The operational impact of this vulnerability is significant for systems running affected Perl versions. Local users can leverage this weakness to execute arbitrary code with the privileges of the Perl process, which typically runs with the same permissions as the user who invoked the vulnerable script. This could lead to complete system compromise if the vulnerable Perl utilities are executed with elevated privileges. The attack requires local access but can be particularly dangerous in environments where users have access to system utilities or where Perl scripts are executed in contexts with elevated permissions. The vulnerability affects both the 5.22.x series before 5.22.3-RC2 and the 5.24.x series before 5.24.1-RC2, representing a substantial portion of Perl installations.

Security mitigations for this vulnerability include upgrading to Perl versions 5.22.3-RC2 or later, or 5.24.1-RC2 or later, where the sanitization issue has been addressed. System administrators should also implement proper access controls to limit local user access to these vulnerable utilities, particularly in multi-user environments. Additional protective measures include ensuring that Perl utilities are not executed with elevated privileges when possible, and implementing proper file system permissions to prevent unauthorized modification of the current working directory. The vulnerability aligns with CWE-22 Path Traversal and CWE-78 Improper Neutralization of Special Elements used in OS Command Injection, and can be mapped to ATT&CK technique T1059 Command and Scripting Interpreter for privilege escalation scenarios. Organizations should also consider implementing application whitelisting policies that restrict execution of potentially vulnerable Perl scripts in critical system environments.

Reservation

12/27/2015

Disclosure

08/02/2016

Moderation

accepted

Entry

VDB-90365

CPE

ready

EPSS

0.00779

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!