File-Find-Object Format String Vulnerability

Summary

File::Find::Object is ‘an object-oriented and iterative replacement for File::Find. I.e: it is a module for traversing a directory tree, and finding all the files contained within it programmatically’. A format string vulnerability in File-Find-Object allows local attackers to cause the program to execute arbitrary code by causing the product to enter a loop, where it tries to print the looping directory without a fixed format string.

Credit:

‘The information has been provided by Shlomi Fish.’


Details

Vulnerable Systems:
 * File-Find-Object version 0.1.0

Immune Systems:
 * File-Find-Object version 0.1.1

The offending code in F-F-O-0.1.0 was this:

    if ($rc) {
        # The directory name returned by ->dir() is concatenated into the
        # format argument of printf, not passed as a value to be formatted.
        printf(STDERR "Avoid loop " . $self->_father($ptr)->dir() . " -> %s\n",
            $self->_current_path($current));
        return 0;
    }

As one can see, $self->_father($ptr)->dir() is included directly in the printf format, which may cause a lot of unexpected behavior. There was a Perl sprintf vulnerability a while ago, in which the Perl interpreter mis-handled some badly formatted sprintf values, and in general letting user input go directly into the printf format field is not a good idea.

The value of ->dir() is a directory name encountered in the directory tree that File-Find-Object traverses.
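The following is an added example, not code from File::Find::Object or from the advisory author; it places the vulnerable pattern (data concatenated into the printf format) beside the hardened pattern (a fixed format literal with the data passed as arguments) so the difference in behaviour can be seen on a constructed directory name. The directory name, the path, and the two helper subroutines are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input: a directory name that happens to contain printf
# directives. In File::Find::Object this value would come from the
# directory tree being traversed, i.e. from whoever can create directories.
my $dir  = 'loop %s %s %x';
my $path = '/tmp/example/loop';   # assumed value for _current_path()

# Vulnerable pattern (mirrors the 0.1.0 code shape): the directory name is
# spliced into the FORMAT string, so every '%' in it is parsed as a
# directive. The extra directives consume or miss arguments and the
# message no longer says what the programmer intended.
sub report_loop_unsafe {
    my ($dir, $path) = @_;
    return sprintf("Avoid loop " . $dir . " -> %s\n", $path);
}

# Hardened pattern: the format is a literal the programmer controls, and
# the untrusted directory name is only ever an argument, where it is
# printed verbatim and never interpreted.
sub report_loop_safe {
    my ($dir, $path) = @_;
    return sprintf("Avoid loop %s -> %s\n", $dir, $path);
}

# Collect the warnings Perl raises for the unsafe call so they are visible
# next to the mangled output instead of interleaved on STDERR.
my @warnings;
local $SIG{__WARN__} = sub { push @warnings, $_[0] };

my $unsafe = report_loop_unsafe($dir, $path);
my $safe   = report_loop_safe($dir, $path);

print "unsafe: $unsafe";
print "  warning: $_" for @warnings;
print "safe:   $safe";
```

Running this under `use warnings` shows the unsafe variant emitting "Missing argument in sprintf" warnings and placing the path in the wrong position, while the safe variant prints the directory name exactly as given. The detection rule for code review follows directly: any `printf`/`sprintf` whose first argument is built by concatenation or interpolation of non-literal data is suspect, regardless of whether the data is believed to be benign.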

Categories: UNIX