Vigil@nce - Perl: out-of-bounds memory reading via VDir-MapPath
June 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force a read at an invalid address in
VDir::MapPath of Perl, in order to trigger a denial of service, or
to obtain sensitive information.
– Impacted products: Perl Core.
– Severity: 2/4.
– Creation date: 12/04/2016.
DESCRIPTION OF THE VULNERABILITY
The Perl product uses the VDir::MapPathA() and VDir::MapPathW()
methods to process Windows paths (such as "c:\windows").
The ':' character is detected at the second position. However, if
the first position contains a character outside the a-z range,
such as '!', the offset that is used is too large, and these functions
try to read a memory area located outside the expected range, which
triggers a fatal error, or leads to the disclosure of a memory
fragment.
An attacker can therefore force a read at an invalid address in
VDir::MapPath of Perl, in order to trigger a denial of service, or
to obtain sensitive information.
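The validation gap described above, as an added C example (a simplified model written for this note, not Perl's VDir source): it computes a per-drive table index with and without a check on the first character, and only the checked index is ever used to read the table. The names drive_cwd, unchecked_drive_index, checked_drive_index and lookup_cwd, and the table contents, are assumptions.

```c
#include <ctype.h>
#include <stdio.h>

#define DRIVE_COUNT 26
#define NO_DRIVE   (-1)

/* Constructed sample data: per-drive current directory, slot 0 = A: */
static const char *drive_cwd[DRIVE_COUNT] = { [2] = "C:\\work" };

/* Flawed pattern as the bulletin describes it: ':' at the second position
 * is checked, the first character is not. Returns the index only, so the
 * bad value can be inspected without performing the invalid read. */
int unchecked_drive_index(const char *path)
{
    if (path[0] == '\0' || path[1] != ':')
        return NO_DRIVE;
    return toupper((unsigned char)path[0]) - 'A';
}

/* Hardened: reject anything that is not an ASCII letter before indexing. */
int checked_drive_index(const char *path)
{
    unsigned char c = (unsigned char)path[0];
    if (c == '\0' || path[1] != ':')
        return NO_DRIVE;
    if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')))
        return NO_DRIVE;
    return (c | 0x20) - 'a';
}

/* Table lookup that only ever sees a validated index. */
const char *lookup_cwd(const char *path)
{
    int i = checked_drive_index(path);
    return i == NO_DRIVE ? NULL : drive_cwd[i];
}

int main(void)
{
    const char *samples[] = { "c:\\windows", "!:\\windows" };
    for (size_t k = 0; k < 2; k++)
        printf("%-12s unchecked=%d checked=%d\n", samples[k],
               unchecked_drive_index(samples[k]), checked_drive_index(samples[k]));
    return 0;
}
```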
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Perl-out-of-bounds-memory-reading-via-VDir-MapPath-19351