CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.024 Low
Percentile: 88.3%

An attacker supplies a regular expression containing one or more \xDF characters after an escape that puts the regexp into Unicode matching mode, such as a \N{} escape. Each \xDF character adds one byte of overflow, and any other text in the regular expression is written in order, giving the attacker control over the bytes written to the overflowed region.
On 31 Jan 2018, Perl developer TonyC said in an email to the Perl security mailing list that, depending on the heap implementation, it may be possible to perform a nastier exploit: an attacker has almost complete control over the bytes written.
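The one-byte-per-\xDF arithmetic described above can be reproduced with a simplified two-pass model. This is an added example, not Perl's regcomp.c. It assumes a sizing pass that counts one byte per pattern byte and an emit pass that writes the two-byte case fold "ss" for \xDF; all function names are hypothetical, and the emit pass carries the bounds check that turns the overflow into a clean failure.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pass 1 as modelled here (assumption): one output byte per pattern byte. */
static size_t size_naive(const unsigned char *pat, size_t len) {
    (void)pat;
    return len;
}

/* Corrected sizing: 0xDF folds to "ss", so it needs two output bytes. */
static size_t size_folded(const unsigned char *pat, size_t len) {
    size_t need = len;
    for (size_t i = 0; i < len; i++)
        if (pat[i] == 0xDF) need++;
    return need;
}

/* Pass 2 with a bounds check: writes the folded pattern into dst and
 * returns the byte count, or -1 instead of writing past cap. */
static long emit_folded(unsigned char *dst, size_t cap,
                        const unsigned char *pat, size_t len) {
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        size_t n = (pat[i] == 0xDF) ? 2 : 1;
        if (n > cap - out) return -1;      /* would overflow: refuse */
        if (n == 2) { dst[out++] = 's'; dst[out++] = 's'; }
        else        dst[out++] = pat[i];
    }
    return (long)out;
}

/* Bytes an unchecked emit would write past a naively sized buffer. */
static size_t overflow_bytes(const unsigned char *pat, size_t len) {
    return size_folded(pat, len) - size_naive(pat, len);
}

int main(void) {
    const unsigned char pat[] = { 'a', 0xDF, 'b', 0xDF, 0xDF }; /* constructed sample */
    unsigned char buf[16];
    size_t len = sizeof pat;
    printf("naive=%zu needed=%zu overflow=%zu\n", size_naive(pat, len),
           size_folded(pat, len), overflow_bytes(pat, len));
    printf("emit into naive-sized buffer: %ld\n",
           emit_folded(buf, size_naive(pat, len), pat, len));
    printf("emit into correctly sized buffer: %ld\n",
           emit_folded(buf, size_folded(pat, len), pat, len));
    return 0;
}
```
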
==28186==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000ac58 at pc 0x000000846c2d bp 0x7ffe716bc7f0 sp 0x7ffe716bc7e0
WRITE of size 1 at 0x60700000ac58 thread T0
#0 0x846c2c in S_regatom /root/perl/regcomp.c:13652
#1 0x8587f6 in S_regpiece /root/perl/regcomp.c:11708
#2 0x8587f6 in S_regbranch /root/perl/regcomp.c:11633
#3 0x88830a in S_reg /root/perl/regcomp.c:11371
#4 0x8c90dc in Perl_re_op_compile /root/perl/regcomp.c:7363
#5 0x5297d0 in Perl_pmruntime /root/perl/op.c:5888
#6 0x74d853 in Perl_yyparse /root/perl/perly.y:1210
#7 0x58b9b8 in S_parse_body /root/perl/perl.c:2450
#8 0x593622 in perl_parse /root/perl/perl.c:1753
#9 0x42eb7d in main /root/perl/perlmain.c:121
#10 0x7fba4cebe82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x42fe18 in _start (/root/perl/perl+0x42fe18)
0x60700000ac58 is located 0 bytes to the right of 72-byte region [0x60700000ac10,0x60700000ac58)
allocated by thread T0 here:
#0 0x7fba4dc62602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x92dfd4 in Perl_safesysmalloc /root/perl/util.c:153
#2 0x8c6cbe in Perl_re_op_compile /root/perl/regcomp.c:7209
#3 0x5297d0 in Perl_pmruntime /root/perl/op.c:5888
#4 0x74d853 in Perl_yyparse /root/perl/perly.y:1210
#5 0x58b9b8 in S_parse_body /root/perl/perl.c:2450
#6 0x593622 in perl_parse /root/perl/perl.c:1753
#7 0x42eb7d in main /root/perl/perlmain.c:121
#8 0x7fba4cebe82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/regcomp.c:13652 S_regatom
Depending on the heap implementation a remote attacker could have complete control over the bytes written to memory.