9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
72.9%
There exists an integer overflow in Perl_my_setenv @ util.c : 2070
2070: void Perl_my_setenv(pTHX_ const char *nam, const char val) {
…
2166: const int nlen = strlen(nam);
…
2171: vlen = strlen(val);
2172: new_env = (char)safesysmalloc((nlen + vlen + 2) * sizeof(char));
Here in a 64 bit version of Perl, since the arguments nam
and val
are user controlled, the 32 bit integers nlen
and vlen
are also under the control of the attacker. Therefore, if nam
and val
are two very long strings (for example, 2147483647 bytes long), the addition at line 2172 would result in an integer overflow.
The new_env
would therefore be a chunk of a size which is smaller than the sum of the lengths of the two input strings.
This new_env
is subsequently used in a call to memcpy
to copy nlen
bytes from nam
followed by vlen
bytes from val
.
This results in a buffer overflow on the heap with attacker controlled input.
Please find attached a PoC which demonstrates the buffer overflow. Please note that the attached PoC consumes large amounts of memory and results in a segmentation fault on a 64 bit Ubuntu 16.04 system running a 64 bit version of perl.
This segmentation fault occurs due to the fact that the memcpy
tries to write outside the initial heap boundary.
This vulnerability has been recognised as a serious security issue and has been assigned the identifier CVE-2018-18311 by the developers.
Memory corruption with attacker controlled input which can lead to arbitrary code execution
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
72.9%