Vigil@nce - Perl: inconsistency of environment variables
May 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create an environment with duplicates, in order to
bypass the Taint Mechanism of Perl.
Impacted products: Debian, Fedora, openSUSE, Perl Core, Ubuntu.
Severity: 2/4.
Creation date: 01/03/2016.
DESCRIPTION OF THE VULNERABILITY
The Perl language can access environment variables in two ways:
$ENV{"VAR"}
getenv("VAR")
However, if the same variable is present several times in the
environment:
– %ENV returns the last one
– getenv() returns the first one
The Taint feature of Perl, which marks untrusted data, is applied
to the values of %ENV. So, if a program uses getenv(), it obtains
the first value, which is not tainted.
An attacker can therefore create an environment with duplicates,
in order to bypass the Taint Mechanism of Perl.
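A defensive check for the condition described above, added here as an example and not part of the bulletin or of Perl itself: on Linux, /proc/self/environ still holds every "NAME=value" entry the process was started with (whereas %ENV has already collapsed duplicates), so a script can detect duplicated names there and refuse to run before it handles any tainted input. The sample environment block and the Linux-only path are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not from the Vigil@nce bulletin): detect duplicated
# environment variable names from the raw process environment on Linux.
use strict;
use warnings;

# Return a hash ref: name => number of occurrences in the raw block.
# $raw is a NUL-separated "NAME=value" block, as read from /proc/self/environ.
sub count_env_names {
    my ($raw) = @_;
    my %count;
    for my $entry (split /\0/, $raw) {
        next if $entry eq '';
        # Split on the first '=' only; values may themselves contain '='.
        my ($name) = split /=/, $entry, 2;
        $count{$name}++;
    }
    return \%count;
}

# Return the sorted list of names that occur more than once.
sub duplicated_env_names {
    my ($raw) = @_;
    my $count = count_env_names($raw);
    return sort grep { $count->{$_} > 1 } keys %$count;
}

# Read the raw initial environment of the current process (Linux-specific path).
sub read_raw_environ {
    my $path = '/proc/self/environ';
    open my $fh, '<:raw', $path or die "Cannot read $path: $!\n";
    local $/;                      # slurp mode
    my $raw = <$fh>;
    close $fh;
    return $raw;
}

# Constructed sample block: PATH appears twice, the situation the bulletin describes.
my $sample = join "\0", 'HOME=/home/user', 'PATH=/usr/bin', 'PATH=/tmp/other', 'X=a=b';
my @dups = duplicated_env_names($sample);
print "Sample duplicates: @dups\n";

# Real check: abort before any tainted data is processed if duplicates exist.
if (-r '/proc/self/environ') {
    my @real = duplicated_env_names(read_raw_environ());
    die "Refusing to run: duplicated environment variables: @real\n" if @real;
}
```

Because /proc/self/environ reflects the environment at process start, this check sees exactly the block that getenv() and %ENV were both populated from.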
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Perl-inconsistency-of-environment-variables-19062