ID CVE-2004-0452
Summary Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack.
References
Vulnerable Configurations
  • cpe:2.3:a:larry_wall:perl:5.6.1
  • cpe:2.3:a:larry_wall:perl:5.8.4
CVSS
Base: 2.6 (as of 15-06-2005 - 10:50)
Impact:
Exploitability:
Access
  • Vector LOCAL
  • Complexity HIGH
  • Authentication NONE
Impact
  • Confidentiality NONE
  • Integrity PARTIAL
  • Availability PARTIAL
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-620.NASL
    description Several vulnerabilities have been discovered in Perl, the popular scripting language. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2004-0452 Jeroen van Wolffelaar discovered that the rmtree() function in the File::Path module removes directory trees in an insecure manner which could lead to the removal of arbitrary files and directories through a symlink attack. - CAN-2004-0976 Trustix developers discovered several insecure uses of temporary files in many modules which allow a local attacker to overwrite files via a symlink attack.
    last seen 2017-10-29
    modified 2017-08-14
    plugin id 16073
    published 2005-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16073
    title Debian DSA-620-1 : perl - insecure temporary files / directories
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-44-1.NASL
    description A race condition and possible information leak has been discovered in Perl's File::Path::rmtree(). This function changes the permission of files and directories before removing them to avoid problems with wrong permissions. However, they were made readable and writable not only for the owner, but for the entire world, which opened a race condition and a possible information leak (if the actual removal of a file/directory failed for some reason). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-25
    plugin id 20661
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20661
    title Ubuntu 4.10 : perl vulnerabilities (USN-44-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_C418D4726BD111D993CA000A95BC6FAE.NASL
    description Jeroen van Wolffelaar reports that the Perl module File::Path contains a race condition wherein traversed directories and files are temporarily made world-readable/writable.
    last seen 2017-10-29
    modified 2013-06-22
    plugin id 19112
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19112
    title FreeBSD : perl -- File::Path insecure file/directory permissions (c418d472-6bd1-11d9-93ca-000a95bc6fae)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-105.NASL
    description Updated Perl packages that fix several security issues are now available for Red Hat Enterprise Linux 3. Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0156 to this issue. Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0155 to this issue. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2017-10-29
    modified 2016-12-28
    plugin id 16361
    published 2005-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16361
    title RHEL 3 : perl (RHSA-2005:105)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200501-38.NASL
    description The remote host is affected by the vulnerability described in GLSA-200501-38 (Perl: rmtree and DBI tmpfile vulnerabilities) Javier Fernandez-Sanguino Pena discovered that the DBI library creates temporary files in an insecure, predictable way (CAN-2005-0077). Paul Szabo found out that 'File::Path::rmtree' is vulnerable to various race conditions (CAN-2004-0452, CAN-2005-0448). Impact : A local attacker could create symbolic links in the temporary files directory that point to a valid file somewhere on the filesystem. When the DBI library or File::Path::rmtree is executed, this could be used to overwrite or remove files with the rights of the user calling these functions. Workaround : There are no known workarounds at this time.
    last seen 2017-10-29
    modified 2017-08-14
    plugin id 16429
    published 2005-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16429
    title GLSA-200501-38 : Perl: rmtree and DBI tmpfile vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-031.NASL
    description Jeroen van Wolffelaar discovered that the rmtree() function in the perl File::Path module would remove directories in an insecure manner which could lead to the removal of arbitrary files and directories via a symlink attack (CVE-2004-0452). Trustix developers discovered several insecure uses of temporary files in many modules which could allow a local attacker to overwrite files via symlink attacks (CVE-2004-0976). 'KF' discovered two vulnerabilities involving setuid-enabled perl scripts. By setting the PERLIO_DEBUG environment variable and calling an arbitrary setuid-root perl script, an attacker could overwrite arbitrary files with perl debug messages (CVE-2005-0155). As well, calling a setuid-root perl script with a very long path would cause a buffer overflow if PERLIO_DEBUG was set, which could be exploited to execute arbitrary files with root privileges (CVE-2005-0156). The provided packages have been patched to resolve these problems.
    last seen 2017-10-29
    modified 2016-08-17
    plugin id 16360
    published 2005-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16360
    title Mandrake Linux Security Advisory : perl (MDKSA-2005:031)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-103.NASL
    description Updated Perl packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0156 to this issue. Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0155 to this issue. An unsafe file permission bug was discovered in the rmtree() function in the File::Path module. The rmtree() function removes files and directories in an insecure manner, which could allow a local user to read or delete arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0452 to this issue. Users of Perl are advised to upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2017-10-29
    modified 2016-12-28
    plugin id 17187
    published 2005-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17187
    title RHEL 4 : perl (RHSA-2005:103)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_PERL-58_20131015.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack. (CVE-2004-0452) - Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree. (CVE-2005-0156) - Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452. (CVE-2005-0448) - Untrusted search path vulnerability in Perl before 5.8.7-r1 on Gentoo Linux allows local users in the portage group to gain privileges via a malicious shared object in the Portage temporary build directory, which is part of the RUNPATH. (CVE-2005-4278) - Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string. (CVE-2010-1158) - Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow. (CVE-2011-2939) - CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm. (CVE-2012-5526)
    last seen 2017-10-29
    modified 2016-08-17
    plugin id 80731
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80731
    title Oracle Solaris Third-Party Patch Update : perl-58 (cve_2012_5526_configuration_vulnerability1)
oval via4
accepted 2013-04-29T04:23:28.128-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack.
family unix
id oval:org.mitre.oval:def:9938
status accepted
submitted 2010-07-09T03:56:16-04:00
title Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack.
version 16
redhat via4
advisories
  • rhsa
    id RHSA-2005:103
  • rhsa
    id RHSA-2005:105
rpms
  • perl-suidperl-3:5.8.5-12.1.1
  • perl-3:5.8.5-12.1
  • perl-CGI-2:2.81-89.10
  • perl-DB_File-2:1.804-89.10
  • perl-suidperl-2:5.8.0-89.10
  • perl-CPAN-2:1.61-89.10
  • perl-2:5.8.0-89.10
refmap via4
bid 12072
bugtraq 20050111 [OpenPKG-SA-2005.001] OpenPKG Security Advisory (perl)
debian DSA-620
fedora FLSA-2006:152845
gentoo GLSA-200501-38
secunia
  • 12991
  • 18517
  • 55314
sgi 20060101-01-U
ubuntu USN-44-1
xf perl-filepathrmtree-insecure-permissions(18650)
Last major update 07-12-2016 - 21:59
Published 21-12-2004 - 00:00
Last modified 10-10-2017 - 21:29