ID CVE-2016-6185
Summary The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval: it derives the shared object's directory from the file name that caller() reports for the calling module, and inside a string eval that file name is '(eval N)' rather than a real path, so the computed .so path is relative and is resolved under the current working directory. This might allow local users to execute arbitrary code, with the privileges of the Perl process, via a Trojan horse library planted under the current working directory.
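The Debian advisory text further down this page states the root cause: XSLoader::load uses caller() information to locate the .so file, and inside a string eval that information points at '(eval N)' instead of the module's real location. The Perl script below is an added worked example, not code from this page, from perl itself or from any distribution patch. It re-implements the path derivation in simplified form, shows what caller() really reports from inside a string eval, and pairs the vulnerable derivation with a hardened one that refuses a non-absolute result, in line with the Fedora fix note "do not let XSLoader load relative paths". The module name Acme::Demo and the directory /usr/lib/perl5 are hypothetical; the script only computes paths and loads nothing.

```perl
#!/usr/bin/perl
# Added example: models how XSLoader::load derives the .so path from caller()
# and why a string eval turns that path into a cwd-relative one.
# Module name and library directory below are hypothetical.
use strict;
use warnings;
use File::Spec;

# Simplified version of the derivation in XSLoader::load: take the file name
# caller() reports for the calling module, strip one path component per "::"
# in the module name to get the library root, then append
# auto/<Mod>/<Path>/<Leaf>.so.
sub so_path_from_caller {
    my ($module, $caller_file) = @_;
    my @parts    = split /::/, $module;
    my $modpname = join '/', @parts;     # Acme/Demo
    my $modfname = $parts[-1];           # Demo
    my $libdir   = $caller_file;
    my $c        = @parts;               # number of components to strip
    # Strip "Acme/Demo.pm" from ".../Acme/Demo.pm". If $caller_file has no
    # separator at all, as "(eval 1)" does, nothing is stripped and the
    # "library root" is the literal string "(eval 1)".
    $libdir =~ s{[\\/][^\\/]+$}{} while $c--;
    return "$libdir/auto/$modpname/$modfname.so";
}

# Hardened variant: never hand back a path that is not absolute, because a
# relative path would be resolved against the current working directory.
# Returning undef lets the caller fall back to a loader that searches @INC.
sub safe_so_path_from_caller {
    my ($module, $caller_file) = @_;
    my $path = so_path_from_caller($module, $caller_file);
    return File::Spec->file_name_is_absolute($path) ? $path : undef;
}

# caller(0) inside a sub: element [1] is the file name of the call site.
sub report_caller_file { return (caller(0))[1] }

my $module = 'Acme::Demo';   # hypothetical XS module

# 1. Normal case: the module file lives under an absolute @INC directory,
#    so the derived .so path is absolute as well.
my $ok = so_path_from_caller($module, '/usr/lib/perl5/Acme/Demo.pm');
print "from real module file : $ok\n";

# 2. What caller() reports when the call happens inside a string eval:
#    the script's own file name directly, a pseudo file name from the eval.
my $direct  = report_caller_file();
my $in_eval = eval 'report_caller_file()';
print "caller file, direct   : $direct\n";
print "caller file, str eval : $in_eval\n";

# 3. Feed the string-eval file name through the same derivation: the result
#    is relative, so the OS resolves it under whatever cwd happens to be.
my $bad = so_path_from_caller($module, $in_eval);
print "from string eval      : $bad\n";
print "resolved against cwd  : ", File::Spec->rel2abs($bad), "\n";

# 4. The hardened derivation rejects the relative result and keeps the good one.
for my $file ('/usr/lib/perl5/Acme/Demo.pm', $in_eval) {
    my $p = safe_so_path_from_caller($module, $file);
    printf "%-28s -> %s\n", $file, defined $p ? $p : 'REJECTED (not absolute)';
}
```

Run it from any directory: the third section prints a path starting with the '(eval N)' pseudo directory and then the same path resolved under the current working directory, which is the "'(eval)' directory" the SUSE advisory refers to. The real XSLoader only takes this fast path when a file actually exists at the computed location and otherwise falls back to DynaLoader's @INC search, which is why the impact is a planted Trojan horse library under cwd rather than a load failure. Distributions generally backported the fix without changing $XSLoader::VERSION, so judge exposure by the package versions in the advisories below rather than by the module version.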
References
Vulnerable Configurations
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Perl
    cpe:2.3:a:perl:perl
  • Fedora 22
    cpe:2.3:o:fedoraproject:fedora:22
  • Fedora Project Fedora 23
    cpe:2.3:o:fedoraproject:fedora:23
  • Fedora 24
    cpe:2.3:o:fedoraproject:fedora:24
CVSS
Base: 4.6 (as of 03-08-2016 - 13:18)
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his or her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general, all that is required is sufficient privilege to execute a script from a location that is not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector: LOCAL
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3625-1.NASL
    description It was discovered that Perl incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause Perl to hang, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-8853) It was discovered that Perl incorrectly loaded libraries from the current working directory. A local attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6185) It was discovered that Perl incorrectly handled the rmtree and remove_tree functions. A local attacker could possibly use this issue to set the mode on arbitrary files. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-6512) Brian Carpenter discovered that Perl incorrectly handled certain regular expressions. An attacker could use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue has only been addressed in Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-6797) Nguyen Duc Manh discovered that Perl incorrectly handled certain regular expressions. An attacker could use this issue to cause Perl to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-6798) GwanYeong Kim discovered that Perl incorrectly handled certain data when using the pack function. An attacker could use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-6913). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 109086
    published 2018-04-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109086
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : perl vulnerabilities (USN-3625-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-485DFF6060.NASL
    description This fixes CVE-2016-6185 vulnerability (do not let XSLoader load relative paths). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92386
    published 2016-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92386
    title Fedora 24 : 4:perl (2016-485dff6060)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_3E08047F5A6C11E6A6C314DAE9D210B8.NASL
    description Jakub Wilk reports : XSLoader tries to load code from a subdirectory in the cwd when called inside a string eval
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92739
    published 2016-08-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92739
    title FreeBSD : p5-XSLoader -- local arbitrary code execution (3e08047f-5a6c-11e6-a6c3-14dae9d210b8)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-75.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-75 (Perl: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Perl. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or escalate privileges. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2017-06-01
    plugin id 96861
    published 2017-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96861
    title GLSA-201701-75 : Perl: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2246-1.NASL
    description This update for perl fixes the following issues : - CVE-2016-6185: xsloader looking at a '(eval)' directory [bsc#988311] - CVE-2016-1238: searching current directory for optional modules [bsc#987887] - CVE-2015-8853: regex engine hanging on bad utf8 [bnc976584] - CVE-2016-2381: environment dup handling bug [bsc#967082] - perl panic with utf8_mg_pos_cache_update [bsc#929027] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93371
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93371
    title SUSE SLES11 Security Update : perl (SUSE-SU-2016:2246-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2263-1.NASL
    description This update for Perl fixes the following issues : - CVE-2016-6185: Xsloader looking at a '(eval)' directory. (bsc#988311) - CVE-2016-1238: Searching current directory for optional modules. (bsc#987887) - CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc) - CVE-2016-2381: Environment dup handling bug. (bsc#967082) - 'Insecure dependency in require' error in taint mode. (bsc#984906) - Memory leak in 'use utf8' handling. (bsc#928292) - Missing lock prototype to the debugger. (bsc#932894) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93437
    published 2016-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93437
    title SUSE SLED12 / SLES12 Security Update : perl (SUSE-SU-2016:2263-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-742BDE2BE7.NASL
    description This fixes CVE-2016-6185 vulnerability (do not let XSLoader load relative paths). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92388
    published 2016-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92388
    title Fedora 23 : 4:perl (2016-742bde2be7)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-565.NASL
    description Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems : CVE-2016-1238 John Lightsey and Todd Rinaldo reported that the opportunistic loading of optional modules can make many programs unintentionally load code from the current working directory (which might be changed to another directory without the user realising) and potentially leading to privilege escalation, as demonstrated in Debian with certain combinations of installed packages. The problem relates to Perl loading modules from the includes directory array ('@INC') in which the last element is the current directory ('.'). That means that, when 'perl' wants to load a module (during first compilation or during lazy loading of a module in run-time), perl will look for the module in the current directory at the end, since '.' is the last include directory in its array of include directories to seek. The issue is with requiring libraries that are in '.' but are not otherwise installed. With this update several modules which are known to be vulnerable are updated to not load modules from current directory. Additionally the update allows configurable removal of '.' from @INC in /etc/perl/sitecustomize.pl for a transitional period. It is recommended to enable this setting if the possible breakage for a specific site has been evaluated. Problems in packages provided in Debian resulting from the switch to the removal of '.' from @INC should be reported to the Perl maintainers at perl@packages.debian.org . CVE-2016-6185 It was discovered that XSLoader, a core module from Perl to dynamically load C libraries into Perl code, could load shared library from incorrect location. XSLoader uses caller() information to locate the .so file to load. This can be incorrect if XSLoader::load() is called in a string eval. An attacker can take advantage of this flaw to execute arbitrary code. For Debian 7 'Wheezy', these problems have been fixed in version 5.14.2-21+deb7u4. We recommend that you upgrade your perl packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 92613
    published 2016-07-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92613
    title Debian DLA-565-1 : perl security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1086.NASL
    description This update for Perl fixes the following issues : - CVE-2016-6185: Xsloader looking at a '(eval)' directory. (bsc#988311) - CVE-2016-1238: Searching current directory for optional modules. (bsc#987887) - CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc) - CVE-2016-2381: Environment dup handling bug. (bsc#967082) - 'Insecure dependency in require' error in taint mode. (bsc#984906) - Memory leak in 'use utf8' handling. (bsc#928292) - Missing lock prototype to the debugger. (bsc#932894) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 93583
    published 2016-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93583
    title openSUSE Security Update : perl (openSUSE-2016-1086)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3628.NASL
    description Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2016-1238 John Lightsey and Todd Rinaldo reported that the opportunistic loading of optional modules can make many programs unintentionally load code from the current working directory (which might be changed to another directory without the user realising) and potentially leading to privilege escalation, as demonstrated in Debian with certain combinations of installed packages. The problem relates to Perl loading modules from the includes directory array ('@INC') in which the last element is the current directory ('.'). That means that, when 'perl' wants to load a module (during first compilation or during lazy loading of a module in run time), perl will look for the module in the current directory at the end, since '.' is the last include directory in its array of include directories to seek. The issue is with requiring libraries that are in '.' but are not otherwise installed. With this update several modules which are known to be vulnerable are updated to not load modules from current directory. Additionally the update allows configurable removal of '.' from @INC in /etc/perl/sitecustomize.pl for a transitional period. It is recommended to enable this setting if the possible breakage for a specific site has been evaluated. Problems in packages provided in Debian resulting from the switch to the removal of '.' from @INC should be reported to the Perl maintainers at perl@packages.debian.org . It is planned to switch to the default removal of '.' in @INC in a subsequent update to perl via a point release if possible, and in any case for the upcoming stable release Debian 9 (stretch). - CVE-2016-6185 It was discovered that XSLoader, a core module from Perl to dynamically load C libraries into Perl code, could load shared library from incorrect location. XSLoader uses caller() information to locate the .so file to load. This can be incorrect if XSLoader::load() is called in a string eval. An attacker can take advantage of this flaw to execute arbitrary code.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92548
    published 2016-07-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92548
    title Debian DSA-3628-1 : perl - security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-EB2592245B.NASL
    description This fixes CVE-2016-6185 vulnerability (do not let XSLoader load relative paths). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92335
    published 2016-07-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92335
    title Fedora 22 : 4:perl (2016-eb2592245b)
refmap via4
bid 91685
confirm
debian DSA-3628
fedora
  • FEDORA-2016-485dff6060
  • FEDORA-2016-742bde2be7
  • FEDORA-2016-eb2592245b
gentoo GLSA-201701-75
mlist
  • [oss-security] 20160707 CVE Request: perl: XSLoader: could load shared library from incorrect location
  • [oss-security] 20160708 Re: CVE Request: perl: XSLoader: could load shared library from incorrect location
sectrack 1036260
ubuntu
  • USN-3625-1
  • USN-3625-2
Last major update 28-11-2016 - 15:30
Published 02-08-2016 - 10:59
Last modified 01-05-2018 - 21:29