Full Disclosure mailing list archives
[Security Bug] Perl's CPANPLUS.pm Creates World-writable Files
From: "Shlomi Fish" <shlomif () gmail com>
Date: Sat, 11 Oct 2008 16:52:23 +0200
Hi all.

As reported here: http://rt.cpan.org/Public/Bug/Display.html?id=39516

And discussed here: http://www.nntp.perl.org/group/perl.qa/2008/09/msg11582.html

<<<
CPANPLUS will happily unpack and continue to build distributions that contain world-writable files, including program files that are executed by Perl. By writing to these world-writable programs, a malicious user will be able to execute arbitrary code as the user running the CPANPLUS process.

After smoking CPANPLUS as user "cpan", I got the following errors from Mandriva's msec process:

{{{{{{{{
/home/cpan/.cpanplus/5.10.0/build/Data-Dump-Streamer-2.08-40/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Digest-JHash-0.05/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Getopt-ArgvFile-1.11/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/HTML-Scrubber-0.08/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Kephra-0.3.10.11/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/Readonly-1.03/Makefile.PL
/home/cpan/.cpanplus/5.10.0/build/OOTools-2.21/Makefile.PL
}}}}}}}}

Each of these is a world-writable file, and each of these gets executed after the unpacking stage. A malicious user can append something like qq{system('rm -fr /');} there while the archive is unpacking, and so I'll lose all the files on my system.

CPANPLUS should check for any world-writable files, and if they exist, refuse to build the distribution.
Regards,

--
Shlomi Fish
http://www.shlomifish.org/

Electrical Engineering studies. In the Technion. Been there. Done that. Forgot a lot. Remember too much.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
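The pre-build gate the report asks for, written as an added example for this archive page and not taken from CPANPLUS itself: a POSIX shell function that walks an unpacked distribution directory, lists every entry whose mode has the "other write" bit set, and refuses (non-zero exit) when any is found. The function name, the directory layout and the throwaway Example-Dist-0.01 distribution in the demo are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not CPANPLUS code: refuse to build an unpacked distribution
# if any file or directory under it is world-writable.
# Usage: check_world_writable /home/cpan/.cpanplus/5.10.0/build/Some-Dist-1.00

check_world_writable() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -perm -002: match entries whose mode includes at least the o+w bit
    # (a leading hyphen means "all of these bits set", per POSIX find).
    # The top directory itself is included in the walk on purpose.
    bad=$(find "$dir" -perm -002 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "refusing to build $dir: world-writable entries found:" >&2
        printf '  %s\n' $bad >&2
        return 1
    fi
    return 0
}

# Constructed demo: a throwaway distribution directory, checked once with a
# normal 0644 Makefile.PL and once after it has been made world-writable.
demo() {
    tmp=$(mktemp -d)
    dist="$tmp/Example-Dist-0.01"
    mkdir -p "$dist"
    chmod 0755 "$dist"
    printf '%s\n' 'use ExtUtils::MakeMaker; WriteMakefile(NAME => "Example::Dist");' \
        > "$dist/Makefile.PL"
    chmod 0644 "$dist/Makefile.PL"
    check_world_writable "$dist" && echo "clean tree: ok to build"
    chmod 0666 "$dist/Makefile.PL"
    check_world_writable "$dist" || echo "world-writable Makefile.PL: build rejected"
    rm -rf "$tmp"
}

demo
```

The check is deliberately run on the extracted tree rather than on the archive listing, because the modes that matter are the ones the files actually carry on disk after unpacking (the umask of the extracting user and the archive tool's handling of stored modes both influence that). Running it immediately after extraction and before Makefile.PL or Build.PL is executed closes the window the report describes.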