regular expression
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A buffer overflow in the Regular Expression engine in Perl possibly
allows for the execution of arbitrary code.
Background
==========
two vulnerabilities to privilege escalation: (1) index functions were
executed as the superuser and not the table owner during VACUUM and
ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were
permitted within index functions. Both of these holes have now been closed.
Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067,
CVE-2007-4769): three separate issues in the regular expression
libraries used by PostgreSQL allowed malicious users to initiate a
denial-of-service by passing certain regular expressions in SQL queries.
First, users could create infinite loops using some specific regular
expressions. Second, certain complex regular expressions could consume
======================================================================
Secunia Research 30/03/2010
- ViewVC Regular Expression Search Cross-Site Scripting -
======================================================================
Table of Contents
Affected Software
b. Python
Chris Evans of the Google security research team discovered an
integer overflow issue with the way Python's Perl-Compatible
Regular Expression (PCRE) module handled certain regular
expressions. If a Python application used the PCRE module to
compile and execute untrusted regular expressions, it might be
possible to cause the application to crash, or to execute
arbitrary code with the privileges of the Python interpreter.
since the initial upstream fix was incomplete.
CVE-2007-4769
Tavis Ormandy and Will Drewry discovered that a bug in the handling
of back-references inside the regular expression engine could lead
to an out-of-bounds read, resulting in a crash. This constitutes a
security problem only if an application using PostgreSQL processes
regular expressions from untrusted sources.
CVE-2007-4772
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5116
Description:
Previous versions of the perl package contain a buffer overflow in the
regular expression parsing code which could allow an attacker to execute
arbitrary code via a program which uses perl to parse untrusted input as a
regular expression.
Foresight Linux does not include any such program by default.
for the execution of arbitrary code and a Denial of Service.
Background
==========
PCRE is a Perl-compatible regular expression library. GLib includes a
copy of PCRE.
Affected packages
=================
Debian-specific: no
CVE Ids : CVE-2007-1659 CVE-2007-1660 CVE-2007-1661 CVE-2007-1662
CVE-2007-4766 CVE-2007-4767 CVE-2007-4768
Tavis Ormandy of the Google Security Team has discovered several
security issues in PCRE, the Perl-Compatible Regular Expression library,
which potentially allow attackers to execute arbitrary code by compiling
specially crafted regular expressions.
Version 7.0 of the PCRE library featured a major rewrite of the regular
expression compiler, and it was deemed infeasible to backport the
Alex Roichman wrote:
> Checkmarx Research Lab presents a new attack vector on Web applications. By
> exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an
> attacker can make a Web application unavailable to its intended users. ReDoS
> is commonly known as a “bug” in systems, but Alex Roichman and Adar Weidman
> from Checkmarx show how serious it is and how using this technique, various
> applications can be “ReDoSed”. These include, among others, Server-side of
> Web applications and Client-side Browsers. The art of attacking the Web by
> ReDoS is by finding inputs which cannot be matched by Regexes and on these
> Regexes Regex-based Web systems get stuck.
_______________________________________________________________________
Problem Description:
Tavis Ormandy and Will Drewry discovered a flaw in Perl's regular
expression engine. Specially crafted input to a regular expression can
cause Perl to improperly allocate memory, resulting in the possible
execution of arbitrary code with the permissions of the user running
Perl.
Updated packages have been patched to prevent these issues.
Hi Thierry,
> With all due respect - this is known to be a vulnerability
> class since over a century.
The referenced web page is titled, "ReDoS (Regular Expression Denial
of Service) Revisited". The authors cite work as early as 2003 in
their paper.
> Can we please stop the attitude of inventing
> acronyms for vulnerabilities, ...
Original URL:
http://securityreason.com/achievement_securityalert/102
--- 0.Description ---
regcomp() compiles the regular expression contained in the pattern string, subject to the flags in cflags, and places the results in the regex_t structure pointed to by preg.
cflags is the bitwise OR of zero or more of the following flags:
REG_EXTENDED
Compile modern (extended) REs, rather than the obsolete (basic) REs that are the default.
vulnerabilities were found: Cross-Site Scripting and Cross-Site Request Forgery.
[*] Cross-Site Scripting (XSS):
This vulnerability is caused by a "typo" in the function validateGenericInput(), where the
extraction of the characters < and > fails because the regular expression in charge of the extraction
is invalid.
+++includes/registerglobals.inc.php @@ 1088:1102
1088 function validateGenericInput($input) {
1089
earlier versions.
Details follow:
Tavis Ormandy and Will Drewry discovered multiple flaws in the regular
expression handling of PCRE. By tricking a user or service into running
specially crafted expressions via applications linked against libpcre3,
a remote attacker could crash the application, monopolize CPU resources,
or possibly execute arbitrary code with the application's privileges.
name.
Debian-specific: no
Debian bug : #550457
CVE ID : None yet
The forms library of python-django, a high-level Python web development
framework, is using a badly chosen regular expression when validating
email addresses and URLs. An attacker can use this to perform denial
of service attacks (100% CPU consumption) due to bad backtracking
via a specially crafted email address or URL which is validated by the
django forms library.
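The catastrophic backtracking this advisory (and the Checkmarx note quoted earlier on the page) describes, as an added example that is not django's or Checkmarx's code: a constructed email validator with the nested-quantifier shape that makes a non-matching input exponentially expensive, beside a rewritten pattern for the same grammar that fails in linear time. The two patterns, the payload shape and the 254-octet length cap are this example's own choices; the django expression itself is not reproduced on the page.

```python
import re
import time

# Constructed validator in the style the advisory describes (an illustration, not the
# pattern that shipped in django.forms): the local part is a repeated group whose inner
# quantifier and outer quantifier can both absorb the same run of letters, so when the
# overall match FAILS the engine retries every one of the 2**(n-1) ways of splitting n
# letters between them before giving up.
VULNERABLE_EMAIL_RE = re.compile(
    r"^([a-z0-9]+\.?)+@[a-z0-9]+(\.[a-z0-9]+)*\.[a-z]{2,6}$", re.IGNORECASE)

# Hardened form of the same grammar: a dot is a mandatory separator between label runs,
# so each character can only ever be consumed one way and a failing input is rejected
# after a linear number of steps. A length cap runs before the regex is consulted.
SAFE_EMAIL_RE = re.compile(
    r"^[a-z0-9]+(?:\.[a-z0-9]+)*@[a-z0-9]+(?:\.[a-z0-9]+)*\.[a-z]{2,6}$", re.IGNORECASE)
MAX_EMAIL_LEN = 254  # RFC 5321 forward-path limit; cheap check before any regex work


def vulnerable_is_email(value: str) -> bool:
    return VULNERABLE_EMAIL_RE.match(value) is not None


def safe_is_email(value: str) -> bool:
    if len(value) > MAX_EMAIL_LEN:
        return False
    return SAFE_EMAIL_RE.match(value) is not None


def redos_payload(n: int) -> str:
    """n letters then a character no branch accepts: the match must fail, which is
    exactly the "input which cannot be matched" that ReDoS relies on."""
    return "a" * n + "!"


def match_seconds(pattern: "re.Pattern[str]", value: str) -> float:
    """Wall-clock cost of one failing match attempt (best of three runs)."""
    best = float("inf")
    for _ in range(3):
        start = time.perf_counter()
        pattern.match(value)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(pattern: "re.Pattern[str]", small: int, large: int) -> float:
    """Cost of failing on `large` letters relative to `small` letters. Near
    2**(large-small) for the vulnerable pattern, near large/small for the safe one."""
    t_small = max(match_seconds(pattern, redos_payload(small)), 1e-9)
    return match_seconds(pattern, redos_payload(large)) / t_small


if __name__ == "__main__":
    for n in (10, 14, 18):
        print(f"n={n:2d}  vulnerable={match_seconds(VULNERABLE_EMAIL_RE, redos_payload(n)):.5f}s"
              f"  safe={match_seconds(SAFE_EMAIL_RE, redos_payload(n)):.7f}s")
```

Both validators accept and reject the same ordinary addresses; the difference only shows on input that cannot match, which is the case an attacker controls. The length cap is the cheap first line of defence, but it does not rescue the vulnerable pattern on its own: 2**253 steps is still unbounded in practice, so the quantifier structure has to change as well.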
Possible code injection in setup script, in case session
variables are compromised.
CVE-2011-2507
Regular expression quoting issue in Synchronize code.
CVE-2011-2508
Possible directory traversal in MIME-type transformation.
identifies the following problems:
CVE-2009-2404
Moxie Marlinspike discovered that a buffer overflow in the regular
expression parser could lead to the execution of arbitrary code.
CVE-2009-2408
Dan Kaminsky discovered that NULL characters in certificate
names could lead to man-in-the-middle attacks by tricking the user
Description
===========
Tavis Ormandy and Will Drewry of the Google Security Team have reported
a double free vulnerability when processing a crafted regular
expression containing UTF-8 characters.
Impact
======
A remote attacker could possibly exploit this vulnerability to execute
170. // If the user specified a more specialized regex
171. if ( isset($params['regex']) && isset($params['regexres']) && preg_match('/^(.)(.)+\1[^e]*$/', $params['regex']) ) {
172. $snarf = preg_replace( $params['regex'], $params['regexres'], $snarf );
173. }
Input passed through $_REQUEST['regex'] is checked by a regular expression at line 171 to prevent
execution of arbitrary PHP code using the 'e' modifier in a call to preg_replace() at line 172.
But this check can be bypassed with a null byte injection, requesting a URL like this:
http://<hostname>/tiki-8.2/snarf_ajax.php?url=1&regexres=phpinfo()&regex=//e%00/
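Why the guard at line 171 accepts the value in that URL, as an added Python transcription (not TikiWiki code): the same expression evaluated with Python's re gives the same verdict as preg_match(), because both '.' and '[^e]' match a NUL byte, so the guard sees a well-formed "/.../" with nothing after the closing delimiter. The other half of the bug is the one the text states: the consumer reads the modifier list as a C string and stops at the NUL, so it does see 'e'. The hardened guard below rejects control bytes outright, splits the value the way the consumer will, and allowlists modifier letters; its delimiter parsing (single-character delimiter, backslash escapes) and its allowlist are assumptions made for this example.

```python
import re

# The guard from the page, transcribed from PHP's preg_match() to Python's re (an
# illustration added here, not TikiWiki code). It is meant to accept only
# "<delim><body><delim><modifiers>" with no 'e' among the modifiers. Both '.' and
# '[^e]' match a NUL byte, and '$' behaves the same in both engines.
ORIGINAL_GUARD = re.compile(r"^(.)(.)+\1[^e]*$")

# Modifiers a user-supplied pattern may carry in the hardened version
# (an allowlist chosen for this example; 'e' is deliberately absent).
ALLOWED_MODIFIERS = frozenset("imsxu")


def original_guard_allows(user_regex: str) -> bool:
    """True means the original check would pass the value on to preg_replace()."""
    return ORIGINAL_GUARD.match(user_regex) is not None


def split_delimited(user_regex: str):
    """Split '/body/mods' the way a PHP-style consumer does: the delimiter is the first
    character and the body ends at its first unescaped recurrence. Returns
    (body, modifiers) or None. Assumption for this example: same-character delimiters
    only, backslash escapes the next character."""
    if len(user_regex) < 2:
        return None
    delim = user_regex[0]
    i = 1
    while i < len(user_regex):
        ch = user_regex[i]
        if ch == "\\":
            i += 2          # skip the escaped character
            continue
        if ch == delim:
            return user_regex[1:i], user_regex[i + 1:]
        i += 1
    return None


def hardened_guard_allows(user_regex: str) -> bool:
    """Reject anything a C-string consumer would truncate, then parse the value the
    same way the consumer will and allowlist the modifier letters."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in user_regex):
        return False            # NUL and other control bytes never belong in a pattern
    parsed = split_delimited(user_regex)
    if parsed is None:
        return False
    _body, modifiers = parsed
    return set(modifiers) <= ALLOWED_MODIFIERS


# Constructed probes: the page's bypass string plus ordinary values.
PROBES = ("/x/", "/x/i", "/x/e", "//e\x00/")


def compare_guards() -> dict:
    """For each probe: (original verdict, hardened verdict)."""
    return {p: (original_guard_allows(p), hardened_guard_allows(p)) for p in PROBES}


if __name__ == "__main__":
    for probe, (orig, hard) in compare_guards().items():
        print(f"{probe!r:14} original={orig!s:5} hardened={hard}")
```

The general lesson is that a blacklist regex run over a string the consumer will parse by different rules is a parser differential: the check passes "//e\x00/" because it never models truncation at NUL. Parsing the value with the consumer's rules and allowlisting what remains closes that gap; not letting a request supply a pattern at all closes it more cheaply.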
Description
===========
Daniel B. Cid discovered that DenyHosts used an incomplete regular
expression to parse failed login attempts, a different issue than GLSA
200701-01.
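The advisory does not reproduce the DenyHosts expression, so what follows is an added illustration of the failure class rather than the original bug, and is not DenyHosts code: a parser for sshd "Invalid user" records in which the user name is chosen by the remote client. The log lines, both patterns and the hosts.deny-style counting are constructed for this example; the strict pattern assumes the "from <ip> port <n>" tail that sshd itself appends.

```python
import ipaddress
import re

# Constructed sshd lines, not taken from the advisory. The user name in an
# "Invalid user ... from ..." record is chosen by the remote client, so the third
# line carries a user name that itself looks like " from <ip> port <n>".
SAMPLE_LOG = """\
Jan 12 10:01:02 host sshd[1001]: Invalid user oracle from 203.0.113.7 port 40112
Jan 12 10:01:03 host sshd[1002]: Invalid user admin from 198.51.100.23 port 40113
Jan 12 10:01:04 host sshd[1003]: Invalid user root from 192.0.2.10 port 40114 from 203.0.113.7 port 40115
"""

# Incomplete pattern (illustrative, not DenyHosts' actual expression): neither end is
# anchored and the address is just "non-space", so the FIRST " from " wins and the
# client decides which address gets recorded.
LOOSE_RE = re.compile(r"Invalid user (\S+) from (\S+)")

# Completed pattern: anchored on the fields sshd appends after the user name, so the
# greedy user-name capture absorbs any injected " from ..." text and the address is
# the one sshd itself wrote.
STRICT_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (.*) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: \[preauth\])?$")


def failed_logins_by_ip(log_text: str, pattern: "re.Pattern[str]") -> dict:
    """Count failed-login records per source address the way a hosts.deny feeder
    would; addresses that do not parse are dropped rather than written out."""
    counts: dict = {}
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m is None:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def addresses_to_deny(log_text: str, pattern: "re.Pattern[str]", threshold: int) -> list:
    """Addresses that reached `threshold` failures; sorted for stable output."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text, pattern).items() if n >= threshold)


if __name__ == "__main__":
    print("loose :", failed_logins_by_ip(SAMPLE_LOG, LOOSE_RE))
    print("strict:", failed_logins_by_ip(SAMPLE_LOG, STRICT_RE))
```

With the loose expression the third line credits 192.0.2.10, an address the client typed, and the real source 203.0.113.7 stays under the ban threshold; with the anchored one the injected text is swallowed into the user name and the count lands on the right address. Whatever a log parser feeds into a blocking decision should be read from the fields the logging daemon controls, not from the ones the peer does.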
Impact
======
arbitrary setuid binaries via a symlink attack. This is a regression
related to CVE-2005-0448.
Additionally a double free vulnerability exists that allows
context-dependent attackers to cause a denial of service via a
crafted regular expression containing UTF8 characters.
http://wiki.rpath.com/Advisories:rPSA-2009-0011
Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0674
Description:
Previous versions of the pcre package are vulnerable to a possible
Arbitrary Code Execution attack in which an attacker may use a
maliciously crafted regular expression to trigger a buffer overflow.
The pcre library and utilities are not known to be exposed via any
privileged or remote interfaces within rPath Linux by default, but many
applications linked to the pcre library are routinely exposed to remote
or untrusted data; examples include httpd, some PHP applications, and
--- 0.Description ---
The GNU C library is used as the C library in the GNU system and most systems with the Linux kernel.
# define RE_DUP_MAX (0x7fff)
regcomp() is used to compile a regular expression into a form that is suitable for subsequent regexec() searches.
--- 1. RE_DUP_MAX overflow ---
The main problem exists in the regcomp(3) function of the GNU libc implementation. Let's try to understand it.
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2007-5116
Will Drewry and Tavis Ormandy of the Google Security Team have
discovered a UTF-8 related heap overflow in Perl's regular expression
compiler, probably allowing attackers to execute arbitrary code by
compiling specially crafted regular expressions.
For the stable distribution (etch), this problem has been fixed in
version 5.8.8-7etch1.
Problem Description:
A double free vulnerability in Perl 5.8.8 and earlier versions,
allows context-dependent attackers to cause a denial of service
(memory corruption and crash) via a crafted regular expression
containing UTF8 characters.
The updated packages have been patched to prevent this.
_______________________________________________________________________