regular expressions
two vulnerabilities to privilege escalation: (1) index functions were
executed as the superuser and not the table owner during VACUUM and
ANALYZE, and (2) SET ROLE and SET SESSION AUTHORIZATION were
permitted within index functions. Both of these holes have now been closed.
Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067,
CVE-2007-4769): three separate issues in the regular expression
libraries used by PostgreSQL allowed malicious users to initiate
a denial-of-service by passing certain regular expressions in SQL
queries. First, users could create infinite loops using some specific
regular expressions. Second, certain complex regular expressions could consume
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A buffer overflow in the Regular Expression engine in Perl possibly
allows for the execution of arbitrary code.
Background
==========
since the initial upstream fix was incomplete.
CVE-2007-4769
Tavis Ormandy and Will Drewry discovered that a bug in the handling
of back-references inside the regular expression engine could lead
to an out-of-bounds read, resulting in a crash. This only constitutes
a security problem if an application using PostgreSQL processes
regular expressions from untrusted sources.
CVE-2007-4772
Debian-specific: no
CVE Ids : CVE-2007-1659 CVE-2007-1660 CVE-2007-1661 CVE-2007-1662
CVE-2007-4766 CVE-2007-4767 CVE-2007-4768
Tavis Ormandy of the Google Security Team has discovered several
security issues in PCRE, the Perl-Compatible Regular Expression library,
which potentially allow attackers to execute arbitrary code by compiling
specially crafted regular expressions.
Version 7.0 of the PCRE library featured a major rewrite of the regular
expression compiler, and it was deemed infeasible to backport the
======================================================================
Secunia Research 30/03/2010
- ViewVC Regular Expression Search Cross-Site Scripting -
======================================================================
Table of Contents
Affected Software....................................................1
Original URL:
http://securityreason.com/achievement_securityalert/102
--- 0.Description ---
regcomp() compiles the regular expression contained in the pattern string, subject to the flags in cflags, and places the results in the regex_t structure pointed to by preg.
cflags is the bitwise OR of zero or more of the following flags:
REG_EXTENDED
Compile modern (extended) REs, rather than the obsolete (basic) REs that are the default.
Alex Roichman wrote:
> Checkmarx Research Lab presents a new attack vector on Web applications. By
> exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an
> attacker can make a Web application unavailable to its intended users. ReDoS
> is commonly known as a “bug” in systems, but Alex Roichman and Adar Weidman
> from Checkmarx show how serious it is and how using this technique, various
> applications can be “ReDoSed”. These include, among others, Server-side of
> Web applications and Client-side Browsers. The art of attacking the Web by
> ReDoS is by finding inputs which cannot be matched by Regexes and on these
> Regexes Regex-based Web systems get stuck.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0172
Description:
Previous versions of the boost package are vulnerable to multiple
Denials of Service in which attackers may use invalid regular
expressions to trigger crashes in applications that use the boost
regular expression library.
http://wiki.rpath.com/Advisories:rPSA-2008-0063
Copyright 2008 rPath, Inc.
Attack Vector: remote network
Attack Impact: arbitrary code execution
Description:
Will Drewry and Tavis Ormandy of the Google Security Team have
discovered a UTF-8 related heap overflow in the regular expression
compiler of the Perl [0] programming language, probably allowing
attackers to execute arbitrary code by compiling specially crafted
regular expressions. The bug manifests in a possible buffer overflow
in the polymorphic "opcode" support code, caused by ASCII regular
expressions that really are Unicode regular expressions.
[... logical flow of the code then jumps to line 181 ...]
*181 exe "setf " . b:asmsyntax
[... or line 1267 ...]
*1267 exe "setf " . b:asmsyntax
Patch 7.1.300 changed the regular expression in the substitute() call on
line 190:
let b:asmsyntax = substitute(head,
'.*\sasmsyntax=\([a-zA-Z0-9]\+\)\s.*','\1', "")
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2007-5116
Will Drewry and Tavis Ormandy of the Google Security Team have
discovered a UTF-8 related heap overflow in Perl's regular expression
compiler, probably allowing attackers to execute arbitrary code by
compiling specially crafted regular expressions.
For the stable distribution (etch), this problem has been fixed in
version 5.8.8-7etch1.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5116
Description:
Previous versions of the perl package contain a buffer overflow in the
regular expression parsing code which could allow an attacker to execute
arbitrary code via a program which uses perl to parse untrusted input as a
regular expression.
Foresight Linux does not include any such program by default.
3. Problem description:
a. Updated pcre Service Console package addresses several security issues
The pcre package contains the Perl-Compatible Regular Expression library.
pcre is used by various Service Console utilities.
Several security issues were discovered in the way PCRE handles
regular expressions. If an application linked against PCRE parsed a
malicious regular expression, it may have been possible to run
b. Python
Chris Evans of the Google security research team discovered an
integer overflow issue with the way Python's Perl-Compatible
Regular Expression (PCRE) module handled certain regular
expressions. If a Python application used the PCRE module to
compile and execute untrusted regular expressions, it might be
possible to cause the application to crash, or to execute
arbitrary code with the privileges of the Python interpreter.
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2008-2371
Tavis Ormandy discovered that PCRE, the Perl-Compatible Regular
Expression library, may encounter a heap overflow condition when
compiling certain regular expressions involving in-pattern options and
branches, potentially leading to arbitrary code execution.
For the stable distribution (etch), this problem has been fixed in
version 6.7+7.4-4.
Background
==========
Boost is a set of C++ libraries, including the Boost.Regex library to
process regular expressions.
Affected packages
=================
-------------------------------------------------------------------
Several vulnerabilities were found in PHP:
* PHP ships a vulnerable version of the PCRE library which allows for
the circumvention of security restrictions or even for remote code
execution in case of an application which accepts user-supplied
regular expressions (CVE-2008-0674).
* Multiple crash issues in several PHP functions have been
discovered.
* Ryan Permeh reported that the init_request_info() function in
--- 0.Description ---
The GNU C library is used as the C library in the GNU system and most systems with the Linux kernel.
# define RE_DUP_MAX (0x7fff)
regcomp() is used to compile a regular expression into a form that is suitable for subsequent regexec() searches.
--- 1. RE_DUP_MAX overflow ---
The main problem exists in the regcomp(3) function of the GNU libc implementation. Let's try to understand it.
_______________________________________________________________________
Problem Description:
Tavis Ormandy and Will Drewry discovered a flaw in Perl's regular
expression engine. Specially crafted input to a regular expression can
cause Perl to improperly allocate memory, resulting in the possible
execution of arbitrary code with the permissions of the user running
Perl.
Updated packages have been patched to prevent these issues.
Hi Thierry,
> With all due respect - this is known to be a vulnerability
> class since over a century.
The referenced web page is titled, "ReDoS (Regular Expression Denial
of Service) Revisited". The authors cite work as early as 2003 in
their paper.
> Can we please stop the attitude of inventing
> acronyms for vulnerabilities, ...
for the execution of arbitrary code and a Denial of Service.
Background
==========
PCRE is a Perl-compatible regular expression library. GLib includes a
copy of PCRE.
Affected packages
=================
legitimate URL and then use document.write() to place content within
the new document, appearing to have come from the spoofed location
(CVE-2009-2654).
Moxie Marlinspike reported a heap overflow vulnerability in the
code that handles regular expressions in certificate names. This
vulnerability could be used to compromise the browser and run arbitrary
code by presenting a specially crafted certificate to the client
(CVE-2009-2404).
IOActive security researcher Dan Kaminsky reported a mismatch in the
static code injection attacks by leveraging the ability to modify
the SESSION superglobal array (CVE-2011-2506).
libraries/server_synchronize.lib.php in the Synchronize implementation
in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not
properly quote regular expressions, which allows remote authenticated
users to inject a PCRE e (aka PREG_REPLACE_EVAL) modifier, and
consequently execute arbitrary PHP code, by leveraging the ability
to modify the SESSION superglobal array (CVE-2011-2507).
Directory traversal vulnerability in libraries/display_tbl.lib.php
_______________________________________________________________________
Problem Description:
Tavis Ormandy of the Google Security Team discovered a heap-based
buffer overflow when compiling certain regular expression patterns.
This could be used by a malicious attacker by sending a specially
crafted regular expression to an application using the PCRE library,
resulting in the possible execution of arbitrary code or a denial of
service (CVE-2008-2371).
Thanks to the discussion with kuza55, evilaliv3 and Wisec, 3 main uses
of this attack vector were identified:
- Blacklist bypass on write functions (file editors, file writing, etc)
- Blacklist bypass on read functions (source disclosure, etc)
- Regular expressions and IDS/IPS signature evasion
The wrong assumption was that this behaviour was filesystem dependent;
as said, it turned out to depend on which PHP version (patched vs.
non-patched) was installed.
necessary changes.
Details follow:
Will Drewry and Tavis Ormandy discovered that the boost library
did not properly perform input validation on regular expressions.
An attacker could send a specially crafted regular expression to
an application linked against boost and cause a denial of service
via application crash.
Description
===========
Will Drewry (Google Security) reported a vulnerability in the regular
expression engine when using back references to capture \0 characters
(CVE-2007-4770). He also found that the backtracking stack size is not
limited, possibly allowing for a heap-based buffer overflow
(CVE-2007-4771).
Impact