Bug 2249525 (CVE-2023-47039) - CVE-2023-47039 perl: Perl for Windows binary hijacking vulnerability
Summary: CVE-2023-47039 perl: Perl for Windows binary hijacking vulnerability
Keywords:
Status: NEW
Alias: CVE-2023-47039
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2249528
Reported: 2023-11-13 16:55 UTC by Mauro Matteo Cascella
Modified: 2024-01-02 05:18 UTC (History)

Fixed In Version: perl 5.32.1
Doc Text:
A vulnerability was found in Perl. The issue arises because Perl for Windows relies on the system path environment variable to find the shell (`cmd.exe`). When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute `cmd.exe` within the operating system. However, due to path search order issues, Perl initially looks for `cmd.exe` in the current working directory. This flaw allows an attacker with limited privileges to place `cmd.exe` in locations with weak permissions, such as `C:\ProgramData`. By doing so, arbitrary code can be executed when an administrator attempts to use this executable from these compromised locations.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Mauro Matteo Cascella 2023-11-13 16:55:33 UTC
Perl for Windows relies on the system path environment variable to find the shell (`cmd.exe`). When running an executable which uses the Windows Perl interpreter, Perl attempts to find and execute `cmd.exe` within the operating system. However, due to path search order issues, Perl initially looks for `cmd.exe` in the current working directory.

An attacker with limited privileges can exploit this behavior by placing `cmd.exe` in locations with weak permissions, such as `C:\ProgramData`. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.
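
The lookup order described in this report, as an added example that is not part of the original bug or of Perl's code: a simplified Python model of a current-directory-first search beside a lookup pinned to the system directory, plus an audit helper that flags shell-named files outside that directory. All function names and the temporary directory layout are constructed for illustration and run on any OS.

```python
import tempfile
from pathlib import Path

SHELL = "cmd.exe"

def resolve_cwd_first(cwd, path_dirs, name=SHELL):
    """Simplified model of the flawed lookup: current directory, then PATH."""
    for directory in [cwd, *path_dirs]:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None

def resolve_pinned(system_dir, name=SHELL):
    """Hardened lookup: accept only the fully qualified system directory."""
    candidate = Path(system_dir) / name
    return candidate if candidate.is_file() else None

def find_shadowing_shells(dirs, system_dir, name=SHELL):
    """Audit: files named like the shell in any directory other than system_dir."""
    trusted = Path(system_dir).resolve()
    hits = []
    for directory in map(Path, dirs):
        if not directory.is_dir() or directory.resolve() == trusted:
            continue
        for entry in sorted(directory.iterdir()):
            # Windows file names are case-insensitive, so compare lowercased.
            if entry.name.lower() == name.lower() and entry.is_file():
                hits.append(entry)
    return hits

def build_demo(root):
    """Constructed layout: a stand-in system directory and a weakly protected one."""
    system_dir = Path(root) / "Windows" / "System32"
    work_dir = Path(root) / "ProgramData" / "tool"
    for directory in (system_dir, work_dir):
        directory.mkdir(parents=True)
    (system_dir / SHELL).write_text("placeholder for the genuine shell")
    (work_dir / SHELL).write_text("placeholder for an unexpected file")
    return system_dir, work_dir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        system_dir, work_dir = build_demo(root)
        print("cwd-first :", resolve_cwd_first(work_dir, [system_dir]))
        print("pinned    :", resolve_pinned(system_dir))
        print("audit hits:", find_shadowing_shells([work_dir, system_dir], system_dir))
```
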

