CVE-2005-0077

Vulnerability

The DBI library (libdbi-perl) for Perl, in versions prior to 1.42-3ubuntu0.1 (Ubuntu) and corresponding versions in other distributions, creates a PID file in an insecure manner with a predictable name. The DBI::ProxyServer module writes this file without checking for an existing symbolic link. Affected package versions include libdbi-perl 1.42 and earlier (Ubuntu 4.10) and dev-perl/DBI on Gentoo [1][2][3].

Exploitation

A local attacker with the ability to create symbolic links in the directory where the PID file is written (typically /tmp or the current working directory) can pre-create a symlink pointing to an arbitrary target file. When a user or script invokes a program using the vulnerable module (such as dbiproxy), the DBI library follows the symlink and overwrites the target file with the privileges of the user running the program. No authentication or user interaction beyond normal program execution is required; the attacker needs only to have write access to the temporary directory [2][3].

Impact

Successful exploitation allows the attacker to overwrite any arbitrary file on the system that the target user has permission to modify. This can lead to privilege escalation, denial of service, or data corruption, depending on the file targeted (e.g., overwriting /etc/passwd, a configuration file, or a user's data files) [1][2].

Mitigation

The issue is fixed in libdbi-perl version 1.42-3ubuntu0.1 for Ubuntu 4.10 (released 2005-01-25) [2] and in dev-perl/DBI 1.46 for Gentoo (released 2005-01-31) [3]. Red Hat also released an erratum (RHSA-2005:072) for affected versions [1]. Users should upgrade to the patched version. No workaround is known; the fix modifies the module to not create a PID file by default [2].