Medium severity 5.3 · NVD Advisory · Published Sep 25, 2016 · Updated May 6, 2026

CVE-2016-4748

Description

Perl in Apple OS X before 10.12 allows local users to bypass the taint-mode protection mechanism via a crafted environment variable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Perl on macOS before 10.12 allows local users to bypass taint-mode protection via a crafted environment variable.

Vulnerability

Perl on Apple OS X before 10.12 (macOS Sierra) contains a flaw in its taint-mode protection mechanism. A local user can bypass the taint check by providing a specially crafted environment variable, such as HTTP_PROXY, that is inherited by Perl scripts. The issue affects all versions of OS X prior to 10.12 [1].

Exploitation

An attacker must have local access to the system and the ability to set environment variables for a Perl process. By crafting the HTTP_PROXY environment variable with a value that Perl's taint mechanism fails to properly sanitize, the attacker can cause the script to operate with untainted data. No authentication beyond local user access is required [1].

Impact

Successful exploitation allows a local attacker to bypass Perl's taint-mode, which is designed to prevent unsafe operations on data from untrusted sources. This can lead to arbitrary code execution or other security-sensitive operations within the context of the Perl script, potentially elevating privileges or compromising system integrity. The vulnerability is classified as medium severity (CVSS 5.3) [1].

Mitigation

Apple addressed the issue in macOS Sierra 10.12, released on September 20, 2016. Users should update to macOS 10.12 or later. The fix prevents the HTTP_PROXY environment variable from being set from CGI scripts, reducing the attack surface. No workaround is documented; updating is the recommended mitigation [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

4
