Re[2]: [Full-Disclosure] Buffer Overflow in ActivePerl ?
- To: mattmurphy@xxxxxxxxx
- Subject: Re[2]: [Full-Disclosure] Buffer Overflow in ActivePerl ?
- From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
- Date: Tue, 18 May 2004 12:11:54 +0400
Dear mattmurphy@xxxxxxxxx,
Seems not to be ActivePerl specific:
Y:\>perl -e "$a="A" x 256; system($a)"
Exception: STATUS_ACCESS_VIOLATION at eip=610760D4
eax=41004141 ebx=00000000 ecx=0022F748 edx=0022F748 esi=0A052A18 edi=00000000
ebp=0022F730 esp=0022F5C8 program=y:\cygwin\bin\perl.exe
cs=001B ds=0023 es=0023 fs=0038 gs=0000 ss=0023
Stack trace:
Frame Function Args
0022F730 610760D4 (41004141, 41004141, 41414141, 00000000)
118398 [main] perl 3984 handle_exceptions: Exception: STATUS_ACCESS_VIOLATION
136718 [main] perl 3984 handle_exceptions: Error while dumping state (probably corrupted stack)
Y:\>perl -v
This is perl, v5.6.1 built for cygwin-multi
Copyright 1987-2001, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.
Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'. If you have access to the
Internet, point your browser at http://www.perl.com/, the Perl Home Page.
--Tuesday, May 18, 2004, 1:22:30 AM, you wrote to
full-disclosure@xxxxxxxxxxxxxxxx:
>>Hi folks,
>>
>>I played around with ActiveState's ActivePerl for Win32, and crashed
>>Perl.exe with the following command:
>>
>>perl -e "$a="A" x 256; system($a)"
>>
>>I wonder if this bug isn't known?!? Because system() is a very common
>>command....
>>Can anybody reproduce this?
mkrc> I discovered this vulnerability independently several days ago, and had
mkrc> notified ActivePerl's team of several other potential code execution risks
mkrc> in their software. In particular, an integer overflow bug also exists in
mkrc> the famous duplication operator:
mkrc> $var = "ABCD"x0x40000000;
mkrc> This buffer overflow is limited in terms of exploitation by two factors.
mkrc> One, Windows has no concept of privileged (setuid) code. So, any
mkrc> exploitation would almost certainly have to be remote. Second, the buffer
mkrc> overflow vulnerability occurs in a set of very limited circumstances.
mkrc> Specifically, ActivePerl does some cleanup on the first command item passed
mkrc> -- the filename. If the file name has no extension, ActivePerl allocates a
mkrc> heap-based buffer to store the variable, to which it then concatenates
mkrc> '.exe'. For all intents and purposes, this limits exploitation to
mkrc> anyone able to execute a file of his/her choice via 'system' -- a dangerous
mkrc> practice anyway!
--
~/ZARAZA
After all, eggs, heels and bishops could pop into anyone's head. (Lem)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
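The allocation pattern Matt describes above (a heap buffer for the command name, with ".exe" appended when the name has no extension), as an added C illustration that is not ActivePerl's code and not taken from the thread: the 64-byte buffer size, the function names and the repeat-length check are assumptions made for the example. The block shows the unbounded form next to a bounded one, a predicate that tells you whether a given name would overrun the assumed buffer, and the multiply-with-overflow check that a repetition operator such as `x` needs before sizing `"ABCD" x 0x40000000`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed allocation size; the real ActivePerl size is not known from the thread. */
#define CMD_BUF 64

/* Does the command name already end in an extension (a '.' after the last path separator)? */
int has_extension(const char *name)
{
    const char *sep = name;
    const char *dot;
    for (const char *p = name; *p; p++) {
        if (*p == '\\' || *p == '/')
            sep = p;
    }
    dot = strrchr(sep, '.');
    return dot != NULL && dot[1] != '\0';
}

/* Vulnerable pattern (shown for contrast, never call it with untrusted input):
 * fixed-size heap block, unbounded copy, then the extension appended on top. */
char *append_exe_vulnerable(const char *name)
{
    char *buf = malloc(CMD_BUF);
    if (buf == NULL)
        return NULL;
    strcpy(buf, name);           /* a 256-byte name runs far past the 64-byte block */
    if (!has_extension(name))
        strcat(buf, ".exe");     /* and the extension lands past the end as well */
    return buf;
}

/* Hardened form: size the allocation from the input, then use bounded copies. */
char *append_exe_safe(const char *name)
{
    size_t len = strlen(name);
    size_t extra = has_extension(name) ? 0 : 4;   /* strlen(".exe") */
    if (len > SIZE_MAX - extra - 1)               /* length arithmetic must not wrap */
        return NULL;
    size_t total = len + extra + 1;
    char *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, name, len);
    memcpy(buf + len, ".exe", extra);
    buf[len + extra] = '\0';
    return buf;
}

/* Would the vulnerable form overrun the assumed CMD_BUF block for this name? */
int would_overflow(const char *name)
{
    size_t need = strlen(name) + (has_extension(name) ? 0 : 4) + 1;
    return need > CMD_BUF;
}

/* The check a repetition operator needs before allocating unit * count bytes.
 * With a 32-bit size_t, 4 * 0x40000000 wraps to 0 without it. Returns 0 on overflow. */
int mul_len_checked(size_t unit, size_t count, size_t *out)
{
    if (unit != 0 && count > SIZE_MAX / unit)
        return 0;
    *out = unit * count;
    return 1;
}

/* Constructed input matching the list's test case: 256 'A's, no extension. */
static void fill_a256(char *name) { memset(name, 'A', 256); name[256] = '\0'; }

int demo_a256_would_overflow(void) { char n[257]; fill_a256(n); return would_overflow(n); }

size_t demo_a256_safe_len(void)
{
    char n[257]; fill_a256(n);
    char *s = append_exe_safe(n);
    size_t l = s ? strlen(s) : 0;
    free(s);
    return l;
}

int demo_a256_safe_tail(void)
{
    char n[257]; fill_a256(n);
    char *s = append_exe_safe(n);
    int ok = s != NULL && strcmp(s + 256, ".exe") == 0;
    free(s);
    return ok;
}

/* A count that cannot fit whatever the word size, so the result is deterministic. */
int demo_repeat_wraps(void) { size_t n = 0; return mul_len_checked(4, SIZE_MAX / 2 + 1, &n); }
size_t demo_repeat_small(void) { size_t n = 0; return mul_len_checked(4, 8, &n) ? n : 0; }

int main(void)
{
    char name[257];
    size_t n = 0;
    fill_a256(name);
    printf("would_overflow(256 x 'A') = %d\n", would_overflow(name));
    char *s = append_exe_safe(name);
    printf("safe length = %zu, tail = %s\n", strlen(s), s + 256);
    free(s);
    printf("4 x 0x40000000 fits on this build: %d\n", mul_len_checked(4, 0x40000000, &n));
    return 0;
}
```

Whether `4 * 0x40000000` fits depends on the width of `size_t`, which is exactly why the last line of `main` is printed rather than asserted: on a 32-bit build the product is 2^32 and the check rejects it, on a 64-bit build it is accepted.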