Full Disclosure mailing list archives
Re[2]: Buffer Overflow in ActivePerl ?
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Tue, 18 May 2004 12:11:54 +0400
Dear mattmurphy () kc rr com,

Seems not to be ActivePerl specific:

Y:\>perl -e "$a="A" x 256; system($a)"
Exception: STATUS_ACCESS_VIOLATION at eip=610760D4
eax=41004141 ebx=00000000 ecx=0022F748 edx=0022F748 esi=0A052A18 edi=00000000
ebp=0022F730 esp=0022F5C8 program=y:\cygwin\bin\perl.exe
cs=001B ds=0023 es=0023 fs=0038 gs=0000 ss=0023
Stack trace:
Frame     Function  Args
0022F730  610760D4  (41004141, 41004141, 41414141, 00000000)
 118398 [main] perl 3984 handle_exceptions: Exception: STATUS_ACCESS_VIOLATION
 136718 [main] perl 3984 handle_exceptions: Error while dumping state (probably corrupted stack)

Y:\>perl -v

This is perl, v5.6.1 built for cygwin-multi

Copyright 1987-2001, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'.  If you have access to the
Internet, point your browser at http://www.perl.com/, the Perl Home Page.

--Tuesday, May 18, 2004, 1:22:30 AM, you wrote to full-disclosure () lists netsys com:
> hi folks, i played around with ActiveState's ActivePerl for Win32, and
> crashed Perl.exe with the following command:
>
> perl -e "$a="A" x 256; system($a)"
>
> I wonder if this bug isn't known?!? Because system() is a very common
> command.... Can anybody reproduce this?
mkrc> I discovered this vulnerability independently several days ago, and had
mkrc> notified ActivePerl's team of several other potential code execution risks
mkrc> in their software. In particular, an integer overflow bug also exists in
mkrc> the famous duplication operator:
mkrc>
mkrc> $var = "ABCD"x0x40000000;
mkrc>
mkrc> This buffer overflow is limited in terms of exploitation by two factors.
mkrc> One, Windows has no concept of privileged (setuid) code. So, any
mkrc> exploitation would almost certainly have to be remote. Second, the buffer
mkrc> overflow vulnerability occurs in a set of very limited circumstances.
mkrc> Specifically, ActivePerl does some cleanup on the first command item passed
mkrc> -- the filename. If the file name has no extension, ActivePerl allocates a
mkrc> heap-based buffer to store the variable, to which it then concatenates
mkrc> '.exe'. For all intents and purposes, this limits exploitation to
mkrc> anyone able to execute a file of his/her choice via 'system' -- a dangerous
mkrc> practice anyway!

-- 
~/ZARAZA
But then, eggs, heels and bishops may come into anyone's head. (Lem)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
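The defect mattmurphy describes (a heap buffer sized for the command name, with '.exe' appended afterwards) is the kind of mistake a size calculation before the allocation rules out. The following is an added example, not ActivePerl's or Perl's own code: a constructed qualify_command_name() that counts the suffix before allocating and refuses names that would not fit an assumed 260-byte limit (CMD_NAME_MAX is an assumption for this example, not a Perl constant).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on a command name, including the NUL (example only). */
#define CMD_NAME_MAX 260

/* Does the last path component of `name` already carry an extension? */
static int has_extension(const char *name) {
    const char *dot = strrchr(name, '.');
    const char *comp = name + strlen(name);
    if (dot == NULL) return 0;
    /* walk back to the start of the final path component */
    while (comp > name && comp[-1] != '\\' && comp[-1] != '/') comp--;
    return dot >= comp;   /* a '.' in an earlier directory name does not count */
}

/* Return a freshly allocated "name.exe" (or a plain copy when `name` already
   has an extension). Returns NULL when the result would not fit CMD_NAME_MAX,
   so the caller can reject the command instead of overrunning a buffer. */
char *qualify_command_name(const char *name) {
    const char *suffix = has_extension(name) ? "" : ".exe";
    size_t name_len = strlen(name);
    size_t need = name_len + strlen(suffix);   /* suffix counted BEFORE malloc */
    if (need >= CMD_NAME_MAX) return NULL;     /* refuse rather than overflow */
    char *out = malloc(need + 1);
    if (out == NULL) return NULL;
    memcpy(out, name, name_len);
    memcpy(out + name_len, suffix, strlen(suffix) + 1);   /* copies the NUL */
    return out;
}

int main(void) {
    char name[257];                  /* the 256 x "A" case from the thread */
    memset(name, 'A', 256);
    name[256] = '\0';
    char *ok = qualify_command_name("notepad");
    char *big = qualify_command_name(name);
    printf("notepad -> %s\n", ok ? ok : "(refused)");
    printf("256 x 'A' -> %s\n", big ? big : "(refused)");
    free(ok);
    free(big);
    return 0;
}
```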