Full Disclosure mailing list archives

Re[2]: Buffer Overflow in ActivePerl ?


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Tue, 18 May 2004 12:11:54 +0400

Dear mattmurphy () kc rr com,

Seems not to be ActivePerl specific:

Y:\>perl -e "$a="A" x 256; system($a)"
Exception: STATUS_ACCESS_VIOLATION at eip=610760D4
eax=41004141 ebx=00000000 ecx=0022F748 edx=0022F748 esi=0A052A18 edi=00000000
ebp=0022F730 esp=0022F5C8 program=y:\cygwin\bin\perl.exe
cs=001B ds=0023 es=0023 fs=0038 gs=0000 ss=0023
Stack trace:
Frame     Function  Args
0022F730  610760D4  (41004141, 41004141, 41414141, 00000000)
 118398 [main] perl 3984 handle_exceptions: Exception: STATUS_ACCESS_VIOLATION
 136718 [main] perl 3984 handle_exceptions: Error while dumping state (probably corrupted stack)

Y:\>perl -v

This is perl, v5.6.1 built for cygwin-multi

Copyright 1987-2001, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'.  If you have access to the
Internet, point your browser at http://www.perl.com/, the Perl Home Page.

--Tuesday, May 18, 2004, 1:22:30 AM, you wrote to full-disclosure () lists netsys com:

hi folks,

i played around with ActiveState's ActivePerl for Win32, and crashed 
Perl.exe with the following command:

perl -e "$a="A" x 256; system($a)"

I wonder if this bug isn't known?!? Because system() is a very common
command....
Can anybody reproduce this?

mkrc> I discovered this vulnerability independently several days ago, and had
mkrc> notified ActivePerl's team of several other potential code execution risks
mkrc> in their software.  In particular, an integer overflow bug also exists in
mkrc> the famous duplication operator:

mkrc> $var = "ABCD"x0x40000000;

mkrc> This buffer overflow is limited in terms of exploitation by two factors.
mkrc> One, Windows has no concept of privileged (setuid) code.  So, any
mkrc> exploitation would almost certainly have to be remote.  Second, the buffer
mkrc> overflow vulnerability occurs in a set of very limited circumstances.

mkrc> Specifically, ActivePerl does some cleanup on the first command item passed
mkrc> -- the filename.  If the file name has no extension, ActivePerl allocates a
mkrc> heap-based buffer to store the variable, to which it then concatenates
mkrc> '.exe'.  For all intents and purposes, this limits exploitation to
mkrc> anyone able to execute a file of his/her choice via 'system' -- a dangerous
mkrc> practice anyway!



-- 
~/ZARAZA
But after all, eggs, heels and bishops can come into anyone's head. (Lem)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
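As an added example, not code from this thread and not Perl's or ActivePerl's own source: a C sketch of the bug class mattmurphy describes above, a command name with no extension being copied into a heap buffer and having ".exe" appended without any length check, placed beside a hardened form that sizes the allocation from the input and refuses names that cannot fit. The 260-byte limit (CMD_NAME_MAX), the function names and the reject-rather-than-truncate policy are assumptions made for this example, not values taken from Perl's code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit on a command name for this example; it stands in for
 * whatever fixed-size buffer the report implies, not a Perl constant. */
#define CMD_NAME_MAX 260

/* Return 1 if the last path component of `name` already carries an
 * extension (a '.' after the final '\\' or '/'), else 0. */
int has_extension(const char *name)
{
    const char *last_sep = name;
    const char *p;
    for (p = name; *p; p++)
        if (*p == '\\' || *p == '/')
            last_sep = p + 1;
    return strchr(last_sep, '.') != NULL;
}

/* Unsafe pattern (constructed to show the bug class in the report):
 * a fixed-size heap buffer receives the name and then ".exe" with no
 * length check, so a name at or near CMD_NAME_MAX overruns the heap.
 * Kept here for comparison only; never feed it untrusted input. */
char *append_exe_unchecked(const char *name)
{
    char *buf = malloc(CMD_NAME_MAX);
    if (!buf)
        return NULL;
    strcpy(buf, name);           /* overflows when strlen(name) >= CMD_NAME_MAX */
    if (!has_extension(name))
        strcat(buf, ".exe");     /* overflows four bytes earlier still */
    return buf;
}

/* Hardened form: compute the exact size needed, refuse names that cannot
 * fit the command-name limit, and use a bounded write. Caller frees. */
char *append_exe_checked(const char *name)
{
    size_t len = strlen(name);
    const char *suffix = has_extension(name) ? "" : ".exe";
    size_t need = len + strlen(suffix) + 1;   /* +1 for the terminator */
    char *buf;

    if (len == 0 || need > CMD_NAME_MAX)
        return NULL;             /* reject rather than silently truncate */
    buf = malloc(need);
    if (!buf)
        return NULL;
    snprintf(buf, need, "%s%s", name, suffix);
    return buf;
}

/* Helper: does the checked builder turn `name` into exactly `expect`? */
int checked_result_equals(const char *name, const char *expect)
{
    char *r = append_exe_checked(name);
    int ok = r != NULL && strcmp(r, expect) == 0;
    free(r);
    return ok;
}

/* Helper: build a name of `len` 'A' characters (like the "A" x 256 test
 * case in the thread) and report 1 if the checked builder rejects it. */
int overlong_rejected(size_t len)
{
    char *name = malloc(len + 1);
    char *r;
    int rejected;
    if (!name)
        return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    r = append_exe_checked(name);
    rejected = (r == NULL);
    free(r);
    free(name);
    return rejected;
}

int main(void)
{
    printf("notepad  -> %s\n", checked_result_equals("notepad", "notepad.exe") ? "notepad.exe" : "?");
    printf("256 x A  -> %s\n", overlong_rejected(256) ? "rejected" : "accepted");
    printf("255 x A  -> %s\n", overlong_rejected(255) ? "rejected" : "accepted");
    return 0;
}
```

With the assumed 260-byte limit, 256 "A"s plus ".exe" plus the terminator need 261 bytes, so the checked builder refuses exactly the input that crashed perl above, while 255 "A"s still fit. The point for reviewers of native code behind a scripting runtime is the same either way: the size must come from the input, and a name that will not fit is rejected, not copied.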

