RE: Buffer Overflow in ActivePerl ?

["mattmurphy () kc rr com" <mattmurphy () kc rr com>]

> hi folks,
>
> i played around with ActiveState's ActivePerl for Win32, and crashed 
> Perl.exe with the following command:
>
> perl -e "$a="A" x 256; system($a)"
>
> I wonder if this bug isnt known?!? Because system() is a very common 
> command....
> Can anybody reproduce this?

I discovered this vulnerability independently several days ago, and had
notified ActivePerl's team of several other potential code execution risks
in their software.  In particular, an integer overflow bug also exists in
the famous duplication operator:

$var = "ABCD"x0x40000000;

This buffer overflow is limited in terms of exploitation by two factors. 
One, Windows has no concept of privileged (setuid) code.  So, any
exploitation would almost certainly have to be remote.  Second, the buffer
overflow vulnerability occurs in a set of very limited circumstances.

Specifically, ActivePerl does some cleanup on the first command item passed
-- the filename.  If the file name has no extension, ActivePerl allocates a
heap-based buffer to store the variable, to which it then concatenates
'.exe' to.  For all intents and purposes, this limits exploitation to
anyone able to execute a file of his/her choice via 'system' -- a dangerous
practice anyway!

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html