Full Disclosure mailing list archives
RE: Buffer Overflow in ActivePerl ?
From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Mon, 17 May 2004 17:22:30 -0400
Hi folks, I played around with ActiveState's ActivePerl for Win32 and crashed Perl.exe with the following command:

    perl -e "$a="A" x 256; system($a)"

I wonder if this bug isn't known?!? Because system() is a very common command.... Can anybody reproduce this?
I discovered this vulnerability independently several days ago, and had notified ActivePerl's team of several other potential code execution risks in their software. In particular, an integer overflow bug also exists in the famous duplication operator:

    $var = "ABCD" x 0x40000000;

This buffer overflow is limited in terms of exploitation by two factors. One, Windows has no concept of privileged (setuid) code. So, any exploitation would almost certainly have to be remote. Second, the buffer overflow vulnerability occurs in a set of very limited circumstances. Specifically, ActivePerl does some cleanup on the first command item passed -- the filename. If the file name has no extension, ActivePerl allocates a heap-based buffer to store the variable, to which it then concatenates '.exe'. For all intents and purposes, this limits exploitation to anyone able to execute a file of his/her choice via 'system' -- a dangerous practice anyway!
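The two length-calculation bugs described in the reply above (the ".exe" appended to an extension-less command name after the heap buffer was already sized, and the length-times-count product of the `x` operator wrapping), reconstructed below as an added C example. This is not ActivePerl's source: the function names, the assumption that the naive code sized its buffer for the bare name only, and the 32-bit size arithmetic are all assumptions made to illustrate the pattern, and the unsafe write is only measured, never performed. Each bug is shown next to a checked version.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Added example, not ActivePerl code: a plausible shape of the two length
 * bugs described in the thread, each beside a checked version.  Function
 * names and the exact allocation strategy are assumptions. */

#define EXE_SUFFIX ".exe"

/* Does the last path component of NAME carry an extension?
 * "c:\dir.v1\prog" has none even though the path contains a '.'. */
static int has_extension(const char *name)
{
    const char *base = name;
    for (const char *p = name; *p; p++)
        if (*p == '\\' || *p == '/')
            base = p + 1;
    return strchr(base, '.') != NULL;
}

/* Bug 1, dry run: size the heap buffer for the bare name, then append
 * ".exe" when no extension is present.  Returns how many bytes past the
 * allocation such code would write (0 means it stays in bounds).  The
 * overflowing write itself is deliberately not performed here. */
static size_t naive_overrun(const char *name)
{
    size_t alloc = strlen(name) + 1;                   /* name + NUL only */
    size_t need  = alloc + (has_extension(name) ? 0 : strlen(EXE_SUFFIX));
    return need - alloc;
}

/* Bug 1, fixed: compute the final length first, check it cannot wrap,
 * allocate once, and copy with explicit lengths instead of strcat(). */
static char *append_exe_checked(const char *name)
{
    size_t len   = strlen(name);
    size_t extra = has_extension(name) ? 0 : strlen(EXE_SUFFIX);
    if (len > SIZE_MAX - 1 - extra)
        return NULL;                                    /* length would wrap */
    char *buf = malloc(len + extra + 1);
    if (!buf)
        return NULL;
    memcpy(buf, name, len);
    memcpy(buf + len, EXE_SUFFIX, extra);               /* extra may be 0 */
    buf[len + extra] = '\0';
    return buf;
}

/* Bug 2: the repetition operator multiplies string length by count.
 * "ABCD" x 0x40000000 asks for 4 * 2^30 = 2^32 bytes, which a 32-bit
 * size calculation wraps to 0: a tiny buffer for a huge copy. */
static uint32_t repeat_size32(uint32_t len, uint32_t count)
{
    return (uint32_t)((uint64_t)len * count);           /* unsigned wrap */
}

/* Bug 2, fixed: refuse any count whose product cannot be represented. */
static char *repeat_checked(const char *s, size_t count, size_t *out_len)
{
    size_t len = strlen(s);
    if (len != 0 && count > (SIZE_MAX - 1) / len)
        return NULL;                                    /* would overflow */
    size_t total = len * count;
    char *buf = malloc(total + 1);
    if (!buf)
        return NULL;
    for (size_t i = 0; i < count; i++)
        memcpy(buf + i * len, s, len);
    buf[total] = '\0';
    if (out_len)
        *out_len = total;
    return buf;
}

int main(void)
{
    /* Constructed inputs standing in for the argument handed to system(). */
    const char *no_ext   = "AAAAAAAAAAAAAAAA";
    const char *with_ext = "notepad.exe";
    printf("%-20s overrun=%zu\n", no_ext, naive_overrun(no_ext));
    printf("%-20s overrun=%zu\n", with_ext, naive_overrun(with_ext));

    char *fixed = append_exe_checked(no_ext);
    printf("checked: %s\n", fixed);
    free(fixed);

    printf("\"ABCD\" x 0x40000000 -> 32-bit size %u\n",
           (unsigned)repeat_size32(4, 0x40000000u));
    size_t n = 0;
    char *r = repeat_checked("ABCD", 3, &n);
    printf("\"ABCD\" x 3 -> %s (%zu bytes)\n", r, n);
    free(r);
    return 0;
}
```

The point to take from `naive_overrun` is that the overrun is a constant four bytes regardless of the name's length, so whether a given length crashes depends on the allocator's chunk rounding rather than on the input, which is why a particular size such as 256 may be the first that visibly faults. Both checked versions do the arithmetic before the allocation and treat a wrapped size as an error rather than as a small request.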
Current thread:
- Re: Re: Buffer Overflow in ActivePerl?, (continued)
- Re: Re: Buffer Overflow in ActivePerl? Frederic Krueger (May 18)
- Re: Buffer Overflow in ActivePerl ? Frederic Krueger (May 18)
- ActivePerl Perl2Exe [was] Buffer Overflow in ActivePerl ? morning_wood (May 20)
- Re: ActivePerl Perl2Exe [was] Buffer Overflow in ActivePerl ? Clint Bodungen (May 20)
- ActivePerl Perl2Exe [was] Buffer Overflow in ActivePerl ? morning_wood (May 20)
- Re: Buffer Overflow in ActivePerl ? Nick FitzGerald (May 18)
- Re: Re: Buffer Overflow in ActivePerl ? npguy (May 18)
- Re: Re: Buffer Overflow in ActivePerl ? morning_wood (May 18)
- Re: Buffer Overflow in ActivePerl ? Curt Sampson (May 19)
- Re: Buffer Overflow in ActivePerl ? overlord_q (May 18)
- Re: Buffer Overflow in ActivePerl ? rich . sf (May 18)
- RE: Buffer Overflow in ActivePerl ? mattmurphy () kc rr com (May 17)
- Re[2]: Buffer Overflow in ActivePerl ? 3APA3A (May 18)
- RE: Re: Buffer Overflow in ActivePerl ? Petter O. Bruland (May 18)