From: mattmurphy at kc.rr.com (mattmurphy@...rr.com)
Subject: Buffer Overflow in ActivePerl ?

>hi folks,
>
>i played around with ActiveState's ActivePerl for Win32, and crashed 
>Perl.exe with the following command:
>
>perl -e "$a="A" x 256; system($a)"
>
>I wonder if this bug isn't known?!? Because system() is a very common 
>command....
>Can anybody reproduce this?

I discovered this vulnerability independently several days ago, and had
notified ActivePerl's team of several other potential code execution risks
in their software.  In particular, an integer overflow bug also exists in
the famous duplication operator:

$var = "ABCD"x0x40000000;

This buffer overflow is limited in terms of exploitation by two factors. 
One, Windows has no concept of privileged (setuid) code.  So, any
exploitation would almost certainly have to be remote.  Second, the buffer
overflow vulnerability occurs in a set of very limited circumstances.

Specifically, ActivePerl does some cleanup on the first command item passed
-- the filename.  If the file name has no extension, ActivePerl allocates a
heap-based buffer to store the variable, to which it then concatenates
'.exe'.  For all intents and purposes, this limits exploitation to
anyone able to execute a file of his/her choice via 'system' -- a dangerous
practice anyway!

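Added example, not code from either poster or from ActiveState: a Perl wrapper that keeps a script away from the conditions the reply describes, i.e. untrusted input choosing an extension-less first item for system(). The program table, its paths, and the argument limits are assumed values for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not part of the original post.
use strict;
use warnings;
use File::Spec;

# Hypothetical allowlist: the only programs this script may launch, each
# given as an absolute path with an explicit extension, so Perl never has
# to guess the extension and append '.exe' to the name itself.
my %ALLOWED = (
    ping => 'C:\\Windows\\System32\\PING.EXE',   # assumed path
);

# Launch a program by its allowlist key; untrusted data may only reach @args,
# never the first item of the command.
sub run_allowed {
    my ($name, @args) = @_;
    my $exe = $ALLOWED{$name}
        or die "refusing to run '$name': not in allowlist\n";

    # Defensive checks in case the table is ever edited by hand.
    die "allowlist entry for '$name' is not an absolute path\n"
        unless File::Spec->file_name_is_absolute($exe);
    die "allowlist entry for '$name' has no file extension\n"
        unless $exe =~ /\.[A-Za-z0-9]+\z/;

    # Keep arguments short and free of cmd.exe metacharacters (assumed limit).
    for my $arg (@args) {
        die "argument too long\n" if length($arg) > 128;
        die "argument contains shell metacharacters\n"
            if $arg =~ /[&|<>^"\r\n]/;
    }

    # List form: the program and each argument are passed separately.
    my $rc = system($exe, @args);
    die "could not run $exe: $!\n" if $rc == -1;
    return $rc >> 8;    # child's exit status
}

# Usage: only the key 'ping' selects the program; the host is an argument.
my $status = run_allowed('ping', '-n', '1', '127.0.0.1');
print "ping exited with status $status\n";
```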