Message-ID: <20040519173811.GZ12040@securityfocus.com>
Date: Wed, 19 May 2004 11:38:11 -0600
From: David Ahmad <da@...urityfocus.com>
To: David Cantrell <david@...trell.org.uk>, bugtraq@...urityfocus.com
Subject: Re: Buffer Overflow in ActivePerl ?
On Wed, May 19, 2004 at 10:00:15AM +0100, David Cantrell wrote:
> [CCed to activestate in case they were unaware of the discussion on
> bugtraq - activestate people, see the archives]
>
> This isn't really a hole in perl itself, but in the particular build of
> perl compiled and shipped by one particular vendor. I can not replicate
> this on OpenBSD, Debian Linux, or Solaris. Nor can I replicate it using
> the version of perl supplied with Cygwin.
Right, just like any system-dependent (i.e. requiring syscalls)
operation.
While the interface is the same, system() is going to be implemented
differently on different platforms. Obviously so, since there is
no Windows fork() system call, no exec and no "/bin/sh".
It is up to the developers porting Perl to Win32 (ActiveState) to
implement this (and/or the more primitive operations it depends on)
such that the interface remains consistent. It seems they have
an overflow somewhere in the native code that system() is built on,
either in the implementation of the function itself (if that is
how it was done) or in the platform-dependent implementation of
"Create new process" and "Execute command-line" operations and
whatever else at the system-level that system() depends on, if
system() itself was written in Perl.
> I'd be interested to hear if a similar bug exists in Activestate's build
> of perl for Linux and Solaris, which I didn't try.
>
> In any case, if an attacker can inject his choice of data into a
> system() function, then all bets are off so this is not something that
> the users should worry too much about.
I disagree here. I can see a scenario where externally supplied
data is included in a command-line string, except that it has
been checked for shell metacharacters beforehand. In that
situation, the overflow may yet be exploitable while
traditional system() "injection" attacks are not.
> --
> David Cantrell | Benevolent Dictator | http://www.cantrell.org.uk/david
>
> <davorg> clowns are scary
> <gbjk> I concur. It's their motivation that worries me.
> -- in #london.pm
--
David Mirza Ahmad
Symantec
PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
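A worked illustration of the scenario in the reply above, added here and not part of the original message, the bugtraq thread, or ActiveState's code: a Perl wrapper that screens shell metacharacters (and so defeats classic system() injection) but never bounds the length of what it passes on, beside a version that adds a length bound and uses the list form of system(). The character whitelist, the MAX_ARG limit and the sample inputs are assumptions for the demonstration; nothing here reproduces or depends on the specific ActivePerl overflow, which the thread does not detail.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from ActiveState: shows why a
# shell-metacharacter filter alone is not a complete defence for system().
# The whitelist, MAX_ARG and the inputs below are illustrative assumptions.
use strict;
use warnings;

# Allow only a conservative character set; anything a shell could interpret
# (; | & $ ` < > space, quotes, newlines ...) is rejected. This defeats the
# classic "append a second command" attack.
sub filter_metachars {
    my ($s) = @_;
    return ( defined $s && $s =~ /\A[A-Za-z0-9_.\/-]+\z/ ) ? $s : undef;
}

# Policy A: metacharacter filter only. The resulting command string carries no
# injection, but its length is whatever the attacker chose, so it reaches the
# platform's native system() implementation in full.
sub build_command_filtered_only {
    my ($user_input) = @_;
    my $name = filter_metachars($user_input);
    return undef unless defined $name;
    return "ls -l $name";    # single-string form: shell / command-line path
}

# Policy B: same filter plus an explicit length bound, then list-form system(),
# which hands argv to the child without shell parsing. MAX_ARG is an assumed
# application limit, not a figure from the thread.
use constant MAX_ARG => 255;

sub run_bounded {
    my ($user_input) = @_;
    my $name = filter_metachars($user_input);
    return 'rejected: metacharacters' unless defined $name;
    return 'rejected: too long' if length($name) > MAX_ARG;
    my $rc = system( 'ls', '-l', $name );    # list form: no shell involved
    return $rc == 0 ? 'ok' : "ls exited with $?";
}

# Constructed inputs for the demonstration (not taken from the thread).
my %inputs = (
    benign    => '.',
    injection => 'foo; rm -rf /',    # stopped by the filter under both policies
    oversized => 'A' x 100_000,      # passes the filter; only the length bound stops it
);

for my $label ( sort keys %inputs ) {
    my $cmd = build_command_filtered_only( $inputs{$label} );
    printf "%-9s policy A: %s\n", $label,
        defined $cmd
        ? sprintf( 'would hand a %d-byte command string to system()', length $cmd )
        : 'rejected: metacharacters';
    printf "%-9s policy B: %s\n", $label, run_bounded( $inputs{$label} );
}
```

The "oversized" input is the case the reply describes: it is clean by the injection threat model and still reaches the native code under policy A. Note that the list form is the control for the injection class only; on Win32 the Perl port must still assemble a single command line for CreateProcess, so against an overflow in the native code beneath system() the explicit length bound is the control that matters, and it is the one a metacharacter-only filter omits.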