Date: Wed, 19 May 2004 11:38:11 -0600
From: David Ahmad <da@...urityfocus.com>
To: David Cantrell <david@...trell.org.uk>, bugtraq@...urityfocus.com
Subject: Re: Buffer Overflow in ActivePerl ?


On Wed, May 19, 2004 at 10:00:15AM +0100, David Cantrell wrote:
> [CCed to activestate in case they were unaware of the discussion on
> bugtraq - activestate people, see the archives]
> 
> This isn't really a hole in perl itself, but in the particular build of
> perl compiled and shipped by one particular vendor.  I can not replicate
> this on OpenBSD, Debian Linux, or Solaris.  Nor can I replicate it using
> the version of perl supplied with Cygwin.

Right, just like any system-dependent (i.e. requiring syscalls) 
operation.

While the interface is the same, system() is going to be implemented
differently on different platforms.  Obviously so, since there is
no Windows fork() system call, no exec and no "/bin/sh".
It is up to the developers porting Perl to Win32 (ActiveState) to
implement this (and/or the more primitive operations it depends on)
such that the interface remains consistent.  It seems they have
an overflow somewhere in the native code that system() is built on,
either in the implementation of the function itself (if that is
how it was done) or in the platform-dependent implementation of 
"Create new process" and "Execute command-line" operations and 
whatever else at the system-level that system() depends on, if
system() itself was written in Perl.

> I'd be interested to hear if a similar bug exists in Activestate's build
> of perl for Linux and Solaris, which I didn't try.
> 
> In any case, if an attacker can inject his choice of data into a
> system() function, then all bets are off so this is not something that
> the users should worry too much about.

I disagree here.  I can see a scenario where externally supplied
data is included in a command-line string, except that it has 
been checked for shell metacharacters beforehand.  In that 
situation, the overflow may yet be exploitable while 
traditional system() "injection" attacks are not.

> -- 
> David Cantrell | Benevolent Dictator | http://www.cantrell.org.uk/david
> 
> <davorg> clowns are scary
> <gbjk>   I concur. It's their motivation that worries me.
>     -- in #london.pm

-- 
David Mirza Ahmad
Symantec 

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
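The scenario in the reply above (external data reaches system() after a metacharacter check, yet an overly long command line can still hit a native overflow) as an added Perl example that is not part of the original thread: the wrapper below bounds argument length in addition to filtering characters, and uses the list form of system() so no shell parses the command. MAX_ARG_LEN and the allowed character set are assumptions for illustration, not limits taken from any Perl build.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread or from ActiveState.
# Metacharacter filtering alone says nothing about the length of the
# command line handed to the platform's system() implementation, so a
# length cap is enforced as a separate check, and the list form of
# system() is used so the arguments bypass shell parsing entirely.
use strict;
use warnings;

use constant MAX_ARG_LEN => 255;   # assumed per-argument bound

# Returns (1, '') if $arg may be passed on, or (0, reason) if not.
sub check_arg {
    my ($arg) = @_;
    return (0, 'undefined argument')   unless defined $arg;
    return (0, 'argument too long')    if length($arg) > MAX_ARG_LEN;
    # Conservative allow-list: letters, digits, dot, underscore, slash, dash.
    return (0, 'disallowed character') unless $arg =~ /\A[A-Za-z0-9._\/-]+\z/;
    # A leading dash could be parsed as an option by the called program.
    return (0, 'looks like an option') if $arg =~ /\A-/;
    return (1, '');
}

# Runs $program with @args only if every argument passes check_arg.
sub run_checked {
    my ($program, @args) = @_;
    for my $arg (@args) {
        my ($ok, $why) = check_arg($arg);
        die "refusing to run $program: $why\n" unless $ok;
    }
    # List form: no shell is involved, each element is one argv entry.
    return system($program, @args);
}

# Constructed inputs: neither contains a shell metacharacter, but the
# second is rejected purely on length, which a metacharacter filter
# would have let through.
my @short = check_arg('report-2004.txt');
my @long  = check_arg('A' x 4096);
print "short: ok=$short[0] $short[1]\n";
print "long:  ok=$long[0] $long[1]\n";
```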

