lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: mattmurphy at kc.rr.com (mattmurphy@...rr.com)
Subject: Buffer Overflow in ActivePerl ?

>hi folks,
>
>i played around with ActiveState's ActivePerl for Win32, and crashed 
>Perl.exe with the following command:
>
>perl -e "$a="A" x 256; system($a)"
>
>I wonder if this bug isnt known?!? Because system() is a very common 
>command....
>Can anybody reproduce this?

I discovered this vulnerability independently several days ago, and had
notified ActivePerl's team of several other potential code execution risks
in their software.  In particular, an integer overflow bug also exists in
the famous duplication operator:

$var = "ABCD"x0x40000000;

This buffer overflow is limited in terms of exploitation by two factors. 
One, Windows has no concept of privileged (setuid) code.  So, any
exploitation would almost certainly have to be remote.  Second, the buffer
overflow vulnerability occurs in a set of very limited circumstances.

Specifically, ActivePerl does some cleanup on the first command item passed
-- the filename.  If the file name has no extension, ActivePerl allocates a
heap-based buffer to store the variable, to which it then concatenates
'.exe' to.  For all intents and purposes, this limits exploitation to
anyone able to execute a file of his/her choice via 'system' -- a dangerous
practice anyway!

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .



Powered by blists - more mailing lists