lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: Buffer Overflow in ActivePerl ?

Dear mattmurphy@...rr.com,

Seems not to ve Active Perl specific:

Y:\>perl -e "$a="A" x 256; system($a)"
Exception: STATUS_ACCESS_VIOLATION at eip=610760D4
eax=41004141 ebx=00000000 ecx=0022F748 edx=0022F748 esi=0A052A18 edi=00000000
ebp=0022F730 esp=0022F5C8 program=y:\cygwin\bin\perl.exe
cs=001B ds=0023 es=0023 fs=0038 gs=0000 ss=0023
Stack trace:
Frame     Function  Args
0022F730  610760D4  (41004141, 41004141, 41414141, 00000000)
 118398 [main] perl 3984 handle_exceptions: Exception: STATUS_ACCESS_VIOLATION
 136718 [main] perl 3984 handle_exceptions: Error while dumping state (probably corrupted stack)

Y:\>perl -v

This is perl, v5.6.1 built for cygwin-multi

Copyright 1987-2001, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'.  If you have access to the
Internet, point your browser at http://www.perl.com/, the Perl Home Page.

--Tuesday, May 18, 2004, 1:22:30 AM, you wrote to full-disclosure@...ts.netsys.com:

>>hi folks,
>>
>>i played around with ActiveState's ActivePerl for Win32, and crashed 
>>Perl.exe with the following command:
>>
>>perl -e "$a="A" x 256; system($a)"
>>
>>I wonder if this bug isnt known?!? Because system() is a very common 
>>command....
>>Can anybody reproduce this?

mkrc> I discovered this vulnerability independently several days ago, and had
mkrc> notified ActivePerl's team of several other potential code execution risks
mkrc> in their software.  In particular, an integer overflow bug also exists in
mkrc> the famous duplication operator:

mkrc> $var = "ABCD"x0x40000000;

mkrc> This buffer overflow is limited in terms of exploitation by two factors.
mkrc> One, Windows has no concept of privileged (setuid) code.  So, any
mkrc> exploitation would almost certainly have to be remote.  Second, the buffer
mkrc> overflow vulnerability occurs in a set of very limited circumstances.

mkrc> Specifically, ActivePerl does some cleanup on the first command item passed
mkrc> -- the filename.  If the file name has no extension, ActivePerl allocates a
mkrc> heap-based buffer to store the variable, to which it then concatenates
mkrc> '.exe' to.  For all intents and purposes, this limits exploitation to
mkrc> anyone able to execute a file of his/her choice via 'system' -- a dangerous
mkrc> practice anyway!

mkrc> --------------------------------------------------------------------
mkrc> mail2web - Check your email from the web at
mkrc> http://mail2web.com/ .


mkrc> _______________________________________________
mkrc> Full-Disclosure - We believe in it.
mkrc> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~/ZARAZA
?? ???? ???? ?????? ????? ?????? ? ?????? ????, ????? ? ????????. (???)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ