Message-ID: <40AA1801.6000203@bigfoot.com>
From: igetspam at bigfoot.com (Frederic Krueger)
Subject: Re: Buffer Overflow in ActivePerl?

Hi..

Volker Tanger wrote:

>Your command line parameters for perl.exe are probably:
>	1.)	-e
>	2.)	"$a="
>	3.)	A
>	4.)	" x 256; system($a)"
>
>Thus are you sure you get $A set with 256 "A"s?
>  
>
In short: He doesn't.. Perl will just issue a syntax error ;)

Besides:
The info on the 
http://www.oliverkarow.de/research/ActivePerlSystemBOF.txt makes me 
think it's more of a kernel32.dll bug than a perl bug, especially if you 
look at part of the dump (notice the stack position? ;)):

ChildEBP RetAddr  Args to Child              
0140fc08 77c2ab2e 00220000 00000000 0182adc8 ntdll!RtlFreeHeap+0x3a1
0140fc50 280834b3 0182adc8 ffffffff 00223c48 MSVCRT!free+0xc3
0140fd3c 2808aaa1 00000000 01828764 0182add4 perl58!Perl_my_socketpair+0xed8
0140fd64 2808a9d8 01828764 0182864c 00000002 perl58!Perl_do_spawn+0xd8
0140fd9c 2805d784 00226678 00224064 28024499 perl58!Perl_do_spawn+0xf
0140fe24 280862de 00224064 77f944a8 00000007 perl58!Perl_runops_standard+0xc
0140ff3c 00401012 00000003 00223c10 00222bc8 perl58!RunPerl+0x86
0140ffc0 77e814c7 77f944a8 00000007 7ffdf000 perl+0x1012
0140fff0 00000000 00401016 00000000 00000000 kernel32!GetCurrentDirectoryW+0x44

*----> Raw Stack Dump <----*
000000000140fb4c  88 3f 22 00 c8 ad 82 01 - 00 00 00 00 41 00 41 00  .?".........A.A.
000000000140fb5c  41 00 41 00 41 00 41 00 - 41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

...

But then I've never really used the Windows Debugger (or done any Windows 
debugging at all for that matter)..
It just looks like kernel32 is having the hiccup here..
And no, I'm not complaining that he isn't even stating the ActivePerl 
version that supposedly allowed passing the full string to the 
kernel32-getcurdir function..

Besides (as stated elsewhere here): It's not crashing on Win2K SP3 
german edition, ActivePerl 5.8.x [x=1..4] .

Bye,
Frederic

