[NT] Perl win32_stat Function Buffer Overflow Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 04/07/04
To: list@securiteam.com Date: 7 Apr 2004 11:02:19 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Perl win32_stat Function Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
Perl is "a popular programming language due to its text manipulation
capabilities and rapid development cycle. It is open source, cross
platform and used for mission critical projects in the public and private
sector". Remote exploitation of a buffer overflow in the 'win32_stat'
function of ActiveState's ActivePerl and Larry Wall's Perl could allow for
the execution of arbitrary commands.
DETAILS
Vulnerable Systems:
* All versions of Perl for Win32 operating systems up to and including
5.8.3
Immune Systems:
* All versions of Perl for Win32 operating systems from 5.8.4 and up
If the filename passed to the function ends with a backslash character, it
is copied into a fixed length buffer. No check is made on the length of
the string before the copy, so an excessively long string can overwrite
control information and allow execution of arbitrary code.
The problem specifically exists within the win32 wrapper to the stat()
routine and hence the Unix builds of Perl are not affected.
Analysis:
The 'win32_stat' function is a wrapper around the 'stat' function and the
file test operators ('-r', '-w', '-e', '-d', etc.) on Win32 based platforms.
If a web site contains a Perl script that uses any of these functions with
user supplied pathnames, it may be possible to remotely execute commands.
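The advisory describes an unchecked copy into a fixed-length buffer when the path ends in a separator. The following is an added example (not Perl's win32.c, whose names and buffer sizes are not given here) of the bounds-checked form of that pattern: the trailing separator is still stripped, but the copy is refused when the input would not fit. The buffer size and the assumption that the copy exists to drop a trailing separator are mine, not the advisory's.

```c
/* Added example: a bounds-checked "strip trailing separator before
 * stat()" helper.  This is NOT Perl's source; names and sizes are
 * assumptions made for illustration. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define WIN_PATH_MAX 260   /* assumed fixed buffer size, like MAX_PATH */

/* Copy `path` into `out` (capacity `outsz`), dropping one trailing
 * '\\' or '/' unless it follows a drive colon ("C:\").  Returns 0 on
 * success and -1 if the input would not fit.  The vulnerable pattern
 * the advisory describes omitted this length test and copied straight
 * into a fixed stack buffer. */
int strip_trailing_sep(const char *path, char *out, size_t outsz)
{
    size_t l = strlen(path);
    if (outsz == 0 || l >= outsz)        /* must leave room for the NUL */
        return -1;
    memcpy(out, path, l + 1);            /* includes terminating NUL */
    if (l > 1 && (out[l - 1] == '\\' || out[l - 1] == '/')
              && out[l - 2] != ':')
        out[l - 1] = '\0';
    return 0;
}

/* stat() wrapper that normalises the path in a fixed stack buffer the
 * way a Win32 stat shim might, but fails closed on oversized input. */
int safe_stat(const char *path, struct stat *st)
{
    char buffer[WIN_PATH_MAX + 1];
    if (strip_trailing_sep(path, buffer, sizeof buffer) != 0)
        return -1;                       /* treat like ENAMETOOLONG */
    return stat(buffer, st);
}

int main(void)
{
    char out[WIN_PATH_MAX + 1];
    char longpath[WIN_PATH_MAX + 64];    /* constructed overlong input */
    memset(longpath, 'A', sizeof longpath - 2);
    longpath[sizeof longpath - 2] = '\\';
    longpath[sizeof longpath - 1] = '\0';
    printf("%d %s\n", strip_trailing_sep("C:\\temp\\", out, sizeof out), out);
    printf("%d\n", strip_trailing_sep(longpath, out, sizeof out));
    return 0;
}
```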
Solution:
The fix will be incorporated into core Perl 5.8.4. Patches are currently
available at the following locations:
Committed to the Perl 5.9.x development branch:
http://public.activestate.com/cgi-bin/perlbrowse?patch=22466
Integrated into Perl 5.8.x maintenance branch as part of:
http://public.activestate.com/cgi-bin/perlbrowse?patch=22552
Disclosure Timeline:
January 09, 2004 - Vulnerability discovered by iDEFENSE
February 25, 2004 - Initial vendor contact
February 26, 2004 - iDEFENSE clients notified
February 26, 2004 - Vendor response
April 05, 2004 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by Greg MacManus (iDEFENSE Labs).
The original article can be found at:
http://www.idefense.com/application/poi/display?id=93&type=vulnerabilities&flashstatus=false
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.