[Full-Disclosure] iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function Buffer Overflow Vulnerability

idlabs-advisories_at_idefense.com
Date: 04/05/04

    To: <idlabs-advisories@idefense.com>
    Date: Mon, 5 Apr 2004 12:05:12 -0400
    
    

    Perl win32_stat Function Buffer Overflow Vulnerability

    iDEFENSE Security Advisory 04.05.04
    www.idefense.com/application/poi/display?id=93&type=vulnerabilities
    April 5, 2004

    I. BACKGROUND

    Perl is a popular programming language due to its text manipulation
    capabilities and rapid development cycle. It is open source, cross
    platform and used for mission critical projects in the public and
    private sector.

    II. DESCRIPTION

    Remote exploitation of a buffer overflow in the 'win32_stat' function of
    ActiveState's ActivePerl and Larry Wall's Perl could allow the execution
    of arbitrary commands.

    If the filename passed to the function ends with a backslash character,
    it is copied into a fixed-length buffer. No check is made on the length
    of the string before the copy, so an excessively long string writes past
    the end of the buffer and overwrites control information, allowing
    execution of arbitrary code.

    The problem exists specifically within the Win32 wrapper to the stat()
    routine; Unix builds of Perl are therefore not affected.

    III. ANALYSIS

    On Win32 platforms the 'win32_stat' function is the wrapper that Perl's
    'stat' function and its file test operators ('-r', '-w', '-e', '-d',
    etc.) call to reach the underlying stat() routine.

    If a web site contains a Perl script that uses any of these operations
    with user-supplied pathnames, it may be possible to remotely execute
    commands. The trigger requires a pathname that ends in a backslash and
    is longer than the fixed buffer, so rejecting overlong or
    backslash-terminated user input before it reaches a file test or stat()
    call is a reasonable interim mitigation on builds that cannot yet be
    patched.
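    The trailing-backslash copy described in sections II and III, as an added
    C model written for this page. It is not Perl's win32.c source and not part
    of the iDEFENSE advisory: the buffer size of MAX_PATH+1 bytes (MAX_PATH is
    260 on Windows) and the copy-then-rewrite-separator sequence are
    assumptions about the shape of the code, derived from the description
    above, and the sample paths are constructed. The vulnerable shape is
    modelled by reporting how far an unchecked copy would run past the buffer
    rather than by actually corrupting the stack; the hardened function beside
    it performs the length check the advisory says was missing.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Windows defines MAX_PATH as 260; hard-coded so the model builds anywhere. */
#define MODEL_MAX_PATH 260

/*
 * Vulnerable shape (model only, an assumption about the real code): when the
 * path ends in '\\', the wrapper copies it into a fixed buffer[MAX_PATH+1] so
 * it can rewrite the trailing '\\' into '/' before calling stat(). Nothing
 * compares strlen(path) against the buffer size first.
 *
 * Instead of smashing the stack, report how many bytes that unchecked copy
 * would write past the end of the buffer (0 means the copy fits).
 */
size_t trailing_backslash_overflow(const char *path)
{
    size_t l = strlen(path);
    const size_t bufsize = MODEL_MAX_PATH + 1;

    if (l < 2 || path[l - 1] != '\\')
        return 0;                       /* fixed-buffer code path not taken */

    size_t needed = l + 1;              /* l bytes (last one rewritten) + NUL */
    return needed > bufsize ? needed - bufsize : 0;
}

/*
 * Hardened rewrite: the same transformation with a length check before any
 * byte is copied. Returns 0 on success, -1 with errno = ENAMETOOLONG when the
 * path cannot fit in `out`.
 */
int rewrite_trailing_backslash(const char *path, char *out, size_t outsize)
{
    size_t l = strlen(path);

    if (l + 1 > outsize) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, path, l + 1);           /* includes the terminating NUL */
    if (l > 1 && out[l - 1] == '\\')
        out[l - 1] = '/';
    return 0;
}

/* Constructed attacker-style input: n 'A's followed by a single '\\'. */
static char *make_long_path(size_t n)
{
    char *p = malloc(n + 2);
    if (!p)
        return NULL;
    memset(p, 'A', n);
    p[n] = '\\';
    p[n + 1] = '\0';
    return p;
}

/* Overflow the vulnerable model would produce for make_long_path(n). */
size_t overflow_for_length(size_t n)
{
    char *p = make_long_path(n);
    if (!p)
        return 0;
    size_t over = trailing_backslash_overflow(p);
    free(p);
    return over;
}

/* Result of the hardened rewrite for make_long_path(n): 0 accepted, -1 rejected. */
int hardened_result_for_length(size_t n)
{
    char out[MODEL_MAX_PATH + 1];
    char *p = make_long_path(n);
    if (!p)
        return -1;
    int rc = rewrite_trailing_backslash(p, out, sizeof out);
    free(p);
    return rc;
}

/* 1 if the hardened rewrite accepts `path` and produces exactly `expected`. */
int rewrite_check(const char *path, const char *expected)
{
    char out[MODEL_MAX_PATH + 1];
    if (rewrite_trailing_backslash(path, out, sizeof out) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    const char *benign = "C:\\Windows\\";       /* constructed sample input */

    printf("benign path:   %zu bytes past buffer\n", trailing_backslash_overflow(benign));
    printf("300-char path: %zu bytes past buffer\n", overflow_for_length(300));
    printf("hardened rewrite of 300-char path: %d (errno %d)\n",
           hardened_result_for_length(300), errno);
    printf("hardened rewrite of benign path:   %s\n",
           rewrite_check(benign, "C:\\Windows/") ? "C:\\Windows/" : "rejected");
    return 0;
}
```

    The check in the hardened version sits before the copy, not after it, and
    fails closed with ENAMETOOLONG, which is what a caller of stat() already
    expects to handle; a script-level filter that rejects pathnames longer than
    MAX_PATH or ending in a backslash gives the same protection on an unpatched
    interpreter.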

    IV. DETECTION

    All versions of Perl for Win32 operating systems, including ActivePerl,
    up to and including 5.8.3 are affected.

    V. VENDOR RESPONSE

    The fix will be incorporated into core Perl 5.8.4. Patches are currently
    available at the following locations:

    Committed to the Perl 5.9.x development branch:

       http://public.activestate.com/cgi-bin/perlbrowse?patch=22466

    Integrated into Perl 5.8.x maintenance branch as part of:

       http://public.activestate.com/cgi-bin/perlbrowse?patch=22552

    VI. CVE INFORMATION

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2004-0377 to this issue. This is a candidate for inclusion in
    the CVE list (http://cve.mitre.org), which standardizes names for
    security problems.

    VII. DISCLOSURE TIMELINE

    January 09, 2004 Vulnerability discovered by iDEFENSE
    February 25, 2004 Initial vendor contact
    February 26, 2004 iDEFENSE clients notified
    February 26, 2004 Vendor response
    April 05, 2004 Public disclosure

    VIII. CREDIT

    Greg MacManus (iDEFENSE Labs) is credited with this discovery.

    Get paid for vulnerability research
    http://www.idefense.com/poi/teams/vcp.jsp

    IX. LEGAL NOTICES

    Copyright (c) 2004 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
