[Orlando-pm] iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function Buffer Overflow Vulnerability

Kevin P. Inscoe kevin at inscoe.org
Mon Apr 5 15:52:01 CDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -------- Original Message --------
> Subject: [Full-Disclosure] iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function Buffer Overflow Vulnerability
> Date: Mon, 5 Apr 2004 12:05:12 -0400
> From: idlabs-advisories at idefense.com
> Reply-To: customerservice at idefense.com
> To: <idlabs-advisories at idefense.com>
> 
> Perl win32_stat Function Buffer Overflow Vulnerability
> 
> iDEFENSE Security Advisory 04.05.04
> www.idefense.com/application/poi/display?id=93&type=vulnerabilities
> April 5, 2004
> 
> I. BACKGROUND
> 
> Perl is a popular programming language due to its text manipulation
> capabilities and rapid development cycle. It is open source, cross
> platform and used for mission critical projects in the public and
> private sector.
> 
> II. DESCRIPTION
> 
> Remote exploitation of a buffer overflow in the 'win32_stat' function of
> ActiveState's ActivePerl and Larry Wall's Perl could allow for the
> execution of arbitrary commands.
> 
> If the filename passed to the function ends with a backslash character,
> it is copied into a fixed length buffer. There is no check made on the
> length of the string before the copy, allowing an excessively long
> string to overwrite control information, allowing execution of arbitrary
> code.
> 
> The problem specifically exists within the win32 wrapper to the stat()
> routine and hence the Unix builds of Perl are not affected.
> 
> III. ANALYSIS
> 
> The 'win32_stat' function is a wrapper around the 'stat' function and
> the file test operators ('-r', '-w', '-e', '-d' etc) on Win32 based
> platforms.
> 
> If a web site contains a Perl script that uses any of these functions
> with user supplied pathnames, it may be possible to remotely execute
> commands.
> 
> IV. DETECTION
> 
> All versions of Perl for Win32 operating systems up to and including
> 5.8.3 are affected.
> 
> V. VENDOR RESPONSE
> 
> The fix will be incorporated into core Perl 5.8.4. Patches are currently
> available at the following locations:
> 
> Committed to the Perl 5.9.x development branch:
> 
>    http://public.activestate.com/cgi-bin/perlbrowse?patch=22466
> 
> Integrated into Perl 5.8.x maintenance branch as part of:
> 
>    http://public.activestate.com/cgi-bin/perlbrowse?patch=22552
> 
> VI. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CAN-2004-0377 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
> 
> VII. DISCLOSURE TIMELINE
> 
> January 09, 2004     Vulnerability discovered by iDEFENSE
> February 25, 2004    Initial vendor contact
> February 26, 2004    iDEFENSE clients notified
> February 26, 2004    Vendor response
> April 05, 2004       Public disclosure
> 
> VIII. CREDIT
> 
> Greg MacManus (iDEFENSE Labs) is credited with this discovery.
> 
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
> 
> IX. LEGAL NOTICES
> 
> Copyright (c) 2004 iDEFENSE, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDEFENSE. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice at idefense.com for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


- -- 
Kevin P. Inscoe                       Amateur Radio Call Sign: KE3VIN
Deltona, FL 32738                         Position: 28.9002N 81.2419W
kevin [at] inscoe [dot] org            http://www.kevininscoe.com/sig
GPG Fingerprint:    488B B0EE 06EB 8CBA 888E 0E6E 3379 0D43 6128 8D53

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-nr1 (Windows XP)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQFAccbxM3kNQ2EojVMRAosJAKCEvg3nXxFaNDnynF6gU4k8X04XywCfThwE
82l0YVRu9Xgg/k3m/iCrg+I=
=Z9kz
-----END PGP SIGNATURE-----
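As an added illustration (not code from the advisory, from Perl's win32.c, or from the poster), the C sketch below reconstructs the class of defect the advisory describes: a pathname that ends in a backslash is copied into a fixed-length buffer so the trailing separator can be dropped, and the copy is made without first comparing the string length to the buffer size. The function names, the 260-byte buffer size and the normalisation rule are assumptions made for the example; the hardened form is the one exercised, and it rejects an over-long path before any byte is copied.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed fixed buffer size; stands in for the MAX_PATH-sized buffer the
 * advisory refers to. */
#define PATH_BUF 260

/* Vulnerable pattern (the defect the advisory describes): a path ending in
 * a backslash is copied into 'out' so the trailing separator can be
 * dropped, but nothing compares the path length with the buffer size.
 * It is only ever called with short input here, because an over-long
 * path would overrun 'out' and whatever lies beyond it. */
static int strip_backslash_unchecked(const char *path, char *out)
{
    size_t len = strlen(path);
    if (len > 1 && path[len - 1] == '\\') {
        strcpy(out, path);          /* unbounded copy: the bug */
        out[len - 1] = '\0';
        return 1;                   /* separator stripped */
    }
    return 0;                       /* left untouched */
}

/* Hardened form: verify that the path plus its terminator fits before any
 * byte is copied, then copy with an explicit length.
 * Returns -1 (rejected), 1 (trailing backslash stripped) or 0 (copied as is). */
static int strip_backslash_checked(const char *path, char *out, size_t outsz)
{
    size_t len = strlen(path);
    if (outsz == 0 || len >= outsz)
        return -1;                  /* would not fit: refuse, do not copy */
    if (len > 1 && path[len - 1] == '\\') {
        memcpy(out, path, len - 1);
        out[len - 1] = '\0';
        return 1;
    }
    memcpy(out, path, len + 1);
    return 0;
}

/* Constructed sample input for the demonstration. */
static const char *short_path = "C:\\temp\\";

/* Returns 1 when an ordinary path is normalised as expected. */
static int demo_short_path(void)
{
    char buf[PATH_BUF];
    int rc = strip_backslash_checked(short_path, buf, sizeof buf);
    return rc == 1 && strcmp(buf, "C:\\temp") == 0;
}

/* Returns 1 when a constructed 600-byte path with a trailing backslash is
 * rejected instead of being copied into the 260-byte buffer. */
static int demo_long_path(void)
{
    char longpath[601];
    char buf[PATH_BUF];
    memset(longpath, 'A', 599);
    longpath[599] = '\\';
    longpath[600] = '\0';
    return strip_backslash_checked(longpath, buf, sizeof buf) == -1;
}

int main(void)
{
    char buf[PATH_BUF];
    strip_backslash_unchecked(short_path, buf);  /* safe only because the input is short */
    printf("unchecked on short input: %s\n", buf);
    printf("checked, short path normalised: %d\n", demo_short_path());
    printf("checked, long path rejected:    %d\n", demo_long_path());
    return 0;
}
```

The same bound applies one layer up: a CGI script that hands a user-supplied pathname to stat() or the file test operators on an affected Perl build can only be protected by the interpreter fix, so the practical mitigation is to update to a patched Perl and, as defence in depth, to reject pathnames from untrusted input that exceed a sane length or contain separators the application never expects.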
