From kevin at inscoe.org Mon Apr 5 15:52:01 2004
From: kevin at inscoe.org (Kevin P. Inscoe)
Date: Mon Aug 2 21:34:01 2004
Subject: [Orlando-pm] iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function Buffer Overflow Vulnerability
Message-ID: <4071C6F1.5040909@inscoe.org>

> -------- Original Message --------
> Subject: [Full-Disclosure] iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function Buffer Overflow Vulnerability
> Date: Mon, 5 Apr 2004 12:05:12 -0400
> From: idlabs-advisories@idefense.com
> Reply-To: customerservice@idefense.com
> To:
>
> Perl win32_stat Function Buffer Overflow Vulnerability
>
> iDEFENSE Security Advisory 04.05.04
> www.idefense.com/application/poi/display?id=93&type=vulnerabilities
> April 5, 2004
>
> I. BACKGROUND
>
> Perl is a popular programming language due to its text manipulation
> capabilities and rapid development cycle. It is open source, cross
> platform and used for mission critical projects in the public and
> private sector.
>
> II. DESCRIPTION
>
> Remote exploitation of a buffer overflow in the 'win32_stat' function of
> ActiveState's ActivePerl and Larry Wall's Perl could allow for the
> execution of arbitrary commands.
>
> If the filename passed to the function ends with a backslash character,
> it is copied into a fixed length buffer. There is no check made on the
> length of the string before the copy, allowing an excessively long
> string to overwrite control information, allowing execution of arbitrary
> code.
>
> The problem specifically exists within the win32 wrapper to the stat()
> routine and hence the Unix builds of Perl are not affected.
>
> III. ANALYSIS
>
> The 'win32_stat' function is a wrapper around the 'stat' function and
> the file test operators ('-r', '-w', '-e', '-d' etc) on Win32 based
> platforms.
>
> If a web site contains a Perl script that uses any of these functions
> with user supplied pathnames, it may be possible to remotely execute
> commands.
>
> IV. DETECTION
>
> All versions of Perl for Win32 operating systems up to and including
> 5.8.3 are affected.
>
> V. VENDOR RESPONSE
>
> The fix will be incorporated into core Perl 5.8.4. Patches are currently
> available at the following locations:
>
> Committed to the Perl 5.9.x development branch:
>
> http://public.activestate.com/cgi-bin/perlbrowse?patch=22466
>
> Integrated into Perl 5.8.x maintenance branch as part of:
>
> http://public.activestate.com/cgi-bin/perlbrowse?patch=22552
>
> VI. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CAN-2004-0377 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
>
> VII. DISCLOSURE TIMELINE
>
> January 09, 2004   Vulnerability discovered by iDEFENSE
> February 25, 2004  Initial vendor contact
> February 26, 2004  iDEFENSE clients notified
> February 26, 2004  Vendor response
> April 05, 2004     Public disclosure
>
> VIII. CREDIT
>
> Greg MacManus (iDEFENSE Labs) is credited with this discovery.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> IX. LEGAL NOTICES
>
> Copyright (c) 2004 iDEFENSE, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDEFENSE. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice@idefense.com for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
Kevin P. Inscoe
Amateur Radio Call Sign: KE3VIN
Deltona, FL 32738
Position: 28.9002N 81.2419W
kevin [at] inscoe [dot] org
http://www.kevininscoe.com/sig
GPG Fingerprint: 488B B0EE 06EB 8CBA 888E 0E6E 3379 0D43 6128 8D53

From chris at prather.org Mon Apr 12 13:31:38 2004
From: chris at prather.org (Chris Prather)
Date: Mon Aug 2 21:34:01 2004
Subject: [Orlando-pm] Next Meeting
Message-ID: <200404121431.38556.chris@prather.org>

So while I won't be able to attend the next meeting, there should be some
discussion as to when/where it will be. Any suggestions (seeing as half of
April is already gone)?

-Chris

From perigrin at prather.org Fri Apr 16 10:23:45 2004
From: perigrin at prather.org (perigrin@prather.org)
Date: Mon Aug 2 21:34:01 2004
Subject: [Orlando-pm] And now a word from our sponsors ...
Message-ID: <200404161123.45448.>

According to Dave Cross, Addison Wesley/Prentice Hall is offering a deal to
User Group members who purchase books online through their website. The
details are in a PDF file at http://www.pm.org/AW-UGcoupon.pdf, but basically
there are discount codes that you enter into the order form on their site.
(Dave Cross)

The new Perl Medic is supposed to be very good.

-Chris
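The length check that the forwarded iDEFENSE advisory earlier in this thread says win32_stat lacked, shown as an added example in C that is not Perl's win32.c and not code from any post above: a constructed stat() wrapper that rewrites a trailing backslash into a fixed-size buffer and refuses paths that do not fit instead of copying them (the buffer size WRAP_MAX_PATH, the function names and the ENAMETOOLONG return are assumptions for illustration).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for a Win32 stat() wrapper's path buffer. This is
 * not Perl's win32.c; the size and function names are assumptions. */
#define WRAP_MAX_PATH 260

/* Copy `path` into `out` (capacity `outsz`), turning a trailing backslash
 * into a forward slash as a Win32 stat() wrapper might. The length is
 * checked BEFORE any byte is written, which is the check the advisory says
 * the vulnerable code lacked. Returns 0, or -1 with errno = ENAMETOOLONG. */
int normalize_trailing_backslash(const char *path, char *out, size_t outsz)
{
    size_t l = strlen(path);
    if (l + 1 > outsz) {            /* must leave room for the NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, path, l + 1);
    if (l > 1 && out[l - 1] == '\\')
        out[l - 1] = '/';
    return 0;
}

/* Wrapper with a fixed-size stack buffer, the shape the advisory describes.
 * An over-long path is refused; otherwise the normalised path is returned. */
int safe_stat_path(const char *path, char *normalized, size_t outsz)
{
    char buffer[WRAP_MAX_PATH + 1];
    if (normalize_trailing_backslash(path, buffer, sizeof buffer) != 0)
        return -1;
    /* A real wrapper would call stat(buffer, sbuf) here. */
    snprintf(normalized, outsz, "%s", buffer);
    return 0;
}

int main(void)
{
    char out[WRAP_MAX_PATH + 1];
    char longpath[WRAP_MAX_PATH + 100];   /* constructed: longer than buffer */
    memset(longpath, 'A', sizeof longpath - 2);
    longpath[sizeof longpath - 2] = '\\';
    longpath[sizeof longpath - 1] = '\0';
    int rc = safe_stat_path("C:\\temp\\", out, sizeof out);
    printf("short: rc=%d -> %s\n", rc, out);
    rc = safe_stat_path(longpath, out, sizeof out);
    printf("long:  rc=%d errno=%d\n", rc, errno);
    return 0;
}
```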