[Orlando-pm] iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function Buffer Overflow Vulnerability
Kevin P. Inscoe
kevin at inscoe.org
Mon Apr 5 15:52:01 CDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> -------- Original Message --------
> Subject: [Full-Disclosure] iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function Buffer Overflow Vulnerability
> Date: Mon, 5 Apr 2004 12:05:12 -0400
> From: idlabs-advisories at idefense.com
> Reply-To: customerservice at idefense.com
> To: <idlabs-advisories at idefense.com>
>
> Perl win32_stat Function Buffer Overflow Vulnerability
>
> iDEFENSE Security Advisory 04.05.04
> www.idefense.com/application/poi/display?id=93&type=vulnerabilities
> April 5, 2004
>
> I. BACKGROUND
>
> Perl is a popular programming language due to its text manipulation
> capabilities and rapid development cycle. It is open source, cross
> platform and used for mission critical projects in the public and
> private sector.
>
> II. DESCRIPTION
>
> Remote exploitation of a buffer overflow in the 'win32_stat' function of
> ActiveState's ActivePerl and Larry Wall's Perl could allow for the
> execution of arbitrary commands.
>
> If the filename passed to the function ends with a backslash character,
> it is copied into a fixed length buffer. There is no check made on the
> length of the string before the copy, allowing an excessively long
> string to overwrite control information, allowing execution of arbitrary
> code.
>
> The problem specifically exists within the win32 wrapper to the stat()
> routine and hence the Unix builds of Perl are not affected.
>
> III. ANALYSIS
>
> The 'win32_stat' function is a wrapper around the 'stat' function and
> the file test operators ('-r', '-w', '-e', '-d', etc.) on Win32 based
> platforms.
>
> If a web site contains a Perl script that uses any of these functions
> with user supplied pathnames, it may be possible to remotely execute
> commands.
>
> IV. DETECTION
>
> All versions of Perl for Win32 operating systems up to and including
> 5.8.3 are affected.
>
> V. VENDOR RESPONSE
>
> The fix will be incorporated into core Perl 5.8.4. Patches are currently
> available at the following locations:
>
> Committed to the Perl 5.9.x development branch:
>
> http://public.activestate.com/cgi-bin/perlbrowse?patch=22466
>
> Integrated into Perl 5.8.x maintenance branch as part of:
>
> http://public.activestate.com/cgi-bin/perlbrowse?patch=22552
>
> VI. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CAN-2004-0377 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
>
> VII. DISCLOSURE TIMELINE
>
> January 09, 2004 Vulnerability discovered by iDEFENSE
> February 25, 2004 Initial vendor contact
> February 26, 2004 iDEFENSE clients notified
> February 26, 2004 Vendor response
> April 05, 2004 Public disclosure
>
> VIII. CREDIT
>
> Greg MacManus (iDEFENSE Labs) is credited with this discovery.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> IX. LEGAL NOTICES
>
> Copyright (c) 2004 iDEFENSE, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDEFENSE. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice at idefense.com for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
- --
Kevin P. Inscoe Amateur Radio Call Sign: KE3VIN
Deltona, FL 32738 Position: 28.9002N 81.2419W
kevin [at] inscoe [dot] org http://www.kevininscoe.com/sig
GPG Fingerprint: 488B B0EE 06EB 8CBA 888E 0E6E 3379 0D43 6128 8D53
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-nr1 (Windows XP)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org
iD8DBQFAccbxM3kNQ2EojVMRAosJAKCEvg3nXxFaNDnynF6gU4k8X04XywCfThwE
82l0YVRu9Xgg/k3m/iCrg+I=
=Z9kz
-----END PGP SIGNATURE-----
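The advisory's section III is the part a Perl developer on Win32 can act on directly: a script that passes user-supplied pathnames to stat() or the file test operators is exposed. The following Perl is an added example, not code from iDEFENSE, from the Perl project, or from the forwarded message; it contrasts the unsafe pattern (file test on raw input) with a validating wrapper that enforces a length bound and a strict character allow-list before the name ever reaches the win32_stat wrapper, which rejects the trailing backslash and the excessive length the advisory describes. The document root, the length bound and the function names are assumptions chosen for the example.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or the Perl project): validating a
# user-supplied filename before it reaches stat()/file tests on Win32 Perl.
use strict;
use warnings;
use File::Spec;

# Assumed document root and length bound; adjust for the deployment.
my $DOC_ROOT = 'C:\\inetpub\\wwwroot\\files';
my $MAX_NAME = 200;

# Unsafe pattern the advisory warns about: a file test applied to raw
# user input, so the length and the trailing character are unchecked.
sub unsafe_exists {
    my ($name) = @_;
    return -e $name;
}

# Validating wrapper: returns (absolute_path, undef) on success or
# (undef, reason) on rejection. Checks are ordered so the cheap length
# bound runs before any pattern match.
sub safe_path {
    my ($user_input) = @_;
    return (undef, 'empty')    unless defined $user_input && length $user_input;
    return (undef, 'too long') if length $user_input > $MAX_NAME;
    # Allow exactly one plain path component: no slashes, no backslashes,
    # no NUL bytes, no drive letters, and no leading dot (so no "..").
    return (undef, 'bad characters')
        unless $user_input =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    # Explicit guard for the case named in the advisory; already excluded
    # by the allow-list above but kept visible for reviewers.
    return (undef, 'trailing separator') if $user_input =~ /[\\\/]\z/;
    return (File::Spec->catfile($DOC_ROOT, $user_input), undef);
}

# Safe pattern: validate first, then apply the file test to the result.
sub safe_exists {
    my ($name) = @_;
    my ($path, $err) = safe_path($name);
    die "rejected filename: $err\n" unless defined $path;
    return -e $path;
}

# Constructed inputs for demonstration: a normal name, an over-long name
# ending in a backslash, a traversal attempt, and a short name ending in
# a backslash. Only the first one reaches -e.
my @inputs = ('report.txt', ('x' x 5000) . '\\', "..\\..\\boot.ini", "file\\");
for my $input (@inputs) {
    my ($path, $err) = safe_path($input);
    printf "%-20s => %s\n", substr($input, 0, 20),
        defined $path ? "ok ($path)" : "rejected: $err";
}
```

The allow-list approach is deliberate: rather than trying to strip the specific trailing backslash, the wrapper accepts only a single benign path component and joins it to a fixed directory with File::Spec, so the string handed to the file test operator is both bounded in length and free of separators regardless of what the client sent. Patching Perl itself (the 5.8.4 fix referenced in section V) remains the actual remedy; this validation is the layer a script author controls.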