OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Steve (stevesecuresolutions.org)
Date: Thu Nov 15 2001 - 17:13:14 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    NSFOCUS Security Advisory(SA2001-07)

    Topic: ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability

    Release Date: 2001-11-15

    CVE CAN ID : CAN-2001-0815
    BUGTRAQ ID : 3526

    Affected system:
    ================

    Activestate ActivePerl 5.6.1.629 and earlier versions
     - Microsoft IIS 4.0
     - Microsoft IIS 5.0

    Not affected system:
    ====================

    Activestate ActivePerl 5.6.1.630
     - Microsoft IIS 4.0
     - Microsoft IIS 5.0

    Impact:
    =========

    NSFOCUS Security Team has found a exploited buffer overflow
    vulnerability in
    a dynamic link library (perlIS.dll) of ActivePerl when handling overlong

    filename. Exploit of it, an attacker could remotely execute arbitrary
    code.

    Description:
    ============

    ActivePerl is a binary package of perl for Linux, Solaris or Windows
    system
    developed by ActiveState. ActivePerl for windows has a dynamic link
    library,
    perlIS.dll, which is a ISAPI extension to provide high-performance perl
    interface for Microsoft IIS server.

    PerlIS.dl was discovered to handle perl script request sent by user
    without
    correct length check of the URL. In case that an attacker send an
    overlong URL
    request, PerlIS would call strcpy() and copy it to a stack buffer, which
    would
    trigger a buffer overflow. Attacker could overwrite some sensitive data
    in the stack like returned address. With well-crafted URL request, the
    attacker might
    be able to execute arbitrary code remotely.

    Exploiting this vulnerability successfully, an attack might access
    IWAM_machinename account in IIS 5.0 and Local SYSTEM privilege in IIS 4.
    0.

    Exploit:
    ==========

    $ lynx http://host/cgi-bin/`perl -e 'print "A" x 360'`.pl

    The remote procedure call failed.

    Workaround:
    ===================

    Edit "perlIS.dll" ISAPI extension in Internet Service Manager and check
    "Check
    that file exists" option.

    Vendor Status:
    ==============

    2001.10.15 We reported this vulnerability to ActiveState. 2001.10.23
    ActiveState informed that the vulnerability has been eliminated in
                build 630.

    Latest version of ActivePerl is available at

    http://www.activestate.com/Products/ActivePerl/download.plex

    Additional Information:
    ========================

    The Common Vulnerabilities and Exposures (CVE) project has
    assigned the name CAN-2001-0815 to this issue. This is a
    candidate for inclusion in the CVE list (http://cve.mitre.org), which
    standardizes names for security problems. Candidates
    may change significantly before they become official CVE entries.

    DISCLAIMS:
    ==========
    THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
    OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR
    IMPLIED,
    EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS
    BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
    INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
    EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE
    ADVISORY IS NOT MODIFIED IN ANY WAY.

    Copyright 1999-2001 NSFOCUS. All Rights Reserved. Terms of use.

    NSFOCUS Security Team <securitynsfocus.com>
    NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
    (http://www.nsfocus.com)