Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability
From: Indigo <indig0 () talk21 com>
Date: 27 Nov 2001 05:23:18 -0000


In-Reply-To: <20011123042207.11342.qmail () mail securityfocus com>

Having reinstalled Activestate PERL 5.6.1.629 and IIS 
from scratch I agree that the default setings do not 
allow you to exploit the overflow. You must 
uncheck 'check file exists'. I have not checked any 
earlier versions though.

In the instructions for installing the PerlIIS ISAPI 
extension it suggests replacing the mappings for 
both .pl and .plx with PerlIIS.dll.

If anyone wants to test 'jack.c' with .plx instead of .pl 
all they need to do is change the last line of the 
shellcode from:

"\x2E\x70\x6C\x20\x48\x54\x54\x50\x2F\x31
\x2E\x30\x0D\x0A\x0D\x0A\x00";

 to

"\x2E\x70\x6C\x78\x20\x48\x54\x54\x50\x2F\x31
\x2E\x30\x0D\x0A\x0D\x0A\x00";

Cheers,

Indigo.

From: Jim <raxor () dexlink com>
Has anyone been able to duplicate this bug ? 

A *default* install of IIS5 (tested in w2k pro) with 
ActivePerl 5.6.1.629 is *not* vulnerable to this bug.  
In 
order to become vulnerable, you must disable 
the "Check that file exists" option for PerlIS.dll.  (In 
order to do this, open up the IIS MMC, right click on 
a 
(virtual) directory in your web server, 
choose "Properties", click on the "Configuration..." 
button, highlight the ".plx" item, click "Edit", and then 
uncheck "Check that file exists".)

Am I wrong or does the ISAPI version of ActivePerl 
execute .plx files and not .pl as mentioned in the 
advisory ? 

On my test machine (win2k pro), by default perl.exe 
handles .pl and perlIS.dll handles .plx

--
^Drew

http://guh.nu

--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518  5798 9014 CA99 
2DA0 5E78
--End PGP Fingerprint--



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault