Heads up all you IIS users :-) ....
----- Original Message ----- From: "Nsfocus Security Team" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, November 14, 2001 11:42 PM Subject: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability NSFOCUS Security Advisory(SA2001-07) Topic: ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability Release Date�� 2001-11-15 CVE CAN ID : CAN-2001-0815 BUGTRAQ ID : 3526 Affected system: ================ Activestate ActivePerl 5.6.1.629 and earlier versions - Microsoft IIS 4.0 - Microsoft IIS 5.0 Not affected system: ==================== Activestate ActivePerl 5.6.1.630 - Microsoft IIS 4.0 - Microsoft IIS 5.0 Impact: ========= NSFOCUS Security Team has found a exploited buffer overflow vulnerability in a dynamic link library (perlIS.dll) of ActivePerl when handling overlong filename. Exploit of it, an attacker could remotely execute arbitrary code. Description�� ============ ActivePerl is a binary package of perl for Linux, Solaris or Windows system developed by ActiveState. ActivePerl for windows has a dynamic link library, perlIS.dll, which is a ISAPI extension to provide high-performance perl interface for Microsoft IIS server. PerlIS.dl was discovered to handle perl script request sent by user without correct length check of the URL. In case that an attacker send an overlong URL request, PerlIS would call strcpy() and copy it to a stack buffer, which would trigger a buffer overflow. Attacker could overwrite some sensitive data in the stack like returned address. With well-crafted URL request, the attacker might be able to execute arbitrary code remotely. Exploiting this vulnerability successfully, an attack might access IWAM_machinename account in IIS 5.0 and Local SYSTEM privilege in IIS 4.0. Exploit: ========== $ lynx http://host/cgi-bin/`perl -e 'print "A" x 360'`.pl The remote procedure call failed. Workaround: =================== Edit "perlIS.dll" ISAPI extension in Internet Service Manager and check "Check that file exists" option. Vendor Status: ============== 2001.10.15 We reported this vulnerability to ActiveState. 2001.10.23 ActiveState informed that the vulnerability has been eliminated in build 630. Latest version of ActivePerl is available at http://www.activestate.com/Products/ActivePerl/download.plex Additional Information: ======================== The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2001-0815 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries. DISCLAIMS: ========== THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY. Copyright 1999-2001 NSFOCUS. All Rights Reserved. Terms of use. NSFOCUS Security Team <[EMAIL PROTECTED]> NSFOCUS INFORMATION TECHNOLOGY CO.,LTD (http://www.nsfocus.com) =========================Delivery co-sponsored by Trend Micro, Inc. =========================BEST-OF-BREED ANTIVIRUS SOLUTION FOR MICROSOFT EXCHANGE 2000 Earn 5% rebate on licenses purchased for Trend Micro ScanMail for Microsoft Exchange 2000 between October 1 and November 16. ScanMail ensures 100% scanning of inbound and outbound traffic and provides remote software management. For program details or to download your 30-day FREE evaluation copy: http://www.antivirus.com/banners/tracking.asp?siS&bi$5&ul=tp://www.a ntivirus.com/smex2000_rebate _______________________________________________ Perl-Win32-Web mailing list [EMAIL PROTECTED] http://listserv.ActiveState.com/mailman/listinfo/perl-win32-web
