[23267] in bugtraq
Re: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer
daemon@ATHENA.MIT.EDU (Indigo)
Tue Nov 27 16:00:59 2001
Date: 27 Nov 2001 05:23:18 -0000
Message-ID: <20011127052318.3974.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Indigo <indig0@talk21.com>
To: bugtraq@securityfocus.com
In-Reply-To: <20011123042207.11342.qmail@mail.securityfocus.com>
Having reinstalled Activestate PERL 5.6.1.629 and IIS
from scratch I agree that the default setings do not
allow you to exploit the overflow. You must
uncheck 'check file exists'. I have not checked any
earlier versions though.
In the instructions for installing the PerlIIS ISAPI
extension it suggests replacing the mappings for
both .pl and .plx with PerlIIS.dll.
If anyone wants to test 'jack.c' with .plx instead of .pl
all they need to do is change the last line of the
shellcode from:
"\x2E\x70\x6C\x20\x48\x54\x54\x50\x2F\x31
\x2E\x30\x0D\x0A\x0D\x0A\x00";
to
"\x2E\x70\x6C\x78\x20\x48\x54\x54\x50\x2F\x31
\x2E\x30\x0D\x0A\x0D\x0A\x00";
Cheers,
Indigo.
>>From: Jim <raxor@dexlink.com>
>>Has anyone been able to duplicate this bug ?
>
>A *default* install of IIS5 (tested in w2k pro) with
>ActivePerl 5.6.1.629 is *not* vulnerable to this bug.
In
>order to become vulnerable, you must disable
>the "Check that file exists" option for PerlIS.dll. (In
>order to do this, open up the IIS MMC, right click on
a
>(virtual) directory in your web server,
>choose "Properties", click on the "Configuration..."
>button, highlight the ".plx" item, click "Edit", and then
>uncheck "Check that file exists".)
>
>>Am I wrong or does the ISAPI version of ActivePerl
>>execute .plx files and not .pl as mentioned in the
>>advisory ?
>
>On my test machine (win2k pro), by default perl.exe
>handles .pl and perlIS.dll handles .plx
>
>--
>^Drew
>
>http://guh.nu
>
>--Begin PGP Fingerprint--
>3C6C F712 0A52 BD33 C518 5798 9014 CA99
>2DA0 5E78
>--End PGP Fingerprint--
>
