If you're one of those poor, poor programmers (like me) who are forced to use Active State Perl and ISAPI, you should be aware that the PerlIS.dll has a remote buffer overflow security hole. From the announcement:

-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Nsfocus
Security Team
Sent: Wednesday, November 14, 2001 7:42 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer
Overflow Vulnerability


NSFOCUS Security Advisory(SA2001-07)

Topic:  ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability

Release Date: 2001-11-15

CVE CAN ID : CAN-2001-0815
BUGTRAQ ID : 3526

Affected system:
================

Activestate ActivePerl 5.6.1.629 and earlier versions
 - Microsoft IIS 4.0
 - Microsoft IIS 5.0

Not affected system:
====================

Activestate ActivePerl 5.6.1.630
 - Microsoft IIS 4.0
 - Microsoft IIS 5.0

Impact:
=========

NSFOCUS Security Team has found a exploited buffer overflow vulnerability 
in a dynamic link library (perlIS.dll) of ActivePerl when handling overlong 
filename. Exploit of it, an attacker could remotely execute arbitrary code.

Description:
============

ActivePerl is a binary package of perl for Linux, Solaris or Windows system 
developed by ActiveState. ActivePerl for windows has a dynamic link library, 
perlIS.dll, which is a ISAPI extension to provide high-performance perl 
interface for Microsoft IIS server.

PerlIS.dl was discovered to handle perl script request sent by user without
correct length check of the URL. In case that an attacker send an overlong 
URL request, PerlIS would call strcpy() and copy it to a stack buffer, which 
would trigger a buffer overflow. Attacker could overwrite some sensitive 
data in the stack like returned address. With well-crafted URL request, the 
attacker might be able to execute arbitrary code remotely. 

Exploiting this vulnerability successfully, an attack might access 
IWAM_machinename account in IIS 5.0 and Local SYSTEM privilege in IIS 4.0.


Exploit:
==========

$ lynx http://host/cgi-bin/`perl -e 'print "A" x 360'`.pl

The remote procedure call failed.

Workaround:
===================

Edit "perlIS.dll" ISAPI extension in Internet Service Manager and check 
"Check that file exists" option.


Vendor Status:
==============

2001.10.15  We reported this vulnerability to ActiveState.
2001.10.23  ActiveState informed that the vulnerability has been 
eliminated in build 630.

Latest version of ActivePerl is available at

http://www.activestate.com/Products/ActivePerl/download.plex


Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CAN-2001-0815 to this issue. This is a candidate for inclusion in 
the CVE list (http://cve.mitre.org), which standardizes names for 
security problems.  Candidates may change significantly before they 
become official CVE entries.

DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY 
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, 
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS BE 
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE 
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2001 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.