Vulnerabilities > CVE-2001-0815 - Buffer Overflow vulnerability in Activeperl 5.6.1/5.6.1.629

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
activestate
nessus
exploit available

Summary

Buffer overflow in PerlIS.dll in Activestate ActivePerl 5.6.1.629 and earlier allows remote attackers to execute arbitrary code via an HTTP request for a long filename that ends in a .pl extension.

Vulnerable Configurations

Part Description Count
Application
Activestate
3

Exploit-Db

  • description: ActivePerl 5.6.1 perlIIS.dll Buffer Overflow Vulnerability (3). CVE-2001-0815. Remote exploits for multiple platform
    id: EDB-ID:21154
    last seen: 2016-02-02
    modified: 2001-11-15
    published: 2001-11-15
    reporter: Sapient2003
    source: https://www.exploit-db.com/download/21154/
    title: ActivePerl 5.6.1 perlIIS.dll Buffer Overflow Vulnerability 3
  • description: ActivePerl 5.6.1 perlIIS.dll Buffer Overflow Vulnerability (2). CVE-2001-0815. Remote exploit for windows platform
    id: EDB-ID:21153
    last seen: 2016-02-02
    modified: 2001-11-15
    published: 2001-11-15
    reporter: Indigo
    source: https://www.exploit-db.com/download/21153/
    title: ActivePerl 5.6.1 perlIIS.dll Buffer Overflow Vulnerability 2
  • description: ActivePerl 5.6.1 perlIIS.dll Buffer Overflow Vulnerability (1). CVE-2001-0815. Remote exploit for linux platform
    id: EDB-ID:21152
    last seen: 2016-02-02
    modified: 2001-11-15
    published: 2001-11-15
    reporter: Indigo
    source: https://www.exploit-db.com/download/21152/
    title: ActivePerl 5.6.1 perlIIS.dll Buffer Overflow Vulnerability 1

Nessus

NASL family: CGI abuses
NASL id: PERLIS_DLL_BUFFEROVERFLOW.NASL
description: An attacker can run arbitrary code on the remote computer. This is because the remote IIS server is running a version of ActivePerl prior to 5.6.1.630 and has the "Check that file exists" option disabled for perlIS.dll.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10811
published: 2001-11-26
reporter: This script is Copyright (C) 2001-2018 H D Moore & Drew Hintz ( http://guh.nu )
source: https://www.tenable.com/plugins/nessus/10811
title: ActivePerl perlIS.dll Remote Buffer Overflow
code
#
# This script was written by Drew Hintz ( http://guh.nu )
# 
# It is based on scripts written by Renaud Deraison and  HD Moore
#
# See the Nessus Scripts License for details
#

# Changes by Tenable:
# - Revised plugin title (12/28/10)

include("compat.inc");

# Registration phase: when the scanner loads the plugin with `description` set,
# only the metadata below is recorded and the script exits (exit(0) at the end
# of this block) before any of the network code further down runs.
if(description)
{
 # Identifiers that tie the plugin to CVE-2001-0815 / Bugtraq 3526.
 script_id(10811);
 script_version ("1.26");
 script_name(english:"ActivePerl perlIS.dll Remote Buffer Overflow");
 script_cve_id("CVE-2001-0815");
 script_bugtraq_id(3526);
 
 script_set_attribute(attribute:"synopsis", value:
"It may be possible to execute arbitrary code on the remote
system." );
 script_set_attribute(attribute:"description", value:
"An attacker can run arbitrary code on the remote computer.
This is because the remote IIS server is running a version of
ActivePerl prior to 5.6.1.630 and has the Check that file
exists option disabled for the perlIS.dll." );
 script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/3659" );
 # Two remediations are offered: upgrade past 5.6.1.629, or enable
 # "Check that file exists" on the script mapping.
 # NOTE(review): the steps name only the .plx mapping, while the probe loop at
 # the end of this script also requests .pl; a .pl mapping to perlIS.dll
 # presumably needs the same setting - confirm.
 script_set_attribute(attribute:"solution", value:
"Either upgrade to a version of ActivePerl more
recent than 5.6.1.629 or enable the Check that file exists option.
To enable this option, open up the IIS MMC, right click on a (virtual)
directory in your web server, choose Properties, 
click on the Configuration... button, highlight the .plx item,
click Edit, and then check Check that file exists.

More Information: http://www.securityfocus.com/bid/3526" );
 # NOTE(review): this base vector rates confidentiality, integrity and
 # availability impact as Complete, whereas the CVE summary published alongside
 # this plugin rates all three Partial (CVSS 7.5) - confirm which rating
 # downstream reports should carry.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 # NOTE(review): the temporal vector above carries E:POC (proof-of-concept
 # code exists) but exploit_available is "false"; the two fields disagree -
 # confirm and align, since prioritisation tooling may read either one.
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value: "2001/11/26");
 script_set_attribute(attribute:"vuln_publication_date", value: "2001/11/15");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
 script_summary(english:"Determines if arbitrary commands can be executed thanks to ActivePerl's perlIS.dll");
 # ACT_DESTRUCTIVE_ATTACK: the check requests an oversized filename from the
 # handler (see the probe loop at the end of the script), so it can disturb the
 # service being tested.
 # NOTE(review): scanners normally exclude this category when safe checks are
 # enabled, which would leave this CVE untested - confirm against scan policy.
 script_category(ACT_DESTRUCTIVE_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2001-2020 H D Moore & Drew Hintz ( http://guh.nu )");
 script_family(english:"CGI abuses");
 # www_fingerprinting_hmap.nasl presumably populates the
 # www/hmap/<port>/description KB item read after registration - verify.
 script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

# Pick the web port to test (default 80) and stop if it is not open.
# NOTE(review): embedded:TRUE presumably keeps embedded web servers in scope - confirm.
port = get_http_port(default:80, embedded:TRUE);
if (!get_port_state(port)) exit(0);

# When an hmap fingerprint was recorded for this port, skip servers that do
# not identify as IIS. With no fingerprint in the KB the filter is bypassed
# and the probes below run against whatever server is listening.
banner = get_kb_item(string("www/hmap/", port, "/description"));
if (banner && "IIS" >!< banner) exit(0);

#
# check(req): request the path `req` from the global `port` and decide whether
# the reply looks like the perlIS.dll failure this plugin detects.
#
# Returns 1 after calling security_hole() when the reply contains
# "HTTP/1.1 500 Server Error" together with either of two error bodies;
# returns 0 for any other reply. Ends the whole script if no reply arrives.
#
# NOTE(review): the second body pattern is a generic error-page title. When no
# hmap fingerprint exists the IIS filter earlier in the script is skipped, so a
# non-IIS server answering with a similar 500 page could presumably be
# flagged - treat findings as needing version confirmation.
# NOTE(review): a missing reply exits silently; a service that stopped
# answering because of the probe is not distinguished from a timeout - confirm
# that is intended.
#
function check(req)
{
 local_var request, reply;

 request = http_get(item:req, port:port);
 reply = http_keepalive_send_recv(port:port, data:request);
 if (reply == NULL) exit(0);

 # Both conditions must hold: the 500 status line and one known error body.
 if ("HTTP/1.1 500 Server Error" >!< reply) return(0);
 if ("The remote procedure call failed." >!< reply &&
     "<html><head><title>Error</title>" >!< reply) return(0);

 security_hole(port:port);
 return(1);
}

# Directories in which a script mapping is probed.
dir[0] = "/scripts/";
dir[1] = "/cgi-bin/";
dir[2] = "/";

# Extensions requested in each directory, in this order.
# By default perlIS.dll handles .plx; .pl is tried as well.
ext[0] = ".plx";
ext[1] = ".pl";

for (d = 0; dir[d]; d = d + 1)
{
	for (e = 0; ext[e]; e = e + 1)
	{
		# One request per directory/extension pair, using a 660-byte filler name.
		url = string(dir[d], crap(660), ext[e]);

		# check() has already reported the finding, so one hit ends the script.
		if (check(req:url)) exit(0);
	}
}