Bugtraq mailing list archives
Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability
From: jlewis () inorganic5 fdt net (Jon Lewis)
Date: Sun, 30 Jun 1996 14:08:52 -0400
On Sun, 30 Jun 1996, Andrew Liles wrote:
Exactly which versions of perl are susceptible to this? I tried it using /usr/contrib/bin/perl on a BSD/OS 2.0 system as well as /usr/bin/perl on FreeBSD 2.1/2.2 systems, and none gave a root shell.It seems to work on version 4 and 5 of suidperl. A regular non-suid perl does not have the vulnerability. So far, 3 machines that I have accounts on (all being linux boxes) have yielded root shells, but it seems that
I've tested perl 5.001 on Linux 1.2.x and IRIX 5.3 and gotten root. Accounts on Solaris 2.5, AIX and BSDI 2.0 systems were not testable as the Solaris and AIX ones had rm'd suidperl and the BSDI one had done a chmod 0000 suidperl...so I assume they were either vulnerable or just paranoid. I didn't bother testing my linux 1.3.x or 2.0.0 boxes, but assumed they were vulnerable and upgraded them all to 5.003. ------------------------------------------------------------------ Jon Lewis | Mime attachments are OK jlewis () inorganic5 fdt net | But please ask before sending http://inorganic5.fdt.net | unsolicited huge files. ________Finger jlewis () inorganic5 fdt net for PGP public key_______
Current thread:
- Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability Jon Lewis (Jun 28)
- Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability Brian Tao (Jun 29)
- Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability Andrew Liles (Jun 30)
- Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability Jon Lewis (Jun 30)
- Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability Casper Dik (Jun 30)
- Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability Andrew Liles (Jun 30)
- Validating email sender Brendan McKenna (Jun 30)
- Re: Validating email sender Squidge (Jun 30)
- Re: Validating email sender Alan Brown (Jun 30)
- Re: Validating email sender Casper Dik (Jun 30)
- Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability Brian Tao (Jun 29)
- portmapper dangers der Mouse (Jun 30)
- Re: portmapper dangers Julian Assange (Jun 30)
- Re: portmapper dangers Casper Dik (Jun 30)
- <Possible follow-ups>
- Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability James Seng (Jun 30)