Bugtraq mailing list archives
Re: Buffer overflow in sperl5.003
From: jlewis () inorganic5 fdt net (Jon Lewis)
Date: Sat, 19 Apr 1997 05:50:58 -0400
On Fri, 18 Apr 1997, David Luyer wrote:
> On Thu, 17 Apr 1997, Murphy wrote:
> > Attached is the source for the exploit. Since it requires some work to be done to the compiled exploit (stripping of 5 bytes at the beginning and end of the binary), the precompiled Linux x86 exploit can be found at http://www.ecst.csuchico.edu/~jtmurphy/localusers.html.
>
> Note that the exploit tries offsets of 1170 to 1240. Debian Linux with sperl5.00307 requires a value of 1169 (and is vulnerable).
I really like to use suidperl (too lazy to use C most of the time) so it's really been bugging me that nobody has posted a fix other than chmod a-s. I spent quite a while trying to figure out what the heck was going on in the perl source, and after many failed attempts to stop this problem, it hit me. It appears the tryall.sperl script just runs sperl with an obnoxiously long argv[1] that happens to have some code tacked onto the end. I couldn't figure out where exactly the buffer overrun was in perl but I figured having really long args to perl is unlikely...so why not limit them to 1024 chars each?

--- miniperlmain.c.orig	Sat Apr 19 03:18:29 1997
+++ miniperlmain.c	Sat Apr 19 05:40:10 1997
@@ -30,6 +30,15 @@
 #endif
 {
     int exitstatus;
+/* begin hacking */
+    if (geteuid() != getuid() || getegid() != getgid()) {
+        int i;
+        for (i=0;i<argc;i++) {
+            if (strlen(argv[i]) > 1024)
+                exit(69);
+        }
+    }
+/* end hacking */
     PERL_SYS_INIT(&argc,&argv);

The only uses for huge argv[1] I can think of is passing a "program" to perl and suidperl doesn't allow that anyway. This patch is really untested except that it does cause tryall.sperl and tryall.generic to fail. I don't know for sure that it "fixes" the problem, but it should at least keep the casual hacker at bay. It could very well break some stuff...but why would you want to feed that much to perl on the commandline?

------------------------------------------------------------------
 Jon Lewis <jlewis () fdt net>  |  Unsolicited commercial e-mail will
 Network Administrator          |  be proof-read for $199/hr.
________Finger jlewis () inorganic5 fdt net for PGP public key_______
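Review bot: the 1024-character cap in the added loop is chosen without knowing the size of the buffer that actually overflows (the message itself says the overrun's location was not found), so an argument of up to 1024 bytes can still overflow a smaller buffer, and the check only blocks the one trigger that tryall.sperl uses; the durable fix is to locate the unbounded copy of argv data in the perl source and bound it there. Two smaller points on the same hunk: `exit(69)` leaves the user with no diagnostic, so write a message to stderr (e.g. `fprintf(stderr, "suidperl: argument too long\n");`) before exiting, and the hunk relies on `geteuid`/`getuid`/`getegid`/`getgid` and `strlen` being declared, so confirm that miniperlmain.c already pulls in <unistd.h> and <string.h> (or the perl header that wraps them) earlier in the file.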