Bugtraq mailing list archives
Re: sperl 5.00503 (and newer ;) exploit
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Sat, 5 Aug 2000 19:19:36 +0200
On Sat, 5 Aug 2000, Michal Zalewski wrote:
> Below you'll find brief description of vulnerability and exploit itself [..]

Ok, I decided to describe it with details.

a) If you'll try to fool perl, forcing it to execute one file instead of another (quite complicated condition, refer to source code), it generates such mail to administrator:

    From: Bastard Operator <root () nimue tpi pl>
    To: root () nimue tpi pl

    User 500 tried to run dev 769 ino 343180 in place of dev 769 ino 343183!
    (Filename of set-id script was /some/thing, uid 500 gid 500.)

    Sincerely,
    perl

It is sent using /bin/mail root call with environment preserved. This condition is quite easy to reach - my code is extremely ugly and slow (it's written in bash), so it requires reasonably fast machine (like pII/pIII x86 box). It can be optimized, of course.

b) In this mail, you'll find script name, taken from argv[1].

c) /bin/mail has undocumented feature; if interactive=something, it will interpret ~! sequence even if not running on the terminal; it is not safe to use /bin/mail at privileged level.

Three things, combined, allow you to execute command using ~! passed in script name. This command creates suid shell. Voila, again.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
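The three ingredients above (attacker-controlled argv[1] copied into the mail body, /bin/mail invoked with the caller's environment, and mail's tilde escapes honoured at the start of a body line) are each cheap to take away. The C below is an added illustration of the two mitigations a set-id program would want; it is not Perl's code, and the notice format, the helper names (sanitize_for_mail, build_notice, send_notice) and the hostile sample filename are all made up for the example. The script name is rendered so that it can never start a new body line (newlines, other control bytes, '~' and '\' become \xNN), and mail is started through execve with a fixed minimal environment, so an inherited variable such as `interactive` cannot change how it parses its input.

```c
/* Added example (not from Perl or from the original post): pass an
 * untrusted string through a privileged mail notification safely. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Escape `in` for inclusion in a mail(1) body.  Every byte that is not
 * printable ASCII, plus '~' and '\', is written as \xNN.  Newlines are the
 * important case (a tilde escape such as ~!cmd is only honoured at the start
 * of a line), '~' is escaped as a second line of defence, and '\' so that the
 * encoding stays unambiguous.  Returns the length written, or (size_t)-1 if
 * `out` is too small.
 */
size_t sanitize_for_mail(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p >= 0x20 && *p < 0x7f && *p != '~' && *p != '\\') {
            if (n + 1 >= outlen) return (size_t)-1;
            out[n++] = (char)*p;
        } else {
            if (n + 4 >= outlen) return (size_t)-1;
            n += (size_t)snprintf(out + n, outlen - n, "\\x%02x", *p);
        }
    }
    out[n] = '\0';
    return n;
}

/* Build the notice.  `script` is argv[1] of the set-id script, i.e. attacker
 * controlled; uid/gid come from the kernel.  Format simplified for the example. */
int build_notice(char *buf, size_t buflen, uid_t uid, gid_t gid, const char *script)
{
    char safe[512];
    if (sanitize_for_mail(script, safe, sizeof safe) == (size_t)-1)
        return -1;
    int n = snprintf(buf, buflen,
        "User %lu tried to run a different file in place of its set-id script!\n"
        "(Filename of set-id script was %s, uid %lu gid %lu.)\n",
        (unsigned long)uid, safe, (unsigned long)uid, (unsigned long)gid);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Deliver `body` to root via /bin/mail.  The child gets a fixed, minimal
 * environment (nothing inherited from the caller, so no `interactive`), and
 * the body is fed on stdin rather than placed on the command line.
 * Returns 0 when mail exited 0, -1 otherwise. */
int send_notice(const char *body)
{
    int fd[2];
    if (pipe(fd) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        char *const argv[] = { "mail", "root", NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        close(fd[1]);
        if (dup2(fd[0], STDIN_FILENO) == -1) _exit(127);
        close(fd[0]);
        execve("/bin/mail", argv, envp);
        _exit(127);
    }
    close(fd[0]);
    size_t len = strlen(body), off = 0;
    while (off < len) {
        ssize_t w = write(fd[1], body + off, len - off);
        if (w <= 0) break;
        off += (size_t)w;
    }
    close(fd[1]);
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(int argc, char **argv)
{
    char body[1024];
    /* Constructed hostile script name: a newline followed by a tilde escape. */
    const char *script = argc > 1 ? argv[1] : "/some/thing\n~!id";
    if (build_notice(body, sizeof body, getuid(), getgid(), script) < 0)
        return 1;
    fputs(body, stdout);          /* shows the single-line, escaped filename */
    /* On a box with /bin/mail: return send_notice(body) == 0 ? 0 : 1; */
    return 0;
}
```

Escaping only the newline would already defeat the ~! trick, since mail(1) looks for escapes at line starts; the clean environment is what removes the dependency on mail's undocumented behaviour altogether, and is the habit to keep for any helper a set-id program executes.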
Current thread:
- sperl 5.00503 (and newer ;) exploit Michal Zalewski (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Michal Zalewski (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Olaf Kirch (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Joey Hess (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Pixel (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Francis J. Lacoste (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Greg A. Woods (Aug 09)
- Re: sperl 5.00503 (and newer ;) exploit Thomas Roessler (Aug 10)
- Re: sperl 5.00503 (and newer ;) exploit H. Peter Anvin (Aug 11)
- Re: sperl 5.00503 (and newer ;) exploit Olaf Kirch (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Michal Zalewski (Aug 07)
- <Possible follow-ups>
- Re: sperl 5.00503 (and newer ;) exploit Paul Rogers (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Solar Designer (Aug 07)