Bugtraq mailing list archives

Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability


From: H.Karrenbeld () ct utwente nl (Henri Karrenbeld)
Date: Mon, 1 Jul 1996 21:50:45 +0200


Some time ago martinh () mailhost emap co uk declared:

On Sun, 30 Jun 1996, Michael Constant wrote:

Exactly which versions of perl are susceptible to this?  I tried
it using /usr/contrib/bin/perl on a BSD/OS 2.0 system as well as
/usr/bin/perl on FreeBSD 2.1/2.2 systems, and none gave a root shell.

Any copy of perl which is setuid root (they're typically named "sperl*"
or "suidperl").  The exploit does work on my FreeBSD 2.1.0-RELEASE system.

Breaks on Linux 1.3.20 here; using suidperl -U it dies with a SEGV, with
just perl it gives me a shell with normal permissions.

On 1.2.8 it _does_ work.

Well, I tested it on Linux 2.0.0 with perl5.001 (out-of-the-box Slackware 3.0
perl 5.001m) and it appears to be vulnerable; I only needed the original
version that was posted here (no -U and no suidperl needed, simply
#!/usr/bin/perl; it worked with suidperl -U too btw *shrug*).

Looks like your linux 1.3.20 has broken suidperl itself or that sperl was
not installed with the suid bit turned on. Could _also_ be that you changed
your script after chmod()-ing it with +s. Please note that changing the script
with e.g. vi and writing it back will turn OFF the suid bit! You need to
setuid it _AGAIN_ after changing the script! Don't be goaded into a false
sense of security by this sequence (this might be trivial but somehow I
get the impression not everyone reading this list is a
security-crack-unix-guru; actually I made the mistake myself the first time I checked it):

1) create the script
2) chmod 4700 script
3) ./script (hmm doesn't work)
4) vi script (change perl into suidperl -u)
5) ./script (hmm no root shell, hey I'm secure! uhuh, no way!)

Best is to _always_ check the permissions before running the script.

$) Henri
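The permission check Henri recommends, written out as an added example (this is not code from the thread or from the perl distribution): has_setuid() reads the owner-execute field of `ls -ld` output, which is portable across the BSD and Linux systems mentioned above, and demo() reproduces the failure mode in the five-step sequence by rewriting a freshly chmod 4700'd test file the way an editor that writes a new copy and renames it over the original would. The file contents, the temp-file naming and the rename-style rewrite are assumptions made for the demonstration; on Linux an unprivileged in-place write also clears the bit, so the check is worth running whichever path the editor takes.

```shell
#!/bin/sh
# Added example, not from the original thread: confirm that a test script
# still carries the setuid bit (and hence still exercises suidperl) before
# executing it, instead of trusting an earlier chmod.

# has_setuid FILE: exit 0 if FILE has the setuid bit, 1 if not, 2 if it
# cannot be stat'ed. The owner-execute column of `ls -ld` shows 's' (setuid
# + exec) or 'S' (setuid without exec); this works on BSD and Linux alike.
has_setuid() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10) || return 2
    [ -n "$mode" ] || return 2
    case "$mode" in
        ???[sS]??????) return 0 ;;
        *)             return 1 ;;
    esac
}

# check_before_run FILE: the guard a tester should put in front of ./script.
# Prints a verdict and returns 0 only when the setuid bit is actually set.
check_before_run() {
    if has_setuid "$1"; then
        echo "$1: setuid bit set, test is meaningful"
        return 0
    fi
    echo "$1: setuid bit NOT set, chmod 4700 it again before testing" >&2
    return 1
}

# rewrite_by_rename FILE: mimic an editor that writes a new copy and renames
# it over the original. The copy is created with the umask mode, so the
# setuid bit on the original is silently lost (hypothetical helper).
rewrite_by_rename() {
    tmp="$1.tmp.$$"
    cat -- "$1" > "$tmp" || return 1
    mv -f -- "$tmp" "$1"
}

# demo: walk Henri's sequence on a constructed test file. Returns 0 when
# the guard passes right after chmod 4700 and fails right after the rewrite,
# i.e. when the check would have caught the lost bit.
demo() {
    script=$(mktemp) || return 2
    printf '%s\n' '#!/usr/bin/perl' 'print "constructed test script\n";' > "$script"
    chmod 4700 "$script"
    if ! check_before_run "$script"; then      # bit must be set after chmod
        rm -f "$script"; return 1
    fi
    rewrite_by_rename "$script"                # "vi script" and write it back
    if check_before_run "$script" 2>/dev/null; then   # bit must now be gone
        rm -f "$script"; return 1
    fi
    rm -f "$script"
    return 0
}
```

Run check_before_run on the script immediately before each `./script`; a non-zero exit means the run would only have tested the ordinary interpreter, not the setuid one, so its result says nothing about whether the system is vulnerable.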


