Bugtraq mailing list archives
Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability
From: H.Karrenbeld () ct utwente nl (Henri Karrenbeld)
Date: Mon, 1 Jul 1996 21:50:45 +0200
Some time ago martinh () mailhost emap co uk declared:
> On Sun, 30 Jun 1996, Michael Constant wrote:
>
> Exactly which versions of perl are susceptible to this? I tried it using /usr/contrib/bin/perl on a BSD/OS 2.0 system as well as /usr/bin/perl on FreeBSD 2.1/2.2 systems, and none gave a root shell.
>
> Any copy of perl which is setuid root (they're typically named "sperl*" or "suidperl"). The exploit does work on my FreeBSD 2.1.0-RELEASE system.
>
> Breaks on Linux 1.3.20 here, using suidperl -U it dies with a SEGV, with just perl it gives me a shell with normal permissions. On 1.2.8 it _does_ work.
Well, I tested it on Linux 2.0.0 with perl5.001 (out-of-the-box Slackware 3.0 perl 5.001m) and it appears to be vulnerable, I only needed the original version that was posted here (no -U and no suidperl needed, simply #!/usr/bin/perl, it worked with suidperl -U too btw *shrug*).

Looks like your linux 1.3.20 has broken suidperl itself or that sperl was not installed with the suid bit turned on. Could _also_ be that you changed your script after chmod()-ed it with +s. Please note that changing the script with e.g. vi and writing it back will turn OFF the suid bit! You need to setuid it _AGAIN_ after changing the script!

Don't be goaded into a false sense of security by this sequence (this might be trivial but somehow I get the impression not everyone reading this list is a security-crack-unix-guru, actually I made the mistake myself the first time I checked it)

1) create the script
2) chmod 4700 script
3) ./script (hmm doesn't work)
4) vi script (change perl into suidperl -u)
5) ./script (hmm no root shell, hey I'm secure! uhuh, no way!)

Best is to _always_ check the permissions before running the script $)

Henri
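The permission check recommended in the post above, as an added example that is not part of the original message: it replays steps 1, 2 and 4 on a throwaway file and reports when a "no root shell" result would be inconclusive. `save_like_editor` is a hypothetical stand-in that assumes the editor saves by replacing the file, the script body is a constructed placeholder, and the nosuid-mount check goes beyond what the post mentions.

```python
import os
import stat
import tempfile

def suid_precheck(path):
    """Return reasons why 'no root shell' from running `path` proves nothing."""
    st = os.stat(path)
    reasons = []
    if not st.st_mode & stat.S_ISUID:
        reasons.append("no-setuid-bit")    # e.g. lost when the file was rewritten
    if not st.st_mode & stat.S_IXUSR:
        reasons.append("not-executable")
    if os.statvfs(path).f_flag & os.ST_NOSUID:
        reasons.append("nosuid-mount")     # the bit is ignored on this filesystem
    return reasons

def save_like_editor(path, new_text):
    """Hypothetical editor save: write a new file, then rename it over the old one."""
    tmp = path + ".new"
    with open(tmp, "w") as fh:
        fh.write(new_text)
    os.replace(tmp, path)                  # new inode with a freshly created mode

def replay_sequence(workdir):
    """Replay steps 1, 2 and 4 of the post; return the precheck result at each stage."""
    script = os.path.join(workdir, "script")
    with open(script, "w") as fh:          # step 1: create the script
        fh.write("#!/usr/bin/perl\n# constructed placeholder body\n")
    os.chmod(script, 0o4700)               # step 2: chmod 4700 script
    before = suid_precheck(script)
    save_like_editor(                      # step 4: vi script
        script, "#!/usr/bin/suidperl -u\n# constructed placeholder body\n")
    after = suid_precheck(script)
    os.chmod(script, 0o4700)               # setuid it again after the change
    redone = suid_precheck(script)
    return before, after, redone

if __name__ == "__main__":
    labels = ("after chmod 4700", "after edit", "after re-chmod")
    with tempfile.TemporaryDirectory() as d:
        for label, reasons in zip(labels, replay_sequence(d)):
            verdict = "inconclusive: " + ", ".join(reasons) if reasons else "test is meaningful"
            print(f"{label}: {verdict}")
```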