Vulnerability Development mailing list archives

Some work needed


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Sun, 6 Aug 2000 14:58:38 +0200


It's just another BQ cross-post, but I guess this is the right forum. I
attached an exploit for sperl up to 5.06 (I mean, all current versions).
Unfortunately, it's poorly written - a slow shell script doing some
brute-forcing, probably working only on fast Linux / BSD boxes.

It gives a root shell. What I ask you to do is spend some time making it
more usable - faster, more accurate and portable. This exploit is a "proof
of concept" tool, but a C version will simply be better. So, anyone
interested?

Here's how it works (from BQ post, but I'm not sure if Aleph won't bounce
it):

-- snip! --

a) If you try to fool perl, forcing it to execute one file instead
   of another (quite a complicated condition, refer to the source code), it
   generates such mail to the administrator:

    From: Bastard Operator <root () nimue tpi pl>
    To: root () nimue tpi pl

   User 500 tried to run dev 769 ino 343180 in place of dev 769 ino 343183!
   (Filename of set-id script was /some/thing, uid 500 gid 500.)

   Sincerely,
   perl

   It is sent using a /bin/mail root call with the environment preserved.

   This condition is quite easy to reach - my code is extremely ugly and
   slow (it's written in bash), so it requires a reasonably fast machine
   (like a PII/PIII x86 box). It can be optimized, of course.

b) In this mail, you'll find script name, taken from argv[1].

c) /bin/mail has an undocumented feature; if interactive=something, it will
   interpret the ~! sequence even if not running on a terminal; it is not
   safe to use /bin/mail at a privileged level.

These three things, combined, allow you to execute a command using ~! passed
in the script name. This command creates a suid shell.

-- snip! --

You can find more comments in attached source.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

Attachment: xperl.sh
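Added example, not from the post or its attachment and not perl's or /bin/mail's code: a C re-creation of the three pieces the post chains together, using constructed temp-file names and the numbers from the sample notice as placeholders. It shows the device/inode comparison that produces the notice, a temp-file swap that makes it fire (the end state the race reaches between the kernel's exec and the interpreter's re-open), the notice with argv[1] embedded verbatim, and the mail-side condition (a line starting with '~') that a /bin/mail honouring tilde escapes would act on, beside a sanitizer that neutralises it. The file names, the injection_check helper and the sample script name "x\n~!id" are assumptions for illustration.

```c
/* Added example: not code from the original post, perl or /bin/mail.
 * Re-creates the set-id script check, the notice that embeds argv[1]
 * verbatim, and the mail-side tilde-escape condition, under constructed
 * names. sanitize_name() is the minimal interpreter-side fix. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if fd and path name the same file (same device and inode), 0 if they
 * differ, -1 on error: the comparison behind "dev N ino M in place of
 * dev N ino K". */
int same_file(int fd, const char *path, struct stat *want, struct stat *got)
{
    if (fstat(fd, want) != 0 || stat(path, got) != 0)
        return -1;
    return (want->st_dev == got->st_dev && want->st_ino == got->st_ino) ? 1 : 0;
}

/* Hold an fd on file a, rename file b over a's path (what the race in the
 * post achieves between exec and the re-open), and re-check. Returns 1 when
 * the check passes before the swap and fails after it, -1 on setup error. */
int swap_is_detected(void)
{
    char a[] = "/tmp/xperl-demo-a-XXXXXX";  /* constructed temp names */
    char b[] = "/tmp/xperl-demo-b-XXXXXX";
    struct stat want, got;
    int fd_a = mkstemp(a), fd_b, before, after;

    if (fd_a < 0)
        return -1;
    fd_b = mkstemp(b);
    if (fd_b < 0) {
        close(fd_a); unlink(a);
        return -1;
    }
    before = same_file(fd_a, a, &want, &got);
    if (rename(b, a) != 0) {
        close(fd_a); close(fd_b); unlink(a); unlink(b);
        return -1;
    }
    after = same_file(fd_a, a, &want, &got);
    close(fd_a); close(fd_b); unlink(a);
    return (before == 1 && after == 0) ? 1 : 0;
}

/* Copy a script name for embedding in the notice: control bytes (including
 * '\n') become '?', so the name can never start a new line of the body, and
 * a leading '~' is neutralised too. Returns the number of bytes replaced. */
size_t sanitize_name(const char *in, char *out, size_t n)
{
    size_t i, changed = 0;
    for (i = 0; i + 1 < n && in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c < 0x20 || c == 0x7f || (i == 0 && c == '~')) {
            out[i] = '?';
            changed++;
        } else {
            out[i] = (char)c;
        }
    }
    out[i] = '\0';
    return changed;
}

/* The notice body in the shape the post shows, with the post's numbers as
 * constructed placeholders and the script name embedded verbatim
 * (sanitize == 0) or cleaned first (sanitize != 0). */
int format_notice(char *out, size_t n, const char *script, int sanitize)
{
    char clean[256];
    if (sanitize) {
        sanitize_name(script, clean, sizeof clean);
        script = clean;
    }
    return snprintf(out, n,
        "User 500 tried to run dev 769 ino 343180 in place of dev 769 ino 343183!\n"
        "(Filename of set-id script was %s, uid 500 gid 500.)\n\nSincerely,\nperl\n",
        script);
}

/* Mail-side condition: does any line of the body begin with '~'? */
int body_has_tilde_escape(const char *body)
{
    int at_line_start = 1;
    for (; *body != '\0'; body++) {
        if (at_line_start && *body == '~')
            return 1;
        at_line_start = (*body == '\n');
    }
    return 0;
}

/* Hypothetical helper: build the notice for a script name and report whether
 * a tilde-escape-honouring mailer would see an escape in it. */
int injection_check(const char *script, int sanitize)
{
    char body[512];
    format_notice(body, sizeof body, script, sanitize);
    return body_has_tilde_escape(body);
}

int main(void)
{
    const char *evil = "x\n~!id";  /* constructed: newline, then a tilde escape */
    printf("swap detected by dev/ino check: %d\n", swap_is_detected());
    printf("raw notice carries tilde escape: %d\n", injection_check(evil, 0));
    printf("sanitized notice carries tilde escape: %d\n", injection_check(evil, 1));
    return 0;
}
```

Build with a plain cc invocation; it needs a writable /tmp. The sanitizer is only the narrowest fix on the interpreter side. The broader fixes follow from the post itself: don't pipe attacker-controlled text (here the script name) through a mail user agent that honours tilde escapes, and don't run that agent as root with the caller's environment preserved, since the post says the escapes are enabled by an environment variable.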