[858] in linux-security and linux-alert archive
Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
daemon@ATHENA.MIT.EDU (Kevin Buhr)
Thu Jun 27 12:30:23 1996
Date: Thu, 27 Jun 96 10:34 CDT
From: Kevin Buhr <buhr@stat.wisc.edu>
To: jlewis@inorganic5.fdt.net
CC: linux-security@tarsier.cv.nrao.edu, linux-alert@tarsier.cv.nrao.edu
In-reply-to:
<Pine.LNX.3.91.960626155616.15516p-100000@inorganic5.chem.ufl.edu>
(message from Jon Lewis on Wed, 26 Jun 1996 16:10:24 -0400 (EDT))
Reply-to: buhr@stat.wisc.edu
-----BEGIN PGP SIGNED MESSAGE-----
(If you follow up, remember to drop the "linux-alert@..." address!)

| Has anyone verified yet whether this is a problem on Linux boxes across
| the world?

I've verified the Perl saved setuid bug (CERT Advisory CA-96.12) on a
Debian Linux 1.2.8 box running Perl 5.001. Most other configurations
would behave the same way. Witness:

% id
uid=6073(buhr) gid=6073(buhr) groups=6073(buhr)
% ls -lg
-rwxr-xr-x 1 buhr buhr 70 Jun 27 09:52 testvuln*
% ./testvuln
uid=6073(buhr) gid=6073(buhr) groups=6073(buhr)
% chmod 2755 testvuln
% ls -lg
-rwxr-sr-x 1 buhr buhr 70 Jun 27 09:52 testvuln*
% ./testvuln
uid=6073(buhr) gid=6073(buhr) euid=0(root) groups=6073(buhr)

Here, "testvuln" is a Perl script that sets its euid to 0, detaints
its path, and runs "id".

Somewhere in the middle of the 1.1.x kernel sequence, saved ids were
made to work correctly. Hence, all recent kernels (including all of
the 1.2.x, 1.3.x, and 2.0.x sequences) will "support" this
vulnerability. Moreover, the standard Linux configuration for the
Perl distribution compiles and installs this flawed setuid version, so
most Linux distributions will have the vulnerability.

THEREFORE, if you have a setuid root "suidperl" or "sperl" somewhere
on your Linux box's filetree, assume you are vulnerable!

Kevin <buhr@stat.wisc.edu>
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4beta, an Emacs/PGP interface
iQBVAwUBMdKp8YmVIQW1OgXhAQFikgH9EN5+1NiCzSBz+W0q7phvmZ91247YTxOo
y0Hwjn2qG92yi9S2w+xCiRhpC1e4jWoVjFB4Oyv9/zo84/aytvrxyw==
=SA5N
-----END PGP SIGNATURE-----
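
The message's closing advice is to look for a setuid root "suidperl" or "sperl" on the file tree. The script below is an added example, not part of the original message, that performs that audit; the function names, the optional OWNER argument, the version-suffix name patterns and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.

# find_suid_perl ROOT [OWNER]
# Print every regular file under ROOT that is named like the Perl setuid
# emulator ("suidperl" or "sperl", optionally with a version suffix such
# as sperl5.001; the suffix pattern is an assumption), has the setuid
# bit set, and is owned by OWNER (default: uid 0, root).
# OWNER is a hypothetical convenience so the check can be tried on a
# scratch tree without being root.
find_suid_perl() {
    root=${1:?usage: find_suid_perl ROOT [OWNER]}
    owner=${2:-0}
    # -perm -4000 matches any mode that includes the setuid bit.
    # Unreadable directories are skipped silently.
    find "$root" -type f -user "$owner" -perm -4000 \
        \( -name 'suidperl*' -o -name 'sperl*' \) -print 2>/dev/null || true
}

# make_sample_tree DIR
# Build a small constructed tree (empty files, not real binaries) that
# covers the cases the audit has to tell apart.
make_sample_tree() {
    dir=${1:?usage: make_sample_tree DIR}
    mkdir -p "$dir/usr/bin" "$dir/usr/local/bin"
    # Ordinary interpreter, no setuid bit: not reported.
    : > "$dir/usr/bin/perl"
    chmod 0755 "$dir/usr/bin/perl"
    # Setuid emulator under both names: reported.
    : > "$dir/usr/bin/suidperl"
    chmod 4755 "$dir/usr/bin/suidperl"
    : > "$dir/usr/bin/sperl5.001"
    chmod 4755 "$dir/usr/bin/sperl5.001"
    # Same name with the setuid bit already cleared: not reported.
    : > "$dir/usr/local/bin/sperl5.001"
    chmod 0755 "$dir/usr/local/bin/sperl5.001"
    # Setuid file with an unrelated name: not reported.
    : > "$dir/usr/bin/other"
    chmod 4755 "$dir/usr/bin/other"
}
```

On a live system, run `find_suid_perl /` as root so that no directory is skipped; any path it prints is a binary the message says to treat as vulnerable.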