[858] in linux-security and linux-alert archive


Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)

daemon@ATHENA.MIT.EDU (Kevin Buhr)
Thu Jun 27 12:30:23 1996

Date: Thu, 27 Jun 96 10:34 CDT
From: Kevin Buhr <buhr@stat.wisc.edu>
To: jlewis@inorganic5.fdt.net
CC: linux-security@tarsier.cv.nrao.edu, linux-alert@tarsier.cv.nrao.edu
In-reply-to: 
	<Pine.LNX.3.91.960626155616.15516p-100000@inorganic5.chem.ufl.edu>
	(message from Jon Lewis on Wed, 26 Jun 1996 16:10:24 -0400 (EDT))
Reply-to: buhr@stat.wisc.edu

-----BEGIN PGP SIGNED MESSAGE-----

(If you follow up, remember to drop the "linux-alert@..." address!)

| Has anyone verified yet whether this is a problem on Linux boxes across 
| the world?

I've verified the Perl saved setuid bug (CERT Advisory CA-96.12) on a
Debian Linux 1.2.8 box running Perl 5.001.  Most other configurations
would behave the same way.  Witness:

   % id
   uid=6073(buhr) gid=6073(buhr) groups=6073(buhr)
   % ls -lg
   -rwxr-xr-x   1 buhr     buhr           70 Jun 27 09:52 testvuln*
   % ./testvuln
   uid=6073(buhr) gid=6073(buhr) groups=6073(buhr)
   % chmod 2755 testvuln
   % ls -lg
   -rwxr-sr-x   1 buhr     buhr           70 Jun 27 09:52 testvuln*
   % ./testvuln
   uid=6073(buhr) gid=6073(buhr) euid=0(root) groups=6073(buhr)

Here, "testvuln" is a Perl script that sets its euid to 0, detaints
its path, and runs "id".

Somewhere in the middle of the 1.1.x kernel sequence, saved ids were
made to work correctly.  Hence, all recent kernels (including all of
the 1.2.x, 1.3.x, and 2.0.x sequences) will "support" this
vulnerability.  Moreover, the standard Linux configuration for the
Perl distribution compiles and installs this flawed setuid version, so
most Linux distributions will have the vulnerability.

THEREFORE, if you have a setuid root "suidperl" or "sperl" somewhere
on your Linux box's filetree, assume you are vulnerable!

Kevin <buhr@stat.wisc.edu>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4beta, an Emacs/PGP interface

iQBVAwUBMdKp8YmVIQW1OgXhAQFikgH9EN5+1NiCzSBz+W0q7phvmZ91247YTxOo
y0Hwjn2qG92yi9S2w+xCiRhpC1e4jWoVjFB4Oyv9/zo84/aytvrxyw==
=SA5N
-----END PGP SIGNATURE-----
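The mechanism behind the transcript above, as an added example that is not part of Kevin's message or of the Perl distribution: on a kernel where saved set-user-id works, a setuid-root program that only lowers its *effective* uid (the way suidperl handed control to the script) keeps uid 0 in the saved slot, so a later seteuid(0) succeeds; setting real, effective and saved uid together leaves nothing to switch back to. The program is Linux-specific (setresuid/getresuid), the function names and the choice of 65534 as a spare unprivileged uid are my own assumptions, and each experiment runs in a forked child so the parent keeps its own ids.

```c
/* Added example, not from the original message or from Perl.
 * Demonstrates why correct saved-set-uid support "supports" the suidperl
 * bug: dropping only the effective uid leaves saved uid 0 reachable.
 * Linux-only.  Run as root to see the difference; as an ordinary user
 * both experiments report that root cannot be regained. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Explicit prototypes in case unistd.h was pulled in before _GNU_SOURCE. */
extern int setresuid(uid_t ruid, uid_t euid, uid_t suid);
extern int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Uid to drop to: as root, an assumed-unused unprivileged id (65534);
 * otherwise our own uid, the only id an unprivileged process may use. */
static uid_t target_uid(void)
{
    return geteuid() == 0 ? (uid_t)65534 : getuid();
}

/* Temporary drop: only the effective uid changes, real and saved uid
 * stay.  This is the mistake: saved uid 0 remains available. */
static int drop_temporarily(uid_t u)
{
    return seteuid(u);
}

/* Permanent drop: real, effective and saved uid are all set to u and
 * then verified, so no privileged id is left to switch back to. */
static int drop_permanently(uid_t u)
{
    uid_t r, e, s;
    if (setresuid(u, u, u) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == u && e == u && s == u) ? 0 : -1;
}

/* Run one experiment in a child so the parent keeps its ids.
 * Returns 1 if the child regained euid 0 after the drop, 0 if it
 * could not, -1 on error (fork/wait failure or the drop itself failing). */
int can_regain_root(int permanent)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        uid_t u = target_uid();
        int rc = permanent ? drop_permanently(u) : drop_temporarily(u);
        if (rc != 0)
            _exit(2);
        /* The actual test: will the kernel let us back to uid 0? */
        _exit((seteuid(0) == 0 && geteuid() == 0) ? 1 : 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    printf("running as uid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    printf("after temporary drop (seteuid):   %s\n",
           can_regain_root(0) == 1 ? "CAN regain root" : "cannot regain root");
    printf("after permanent drop (setresuid): %s\n",
           can_regain_root(1) == 1 ? "CAN regain root" : "cannot regain root");
    return 0;
}
```

Run as root, the first line reports that root can be regained and the second that it cannot; that first case is the state a script run under the flawed suidperl found itself in, which is why setting its euid back to 0 worked.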
