[2847] in bugtraq
Re: BoS: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
daemon@ATHENA.MIT.EDU (Brian Tao)
Sun Jun 30 13:52:46 1996
Date: Sun, 30 Jun 1996 12:14:10 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Brian Tao <taob@IO.ORG>
X-To: Dan Polivy <danp@carebase3.jri.org>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <Pine.BSF.3.91.960630115332.3753A-100000@carebase3.jri.org>
On Sun, 30 Jun 1996, Dan Polivy wrote:
>
> Does /bin/bash exist on your system? Is the script setuid to
> anything? (It should have either the user or group +s, i think) It
> worked for me on my FreeBSD machines (2.1 and -stable)...
Small glitch on my mistake... I had tried the script as originally
presented to me, with #!/usr/bin/perl. Changing that to suidperl
alters the results (I thought perl automatically fed a setuid script
to suidperl).
On a BSD/OS 2.0 system, running the script produces "Can't swap
uid and euid.". The exploit works on my FreeBSD systems from 2.1R
through to 2.2-960501-SNAP. 2.2-960612-SNAP appears to have already
fixed the problem. I imagine the recent 2.1.5 snapshots are not
vulnerable either, but I haven't had a chance to verify.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
