[16111] in bugtraq
Re: sperl 5.00503 (and newer ;) exploit
daemon@ATHENA.MIT.EDU (Simon Cozens)
Mon Aug 7 13:38:36 2000
Message-Id: <20000807093409.31417.qmail@othersideofthe.earth.li>
Date: Mon, 7 Aug 2000 09:34:09 -0000
Reply-To: Simon Cozens <simon@brecon.co.uk>
From: Simon Cozens <simon@OTHERSIDEOFTHE.EARTH.LI>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <lists.security/Pine.LNX.4.21.0008051825300.26685-101000@dione.ids.pl>
Michal Zalewski (lists.security):
>Requires: +s perl; bash, gcc, make, usleep (yup, usleep; it's not
>available on every system, but I have no time to rewrite everything in C;
>you can grab this code from RedHat distro or so) will be good... Don't
>mail me if you can't use it - it works.
Michal reported this to the perl5-porters last night, and I mailed him back
after a few minutes with a fix. (+10 points for contacting vendors in advance
of contacting Bugtraq, -5 points for not pointing out a fix is available. :)
That fix, which just crudely dykes out the /bin/mail code, is available at
http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-08/msg00347.html
or, if you're desperate, here:
--- perl.c~ Sun Aug 6 22:08:32 2000
+++ perl.c Sun Aug 6 22:10:13 2000
@@ -2851,6 +2851,7 @@
if (tmpstatbuf.st_dev != PL_statbuf.st_dev ||
tmpstatbuf.st_ino != PL_statbuf.st_ino) {
(void)PerlIO_close(PL_rsfp);
+#ifdef DISGUSTINGLY_INSECURE
if (PL_rsfp = PerlProc_popen("/bin/mail root","w")) { /* heh, heh */
PerlIO_printf(PL_rsfp,
"User %"Uid_t_f" tried to run dev %ld ino %ld in place of dev %ld ino %ld!\n\
@@ -2860,7 +2861,8 @@
CopFILE(PL_curcop),
PL_statbuf.st_uid, PL_statbuf.st_gid);
(void)PerlProc_pclose(PL_rsfp);
- }
+ }
+#endif
Perl_croak(aTHX_ "Permission denied\n");
}
if (
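Review bot: the closing brace just before the new #endif is removed and re-added with no visible change, which looks like a whitespace-only edit; drop that pair so the hunk adds only the #endif line. The #endif should also carry a trailing /* DISGUSTINGLY_INSECURE */ comment, because its #ifdef sits in the previous hunk and is out of sight here. Perl_croak(aTHX_ "Permission denied\n") correctly stays outside the guard, so the dev/ino mismatch still aborts when the macro is undefined.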
Allow for a bit of fuzz if you're patching pre-5.6.0, and have a nice
day.
--
If I ever manage to lose the weight I put on in 18 months of be $PHB and
having no life, I am *really* going to have to go shopping for some
PVC. - Skud, the other place.