[16131] in bugtraq


Re: sperl 5.00503 (and newer ;) exploit

daemon@ATHENA.MIT.EDU (Paul Szabo)
Tue Aug 8 11:47:41 2000

Message-Id:  <200008080923.TAA06530@milan.maths.usyd.edu.au>
Date:         Tue, 8 Aug 2000 19:23:11 +1000
Reply-To: Paul Szabo <psz@MATHS.USYD.EDU.AU>
From: Paul Szabo <psz@MATHS.USYD.EDU.AU>
X-To:         lcamtuf@dione.ids.pl
To: BUGTRAQ@SECURITYFOCUS.COM

(Elias: you may want to pass this on to the list, as it seems not all
readers were aware that the replacement string must be the same length.)

I wrote:

> There have been some source patches posted. But what if you are too lazy
> (or busy) to re-build perl (or the person who built it is on holidays)?
> Use a binary editor to patch the suidperl binary, something like:
>
>   cd /usr/local/bin
>   cp -i suidperl suidperl.ORIG
>   perl -pe 's/mail root/NOmailZZZ/' < suidperl.ORIG > suidperl
>   chmod 4711 suidperl

One reader wondered how the replaced executable can still work:

> Do you really think that this executable will do anything apart from
> just dumping core?
> $ cp /usr/bin/perl . ; perl -pi -e 's,root,r00th,' perl
> $ ./perl
> Segmentation fault (core dumped)

Note that the replacement string MUST be the same length. Sorry, I should
have mentioned that in my original message.

Another reader wondered about its effectiveness:

> ...and what if someone will create symlink NOmailZZZ -> /bin/mail?;>

Note that the full string in suidperl is '/bin/mail root', so my replaced
suidperl would attempt to invoke /bin/NOmailZZZ. If your attacker can
create a symlink in /bin then you are already toast, and he should not
bother messing around with suidperl.

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
