[16152] in bugtraq


Re: (debian) Re: suidperl; more

daemon@ATHENA.MIT.EDU (Dunker, Noah)
Wed Aug 9 16:06:51 2000

MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1252"
Message-ID:  <2143E5094A7BD21184AD00A024C9C66025A1ED@FNEX>
Date:         Tue, 8 Aug 2000 15:45:18 -0500
Reply-To: "Dunker, Noah" <NDunker@FISHNETSECURITY.COM>
From: "Dunker, Noah" <NDunker@FISHNETSECURITY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

BTW: FreeBSD 4.0 isn't vulnerable (for a few reasons):

The first is the same as Debian:
suidperl calls /bin/mail (it's hardcoded) and FreeBSD uses /usr/bin/mail

Also, there is no /bin/bash.  If you install the bash package, it's
/usr/local/bin/bash

If I symlink /bin/mail --> /usr/bin/mail and modify the script so that
boomsh calls /bin/sh, this exploit does work with FreeBSD 4.0.

I've long since gotten rid of my FreeBSD 3.x and 2.x boxen, so I don't have
a good way to test old FreeBSD releases.  I'll try OpenBSD 2.7 and NetBSD
1.4.2 when I get home.  I'm guessing the recent releases of all *BSD are
probably not vulnerable due to the location of mail (and the fact that
/bin/bash doesn't exist, but any script kiddie can change the script to
/bin/sh).

Noah Dunker

Network Security Engineer
FishNet Security
816.421.6611
http://www.fishnetsecurity.com

-----Original Message-----
From: Alexander Oelzant [mailto:aoe@OEH.NET]
Sent: Tuesday, August 08, 2000 8:04 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: (debian) Re: suidperl; more


On Mon, Aug 07, 2000 at 06:07:57PM +0200, Sebastian wrote:
> So far, there are more security-related apps which use /bin/mail
> for logging

Debian again proves to be highly security-aware: it does not even
have a /bin/mail and is thus safe from this very attack. Of course,
using /usr/bin/mail works fine, so any applications where /bin/mail
was not hardcoded would be affected.

hth
   Alexander

--
Alexander Oelzant 		alexander@oelzant.priv.at
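
Added example, not part of the original messages: a shell audit of the two conditions discussed in this thread, a setuid perl binary being installed and the hardcoded path /bin/mail resolving to an executable. The function name, the status strings and the binary names searched for (suidperl, sperl*) are assumptions made for this example.

```shell
#!/bin/sh
# Added audit example (not from the original thread).
# Usage: suidperl_mail_check [ROOT]   (ROOT defaults to /)
# Prints one of: no-suidperl, mail-path-missing, preconditions-met
# It does not test whether the installed perl build has been fixed.

suidperl_mail_check() {
    root=${1:-/}
    root=${root%/}      # "/" becomes "", so the paths below stay absolute

    # Assumption: setuid perl is installed in a bin directory as
    # "suidperl" or "sperl<version>"; adjust for local packaging.
    found=""
    for dir in "$root/usr/bin" "$root/usr/local/bin" "$root/bin"; do
        [ -d "$dir" ] || continue
        hit=$(find "$dir" -type f \( -name suidperl -o -name 'sperl*' \) \
                  -perm -4000 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            found=$hit
            break
        fi
    done

    if [ -z "$found" ]; then
        echo "no-suidperl"
        return 0
    fi

    # The thread's condition: the hardcoded /bin/mail must exist.
    # -x follows symlinks, so a /bin/mail -> /usr/bin/mail link counts.
    if [ -x "$root/bin/mail" ]; then
        echo "preconditions-met"
    else
        echo "mail-path-missing"
    fi
}
```

A result of mail-path-missing matches the Debian and FreeBSD 4.0 layouts described above; creating the /bin/mail symlink changes the result to preconditions-met.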
