[16169] in bugtraq
Re: sperl 5.00503 (and newer ;) exploit
daemon@ATHENA.MIT.EDU (Randal L. Schwartz)
Thu Aug 10 13:45:45 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <m13dkem8sa.fsf@halfdome.holdit.com>
Date: Wed, 9 Aug 2000 14:20:05 -0700
Reply-To: "Randal L. Schwartz" <merlyn@STONEHENGE.COM>
From: "Randal L. Schwartz" <merlyn@STONEHENGE.COM>
X-To: Simon Cozens <simon@brecon.co.uk>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Simon Cozens's message of "Tue, 8 Aug 2000 06:23:50 -0000"
>>>>> "Simon" == Simon Cozens <simon@OTHERSIDEOFTHE.EARTH.LI> writes:
Simon> You didn't say which version of Perl this was from, but versions prior
Simon> to 5.6.0 use csh for globbing. ("<*.foo>" and so on.)
Simon> I *believe* this was sanity checked for naughty input ("<*|rm
Simon> -rf />") etc. but I can't verify that right now because I
Simon> don't have <5.6.0 handy, but even if not, this would require
Simon> programmer insecurity, not Perl insecurity.
Simon> By which I mean, if you're writing
Simon> @foo = <*|rm -rf />;
Simon> in a setuid script, you get what's coming to you. If you're doing that
Simon> with *external input* in a suid root program, you deserve to be hung, drawn,
Simon> quartered and then really, really hurt.
No, it was not checked. Try this in any pre 5.6 Perl:
print <;echo guess who;date>;
You'll get something like
guess who
Wed Aug 9 14:17:13 PDT 2000
And this has been known since at least the time I was constructing
JAPHs circa 1990, because I used it for one of them:
Date: 28 Feb 90 01:32:25 GMT
From: merlyn@iwarp.intel.com (Randal Schwartz)
@a=<;echo Just another Perl hacker,>; print join(" ",@a);
And that's been replicated to CPAN mirrors all over the world, such
as <http://cpan.perl.org/misc/japh>.
If taint mode (command line -T, or setuid detected) was enabled, all
globbing was fatal, but I think that only went in around 5.004 (about
two years ago).
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
