[2858] in bugtraq
Re: BoS: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
daemon@ATHENA.MIT.EDU (Kai)
Sun Jun 30 18:44:25 1996
Date: Sun, 30 Jun 1996 17:19:04 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Kai <kai@nyiq.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Brian Tao wrote:
> On Sun, 30 Jun 1996, Dan Polivy wrote:
> >
> > Does /bin/bash exist on your system? Is the script setuid to
> > anything? (It should have either the user or group +s, I think) It
> > worked for me on my FreeBSD machines (2.1 and -stable)...
>
> Small glitch on my mistake... I had tried the script as originally
> presented to me, with #!/usr/bin/perl. Changing that to suidperl
> alters the results (I thought perl automatically fed a setuid script
> to suidperl).
>
> On a BSD/OS 2.0 system, running the script produces "Can't swap
> uid and euid.". The exploit works on my FreeBSD systems from 2.1R
> through to 2.2-960501-SNAP. 2.2-960612-SNAP appears to have already
> fixed the problem. I imagine the recent 2.1.5 snapshots are not
> vulnerable either, but I haven't had a chance to verify.
> --
Execution on my system results in an 'Insecure PATH at ./blah line 3.',
no matter what program exec is calling in the exploit script.
Why is that?