
Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability

daemon@ATHENA.MIT.EDU (Henri Karrenbeld)
Mon Jul 1 21:17:28 1996

Date: 	Mon, 1 Jul 1996 21:50:45 +0200
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Henri Karrenbeld <H.Karrenbeld@ct.utwente.nl>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <Pine.LNX.3.91.960701145230.32691E-100000@mailhost.emap.co.uk>
              from "martinh@mailhost.emap.co.uk" at Jul 1, 96 02:59:23 pm

Some time ago martinh@mailhost.emap.co.uk declared:
>
> On Sun, 30 Jun 1996, Michael Constant wrote:
>
> > >     Exactly which versions of perl are susceptible to this?  I tried
> > > it using /usr/contrib/bin/perl on a BSD/OS 2.0 system as well as
> > > /usr/bin/perl on FreeBSD 2.1/2.2 systems, and none gave a root shell.
> >
> > Any copy of perl which is setuid root (they're typically named "sperl*"
> > or "suidperl").  The exploit does work on my FreeBSD 2.1.0-RELEASE system.
>
> Breaks on Linux 1.3.20 here: using suidperl -U it dies with a SEGV, and with
> just perl it gives me a shell with normal permissions.
>
> On 1.2.8 it _does_ work.

Well, I tested it on Linux 2.0.0 with perl5.001 (out-of-the-box Slackware 3.0
perl 5.001m) and it appears to be vulnerable. I only needed the original
version that was posted here (no -U and no suidperl needed, simply
#!/usr/bin/perl; it worked with suidperl -U too, btw *shrug*).

Looks like your Linux 1.3.20 has a broken suidperl itself, or sperl was
not installed with the suid bit turned on. It could _also_ be that you changed
your script after you chmod()-ed it with +s. Please note that changing the script
with e.g. vi and writing it back will turn OFF the suid bit! You need to
setuid it _AGAIN_ after changing the script! Don't be goaded into a false
sense of security by this sequence (this might be trivial, but somehow I
get the impression not everyone reading this list is a security-crack-unix-guru;
actually I made the mistake myself the first time I checked it):

1) create the script
2) chmod 4700 script
3) ./script (hmm doesn't work)
4) vi script (change perl into suidperl -u)
5) ./script (hmm no root shell, hey I'm secure! uhuh, no way!)

Best is to _always_ check the permissions before running the script.

$) Henri
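The pitfall in the five-step sequence above, as an added shell example that is not part of the original post: a pre-flight check for the setuid bit, plus a simulation of an editor-style save (write a temp file, rename it over the original) showing that the resulting file no longer carries the bit. The file name and its contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. The rewritten file is a new inode,
# so it starts with plain permissions; on Linux an unprivileged in-place write
# also clears setuid/setgid. Either way: re-check the mode before running.

# Return 0 if the file has the setuid bit set, 1 otherwise (POSIX "test -u").
has_setuid() {
    [ -u "$1" ]
}

# Print "setuid" or "plain" for a file; run this before executing a test script.
setuid_state() {
    if has_setuid "$1"; then echo setuid; else echo plain; fi
}

# Create a script, mark it setuid, then save it the way many editors do
# (temp file + rename). Prints "<state before> <state after>".
editor_rewrite_demo() {
    dir=$(mktemp -d) || return 2
    f="$dir/script"                        # constructed file name
    printf '#!/usr/bin/perl\nprint "hello\\n";\n' > "$f"
    chmod 4700 "$f"                        # step 2 of the sequence
    before=$(setuid_state "$f")
    # step 4: editor-style save produces a fresh inode without the bit
    printf '#!/usr/bin/suidperl -U\nprint "hello\\n";\n' > "$f.tmp"
    mv -f "$f.tmp" "$f"
    after=$(setuid_state "$f")
    rm -rf "$dir"
    echo "$before $after"
}
```

Running `editor_rewrite_demo` prints `setuid plain`, which is why step 5 looks "secure" although nothing was fixed.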
