Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

[Michal Zalewski <lcamtuf@DIONE.IDS.PL>] Re: sperl 5.00503 (and newer ;) exploit #2326

Closed p5pRT closed 21 years ago

p5pRT commented 24 years ago

Migrated from rt.perl.org#3650 (status was 'resolved')

Searchable as RT3650$

p5pRT commented 24 years ago

From @RandalSchwartz

Ooops.

p5pRT commented 24 years ago

From @RandalSchwartz

Message RFC822:
X-From-Line: owner-bugtraq@SECURITYFOCUS.COM Mon Aug 7 02:07:45 2000
Envelope-to: merlyn@STONEHENGE.COM
Return-Path: owner-bugtraq@SECURITYFOCUS.COM
Received: from lists.securityfocus.com (lists.securityfocus.com [207.126.127.68]) by halfdome.holdit.com (8.9.1/8.9.1) with ESMTP id CAA08929 for merlyn@STONEHENGE.COM; Mon, 7 Aug 2000 02:07:44 -0700
Received: from lists.securityfocus.com (lists.securityfocus.com [207.126.127.68]) by lists.securityfocus.com (Postfix) with ESMTP id EFF3A1F5DF; Sun, 6 Aug 2000 23:56:05 -0700 (PDT)
Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM (LISTSERV-TCP/IP release 1.8d) with spool id 11324018 for BUGTRAQ@LISTS.SECURITYFOCUS.COM; Sun, 6 Aug 2000 23:54:54 -0700
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78]) by lists.securityfocus.com (Postfix) with SMTP id A94701EF4B for bugtraq@lists.securityfocus.com; Sat, 5 Aug 2000 10:16:46 -0700 (PDT)
Received: (qmail 22728 invoked by alias); 5 Aug 2000 17:17:31 -0000
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Received: (qmail 22725 invoked from network); 5 Aug 2000 17:17:30 -0000
Received: from dione.ids.pl (195.117.3.59) by mail.securityfocus.com with SMTP; 5 Aug 2000 17:17:30 -0000
Received: from dione (lcamtuf@dione [195.117.3.59]) by dione.ids.pl (rel8+srv+hdrfix+nosuid/cfg8+smrsh+nosuid+rdfix) with ESMTP id TAA07287 for BUGTRAQ@SECURITYFOCUS.COM; Sat, 5 Aug 2000 19:19:47 +0200
X-Hate: Where do you want to go to die?
Message-ID: Pine.LNX.4.21.0008051913570.26685-100000@dione.ids.pl
Date: Sat, 5 Aug 2000 19:19:36 +0200
Reply-To: Michal Zalewski lcamtuf@DIONE.IDS.PL
Sender: Bugtraq List BUGTRAQ@SECURITYFOCUS.COM
From: Michal Zalewski lcamtuf@DIONE.IDS.PL
Subject: Re: sperl 5.00503 (and newer ;) exploit
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Pine.LNX.4.21.0008051825300.26685-101000@dione.ids.pl
X-Filter: mailagent [version 3.0 PL54] for merlyn@stonehenge.com
Lines: 42
Xref: halfdome.holdit.com list.bugtraq:11853
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

On Sat, 5 Aug 2000, Michal Zalewski wrote:

Below you'll find a brief description of the vulnerability and the exploit itself [..]

Ok, I decided to describe it with details.

a) If you try to fool perl, forcing it to execute one file instead of another (quite a complicated condition, refer to the source code), it generates a mail like this to the administrator:

From: Bastard Operator <root@nimue.tpi.pl>
To: root@nimue.tpi.pl

User 500 tried to run dev 769 ino 343180 in place of dev 769 ino 343183! (Filename of set-id script was /some/thing, uid 500 gid 500.)

Sincerely, perl

It is sent using a /bin/mail root call with the environment preserved.

This condition is quite easy to reach - my code is extremely ugly and slow (it's written in bash), so it requires a reasonably fast machine (like a pII/pIII x86 box). It can be optimized, of course.

b) In this mail, you'll find the script name, taken from argv[1].

c) /bin/mail has an undocumented feature; if interactive=something, it will interpret the ~! sequence even if not running on a terminal; it is not safe to use /bin/mail at a privileged level.

These three things, combined, allow you to execute a command using ~! passed in the script name. This command creates a suid shell.

Voila, again.


Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security] [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =-----=> God is real, unless declared integer. <=-----=
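The post above chains three defects: an attacker-chosen string (the script name from argv[1]) is embedded verbatim into a message, that message is handed to /bin/mail running as root with the caller's environment intact, and the mailer honours tilde escapes at the start of a line. The added example below is not code from perl, from the post, or from the fix the thread discusses; it shows the minimal input handling a program would need if it insisted on feeding untrusted text to a line-oriented mailer: strip control characters (so the untrusted value can never begin a new line) and refuse any body in which a line still starts with a tilde. Function names, the 256-byte name buffer and the sample inputs are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if any line of `body` begins with a mailer tilde escape
 * (e.g. "~!" shell escape, "~r" read file). A body that trips this
 * check must never be passed to a mailer that may run interactively. */
int has_tilde_escape(const char *body)
{
    int at_line_start = 1;
    for (const char *p = body; *p; p++) {
        if (at_line_start && *p == '~')
            return 1;
        at_line_start = (*p == '\n');
    }
    return 0;
}

/* Copy `src` into `dst`, replacing newlines, carriage returns and all
 * other control characters with '?'. An attacker-controlled script name
 * therefore cannot start a new line, and so cannot place a tilde escape
 * at the beginning of one. Returns the number of bytes written (not
 * counting the terminator); output is truncated to fit `dstlen`. */
size_t sanitize_name(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    if (dstlen == 0)
        return 0;
    for (; *src && n + 1 < dstlen; src++) {
        unsigned char c = (unsigned char)*src;
        dst[n++] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
    }
    dst[n] = '\0';
    return n;
}

/* Build the "Filename of set-id script was ..." sentence from the
 * perl warning quoted above, with the untrusted name sanitized first.
 * Returns 0 on success, -1 if the output does not fit or (belt and
 * braces) a tilde escape somehow survived sanitization. */
int build_warning(char *out, size_t outlen, const char *script, int uid, int gid)
{
    char safe[256];                       /* assumed size limit for the name */
    sanitize_name(safe, sizeof safe, script);
    int len = snprintf(out, outlen,
                       "Filename of set-id script was %s, uid %d gid %d.",
                       safe, uid, gid);
    if (len < 0 || (size_t)len >= outlen)
        return -1;
    return has_tilde_escape(out) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: a script name carrying an embedded newline
     * followed by a tilde sequence, the shape the post describes. */
    const char *hostile = "/some/thing\n~!id";
    char msg[512];

    if (build_warning(msg, sizeof msg, hostile, 500, 500) == 0)
        printf("safe to log: %s\n", msg);
    else
        printf("refused to build message\n");
    return 0;
}
```

The fix that actually shipped, as the rest of the thread records, was to remove the /bin/mail call from perl altogether rather than sanitize its input; a sanitizer like this only matters for code that still spawns a mailer, and even then the child should get a scrubbed environment (so a caller-supplied `interactive` or similar variable cannot reach it) and the mailer should be invoked in a mode that does not process escapes at all.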

p5pRT commented 24 years ago

From [Unknown Contact. See original ticket]

Randal L. Schwartz (lists.p5p):

Ooops.

This was here yesterday. I fixed it. I emailed the fix to him ten minutes after he submitted the bug report. He didn't recognize the existence of the fix on Bugtraq. What else can you do? :/

p5pRT commented 24 years ago

From [Unknown Contact. See original ticket]

Nathan Torkington (lists.p5p):

(send it to p5p if you didn't already, for sanity checking)

I did!

http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-08/msg00347.html

It just basically dykes out the /bin/mail code.

p5pRT commented 24 years ago

From [Unknown Contact. See original ticket]

Simon Cozens writes:

This was here yesterday. I fixed it. I emailed the fix to him ten minutes after he submitted the bug report. He didn't recognize the existence of the fix on Bugtraq. What else can you do? :/

We need to get this fix (send it to p5p if you didn't already, for sanity checking) out to the vendors ASAP. Jarkko, you have a list of vendor contact info?

Nat

p5pRT commented 24 years ago

From @jhi

On Mon, Aug 07, 2000 at 08:39:44AM -0600, Nathan Torkington wrote:

Simon Cozens writes:

This was here yesterday. I fixed it. I emailed the fix to him ten minutes after he submitted the bug report. He didn't recognize the existence of the fix on Bugtraq. What else can you do? :/

We need to get this fix (send it to p5p if you didn't already, for sanity checking) out to the vendors ASAP. Jarkko, you have a list of vendor contact info?

Not "official" ones, no, but I know some people in various companies. (please feel free to send me any contacts you happen to know of)

As for the actual message: I have already prepared patches for 5.6.0, 5.005_03, and 5.004_05 (they are all basically the same, they remove the /bin/mail code completely), and a security incident message, on which I'm still working.

Nat