Date:         Sat, 5 Aug 2000 19:19:36 +0200
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
Subject:      Re: sperl 5.00503 (and newer ;) exploit
To: BUGTRAQ@SECURITYFOCUS.COM

On Sat, 5 Aug 2000, Michal Zalewski wrote:

> Below you'll find a brief description of the vulnerability and the exploit itself
> [..]

OK, I decided to describe it in detail.

a) If you try to fool perl, forcing it to execute one file instead
   of another (quite a complicated condition; refer to the source code), it
   generates the following mail to the administrator:

    From: Bastard Operator <root@nimue.tpi.pl>
    To: root@nimue.tpi.pl

   User 500 tried to run dev 769 ino 343180 in place of dev 769 ino 343183!
   (Filename of set-id script was /some/thing, uid 500 gid 500.)

   Sincerely,
   perl

   It is sent using a /bin/mail root call with the environment preserved.

   This condition is quite easy to reach - my code is extremely ugly and
   slow (it's written in bash), so it requires a reasonably fast machine
   (like a pII/pIII x86 box). It can be optimized, of course.

b) In this mail, you'll find the script name, taken from argv[1].

c) /bin/mail has an undocumented feature; if interactive=something, it will
   interpret the ~! sequence even when not running on a terminal; it is not
   safe to use /bin/mail at a privileged level.

These three things, combined, allow you to execute a command using ~! passed in
the script name. This command creates a suid shell.

Voila, again.
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
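The chain described in the message, modelled as an added Python example; this is not code from the post, from perl, or from mail(1). It rebuilds the warning body sperl sent (the text is taken from the mail above), models the BSD mail(1) rule that a body line beginning with "~!" is handed to the shell only when escapes are enabled, and shows how attacker-controlled argv[1] reaches a line start. Assumptions, labelled in the code: that escapes are honoured when stdin is a tty or the `interactive` variable is set (the post's undocumented feature, modelled here as an environment variable), that the filename needs an embedded newline so "~!" lands at the start of a body line (the post only says the sequence is "passed in script name"), and that the hardened variants (`hardened_warning`, `MAIL_ENV`) are my suggestions rather than any vendor's fix. Nothing is executed; every function returns what would run.

```python
import re

ESCAPE = "~"

# Constructed sample values copied from the mail quoted in the post.
GOOD_FILE = (769, 343183)   # dev, ino perl expected to run
BAD_FILE = (769, 343180)    # dev, ino it was tricked into opening


def would_interpret_escapes(env, stdin_is_tty):
    """Assumed decision rule for old BSD mail(1): tilde escapes are processed
    on a terminal, or whenever the `interactive` variable is set, even if the
    body arrives on a pipe (the feature the post calls undocumented)."""
    return stdin_is_tty or "interactive" in env


def tilde_commands(body, escapes_enabled):
    """Return the shell commands mail(1) would run for this body: a line whose
    first two characters are "~!" is a shell escape, anything else is text."""
    if not escapes_enabled:
        return []
    return [line[2:] for line in body.split("\n") if line.startswith(ESCAPE + "!")]


def perl_suid_warning(script_name, uid, gid):
    """The warning body from the post, with argv[1] interpolated unescaped
    (as the vulnerable sperl did).  A newline inside script_name therefore
    starts a fresh body line."""
    return (
        "User %d tried to run dev %d ino %d in place of dev %d ino %d!\n"
        "(Filename of set-id script was %s, uid %d gid %d.)\n"
        "\n"
        "Sincerely,\n"
        "perl\n"
        % (uid, BAD_FILE[0], BAD_FILE[1], GOOD_FILE[0], GOOD_FILE[1],
           script_name, uid, gid)
    )


# --- hardened side (my suggestions, not a historical fix) -------------------

# Environment a privileged caller should hand to a mailer: nothing inherited
# from the user, so `interactive` (and anything else) cannot leak in.
MAIL_ENV = {"PATH": "/bin:/usr/bin"}

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def quote_untrusted(text):
    """Escape control characters so untrusted text can never start a new
    body line (and thus never reach mail(1)'s escape check)."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)


def hardened_warning(script_name, uid, gid):
    """Same message, but argv[1] is escaped before interpolation."""
    return perl_suid_warning(quote_untrusted(script_name), uid, gid)


def commands_reaching_root(env, stdin_is_tty, body):
    """Convenience: what the root-level /bin/mail call would execute."""
    return tilde_commands(body, would_interpret_escapes(env, stdin_is_tty))


if __name__ == "__main__":
    # Constructed attacker argv[1]: the real name, a newline, a shell escape,
    # and a trailing newline so the rest of perl's sentence lands on its own line.
    payload = "/some/thing\n~!cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh\n"
    user_env = {"PATH": "/usr/bin", "interactive": "1"}   # preserved by sperl
    print(commands_reaching_root(user_env, False, perl_suid_warning(payload, 500, 500)))
    print(commands_reaching_root(MAIL_ENV, False, perl_suid_warning(payload, 500, 500)))
    print(commands_reaching_root(user_env, False, hardened_warning(payload, 500, 500)))
```

Note that the two hardening measures are independent: scrubbing the environment blocks the escape interpretation even if the body is still tainted, and escaping the filename keeps "~!" off a line start even if `interactive` does get through. A privileged program should do both, or better, not hand untrusted text to mail(1) at all.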