
Potential setuid security hole #1614

Closed
p5pRT opened this issue Mar 29, 2000 · 3 comments
Comments


p5pRT commented Mar 29, 2000

Migrated from rt.perl.org#2851 (status was 'resolved')

Searchable as RT2851$


p5pRT commented Mar 29, 2000

From thospel@mail.dma.be

Consider:
- a setuid script without -T in the arguments puts . in @INC
- eval { require something; } is a standard coding technique.

So all you have to do to execute any code as the setuid user is find
a program path where it will check for an option that is in fact not installed
on your system. Make sure that you have a file something.pm with your code
in your current directory and you're home free.

Other ways of having the system fail to read the installed system modules
should also work (run the system out of memory at the critical moments?)

I couldn't directly find a trivial exploit with the standard distribution,
since I tend to have everything compiled in, and all my requires in fact
work.

A few good candidates:
- lib::AnyDBM_File is a direct hit if you don't have NDBM_File
- Sys::Hostname is fun if you can get it to go for syscall.ph (half the
  world never ran h2ph). (Un)fortunately we now have the Hostname XS module
  which tends to succeed.
- CPAN has a lot of nice feature tests. But who puts CPAN in a setuid
  root program?

Solution:
- No . in @INC in a setuid script.
(or make the . tainted, but that's too ugly)

--
Security moves forward one hack at a time
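The fix proposed in this report ("no . in @INC") can be applied at the top of a script, before any optional require runs. The following is an added example written for this page; it is not code from the ticket, the reporter, or the Perl project. It assumes a Unix-style system where trusted module directories are absolute paths starting with /, and the module name Some::Optional::Module is a hypothetical placeholder for whatever optional dependency a script probes with eval { require ... }.

```perl
#!/usr/bin/perl
# Added example (not from the ticket): remove the current directory from @INC
# at compile time, so an eval { require ... } that fails to find an installed
# module can never be satisfied by a file in the caller's working directory.
use strict;
use warnings;

# BEGIN runs before any later use/require in this file is compiled, which is
# the only point early enough to protect every module load that follows.
BEGIN {
    @INC = grep {
        ref $_                         # keep @INC hooks (code refs, objects)
        || (defined $_ && $_ ne ''     # drop empty entries (also mean cwd)
            && $_ ne '.'               # drop the literal current directory
            && m{^/})                  # keep only absolute paths (assumption:
    } @INC;                            # Unix path layout)
}

# Probe an optional module the way the ticket describes, but against the
# sanitized @INC. Returns a message saying where the module really came from,
# so a reviewer can confirm it was loaded from a system directory.
sub try_optional {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;   # Foo::Bar -> Foo/Bar.pm
    my $ok = eval { require $file; 1 };
    return $ok
        ? "loaded $module from $INC{$file}"
        : "optional $module unavailable, using fallback: $@";
}

print "\@INC now: @INC\n";
print try_optional('Some::Optional::Module'), "\n";   # hypothetical module name
```

To audit what a given perl binary searches by default, `perl -le 'print for @INC'` lists the entries; any `.` or relative entry is the condition this report is about. Note that Perl 5.26.0 and later no longer put `.` in the default @INC at all (the old behaviour can only be restored with the PERL_USE_UNSAFE_INC environment variable), so the BEGIN block above matters on older interpreters or where a wrapper has re-added the current directory.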


p5pRT commented Mar 29, 2000

From [Unknown Contact. See original ticket]

> Consider:
> - a setuid script without -T
>   ^^^^^^^^^^^^^^^^^^^^^^^^

I think you're forgetting something.

--tom


p5pRT commented Mar 29, 2000

From [Unknown Contact. See original ticket]

On Thu, Mar 30, 2000 at 04:01:14AM +0000, Ton Hospel wrote:

> Consider:
> - a setuid script without -T in the arguments puts . in @INC

A setuid script that doesn't have -T in its argument list still has tainting
enabled. One has to explicitly disable tainting with -U. If one does, one
deserves what one gets.

Michael
--
Administrator www.shoebox.net
Programmer, System Administrator www.gallanttech.com
--
