Re: Security hole with perl (suidperl) and nosuid mounts on Linux
Jan B. Koum (jkb BEST.COM) Fri, 15 Jan 1999 00:14:01 -0800
This is WAAAY far from being news. In the FreeBSD mount man page
we can read:
nosuid Do not allow set-user-identifier or set-group-identifier
bits to take effect. Note: this option is worthless if a
public available suid or sgid wrapper like suidperl(1) is
installed on your system.
This man page has been in public domain for a long time too. :)
-- Yan
On Thu, Jan 14, 1999 at 05:58:15PM +0000, Brian McCauley <B.A.McCauley BHAM.AC.UK> wrote:
> The following message is a courtesy copy of an article
> that has been posted to comp.os.linux.misc,comp.os.linux.development.system,comp.lang.perl.misc as well.
>
> The suid script emulation in Perl 5.0004_4 (as found in SuSE Linux 5.3
> and doubtless other Linux distributions) fails to take account of the
> nosuid mount option on filesystems.
>
> This means that it is trivial for a resourceful user to hide a setuid
> perl script on a CD or floppy and then use it to become root. Many
> systems are (even by default) configured to allow users to mount floppies
> and CDs nosuid.
>
> The most obvious fix to Perl for this would be (where available) to
> use fstatvfs() (as defined in SUSv2) to determine if the script is on
> a filesystem that is mounted with the nosuid option.
>
> Unfortunately fstatvfs() is not implemented in Linux (as of 2.2pre1).
> It would not be difficult to add the new system call. Indeed the
> existing fstatfs() implementation could simply be modified to
> implement fstatvfs() semantics and both syscalls could then point to
> the same code.
>
> This vulnerability will exist in all Unices that use a user-space
> implementation of suid-scripts and implement a nosuid mount option in
> such a way that it does not modify the values returned by fstat().
>
> It is worth noting that other suid-aware script-interpreters will
> probably also display this vulnerability on Linux because of the
> absence of fstatvfs().
>
> --
> \\ ( ) No male bovine | Email: B.A.McCauley bham.ac.uk
> . _\\__[oo faeces from | Phones: +44 121 471 3789 (home)
> .__/ \\ /\ /~) /~[ /\/[ | +44 121 627 2173 (voice) 2175 (fax)
> . l___\\ /~~) /~~[ / [ | PGP-fp: D7 03 2A 4B D8 3A 05 37...
> # ll l\\ ~~~~ ~ ~ ~ ~ | http://www.wcl.bham.ac.uk/~bam/
> ###LL LL\\ (Brian McCauley) |