Subject: Re: sperl 5.00503 (and newer ;) exploit
From: Simon Cozens (simonOTHERSIDEOFTHE.EARTH.LI)
Date: Mon Aug 07 2000 - 04:34:09 CDT


Michal Zalewski (lists.security):
>Requires: +s perl; bash, gcc, make, usleep (yup, usleep; it's not
>available on every system, but I have no time to rewrite everything in C;
>you can grab this code from RedHat distro or so) will be good... Don't
>mail me if you can't use it - it works.

Michal reported this to the perl5-porters last night, and I mailed him back
after a few minutes with a fix. (+10 points for contacting vendors in advance
of contacting Bugtraq, -5 points for not pointing out a fix is available. :)

That fix, which just crudely dykes out the /bin/mail code, is available at
http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-08/msg00347.html
or, if you're desperate, here:

--- perl.c~ Sun Aug 6 22:08:32 2000
+++ perl.c Sun Aug 6 22:10:13 2000
-2851,6 +2851,7
            if (tmpstatbuf.st_dev != PL_statbuf.st_dev ||
                tmpstatbuf.st_ino != PL_statbuf.st_ino) {
                (void)PerlIO_close(PL_rsfp);
+#ifdef DISGUSTINGLY_INSECURE
                if (PL_rsfp = PerlProc_popen("/bin/mail root","w")) { /* heh, heh */
                    PerlIO_printf(PL_rsfp,
 "User %"Uid_t_f" tried to run dev %ld ino %ld in place of dev %ld ino %ld!\n\
-2860,7 +2861,8
                        CopFILE(PL_curcop),
                        PL_statbuf.st_uid, PL_statbuf.st_gid);
                    (void)PerlProc_pclose(PL_rsfp);
- }
+ }
+#endif
                Perl_croak(aTHX_ "Permission denied\n");
            }
            if (
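Review bot: the "- }" / "+ }" pair ahead of the added #endif shows no difference other than whitespace as rendered here; if it is whitespace-only, drop it so the hunk carries just the #endif line and applies with less trouble to older trees (the message itself asks pre-5.6.0 users to allow for fuzz). The #endif should also get a trailing /* DISGUSTINGLY_INSECURE */ comment, since its #ifdef sits in the previous hunk. Perl_croak(aTHX_ "Permission denied\n") stays outside the guard, which is right: the mismatch must still abort.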

Allow for a bit of fuzz if you're patching pre-5.6.0, and have a nice
day.

--
If I ever manage to lose the weight I put on in 18 months of be $PHB and
having no life, I am *really* going to have to go shopping for some
PVC. - Skud, the other place.