Subject: Re: sperl 5.00503 (and newer ;) exploit
From: Paul Szabo (psz MATHS.USYD.EDU.AU)
Date: Tue Aug 08 2000 - 04:23:11 CDT
- Next message: TAKAGI, Hiromitsu: "Brown Orifice HTTPD Directory Traversal Vulnerability (was Re: Dangerous Java/Netscape Security Hole)"
- Previous message: Solar Designer: "Re: sperl 5.00503 (and newer ;) exploit"
- Maybe in reply to: Michal Zalewski: "sperl 5.00503 (and newer ;) exploit"
- Next in thread: Simon Cozens: "Re: sperl 5.00503 (and newer ;) exploit"
- Maybe reply: Paul Szabo: "Re: sperl 5.00503 (and newer ;) exploit"
(Elias: you may want to pass this on to the list, as it seems not all
readers were aware that the replacement string must be the same length.)

I wrote:

> There have been some source patches posted. But what if you are too lazy
> (or busy) to re-build perl (or the person who built it is on holidays)?
> Use a binary editor to patch the suidperl binary, something like:
>
> cd /usr/local/bin
> cp -i suidperl suidperl.ORIG
> perl -pe 's/mail root/NOmailZZZ/' < suidperl.ORIG > suidperl
> chmod 4711 suidperl

One reader wondered how the replaced executable can still work:

> Do you really think that this executable will do anything apart from
> just dumping core?
> $ cp /usr/bin/perl . ; perl -pi -e 's,root,r00th,' perl
> $ ./perl
> Segmentation fault (core dumped)

Note that the replacement string MUST be the same length. Sorry, I should
have mentioned that in my original message.

Another reader wondered about its effectiveness:

> ...and what if someone will create symlink NOmailZZZ -> /bin/mail?;>

Note that the full string in suidperl is '/bin/mail root', so my replaced
suidperl would attempt to invoke /bin/NOmailZZZ. If your attacker can
create a symlink in /bin then you are already toast, and he should not
bother messing around with suidperl.
Paul Szabo - psz maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
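
An added example, not part of the original post: a small Python sketch of the same-length rule discussed above, showing that an equal-length replacement leaves every other byte at its original offset while a longer one shifts everything after it. The function names and the sample byte string are constructed for illustration; only the strings 'mail root', 'NOmailZZZ', 'root' and 'r00th' come from the message.

```python
# Added illustration; helper names and SAMPLE are constructed, not from the post.

def patch_same_length(image, old, new, expect=1):
    """Replace `old` with `new` in a binary image without moving any other byte.

    Refuses to patch if the lengths differ or if the string does not occur
    exactly `expect` times, so an unexpected binary is never half-patched.
    """
    if len(old) != len(new):
        raise ValueError("length mismatch: %d != %d" % (len(old), len(new)))
    found = image.count(old)
    if found != expect:
        raise ValueError("expected %d occurrence(s), found %d" % (expect, found))
    return image.replace(old, new)


def changed_offsets(before, after):
    """Offsets at which two equal-length images differ."""
    if len(before) != len(after):
        raise ValueError("images differ in size")
    return [i for i, (x, y) in enumerate(zip(before, after)) if x != y]


# Constructed stand-in for a binary: a 16-byte header, the NUL-terminated
# command string, then data that the program would locate by fixed offset.
SAMPLE = b"\x7fELF" + b"\x00" * 12 + b"/bin/mail root\x00" + b"later-data\x00"
LATER_OFFSET = SAMPLE.index(b"later-data")


def demo():
    good = patch_same_length(SAMPLE, b"mail root", b"NOmailZZZ")
    # A naive replacement with a longer string, as in the reader's test.
    shifted = SAMPLE.replace(b"root", b"r00th")
    return {
        "same_size": len(good) == len(SAMPLE),
        "touched": changed_offsets(SAMPLE, good),
        "later_offset_kept": good.index(b"later-data") == LATER_OFFSET,
        "naive_shift": shifted.index(b"later-data") - LATER_OFFSET,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```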