Subject: Re: (debian) Re: suidperl; more
From: Dunker, Noah (NDunker FISHNETSECURITY.COM)
Date: Tue Aug 08 2000 - 15:45:18 CDT
BTW: FreeBSD 4.0 isn't vulnerable (for a few reasons):
The first is the same as Debian:
suidperl calls /bin/mail (it's hardcoded) and FreeBSD uses /usr/bin/mail
Also, there is no /bin/bash. If you install the bash package, it's
/usr/local/bin/bash
If I symlink /bin/mail --> /usr/bin/mail and modify the script so that
boomsh calls /bin/sh, this exploit does work with FreeBSD 4.0.
I've long since gotten rid of my FreeBSD 3.x and 2.x boxen, so I don't have
a good way to test old FreeBSD releases. I'll try OpenBSD 2.7 and NetBSD
1.4.2 when I get home. I'm guessing the recent releases of all *BSD are
probably not vulnerable due to the location of mail (and the fact that
/bin/bash doesn't exist, but any script kiddie can change the script to
/bin/sh).
Noah Dunker
Network Security Engineer
FishNet Security
816.421.6611
http://www.fishnetsecurity.com
-----Original Message-----
From: Alexander Oelzant [mailto:aoe OEH.NET]
Sent: Tuesday, August 08, 2000 8:04 AM
To: BUGTRAQ SECURITYFOCUS.COM
Subject: (debian) Re: suidperl; more
On Mon, Aug 07, 2000 at 06:07:57PM +0200, Sebastian wrote:
> So far, there are more security-related apps which use /bin/mail
> for logging
Debian again proves to be highly security-aware: it does not even
have a /bin/mail and is thus safe from this very attack. Of course,
using /usr/bin/mail works fine, so any applications where /bin/mail
was not hardcoded would be affected.
hth
Alexander
-- Alexander Oelzant alexanderoelzant.priv.at
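The two preconditions discussed in this thread, a setuid suidperl and a mailer at the hardcoded /bin/mail path, can be checked on a host or a mounted image with a short audit script. This is an added example, not part of either post; the binary names `suidperl`/`sperl*`, the searched directories and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reports whether a filesystem tree has
# both preconditions the posts discuss: a setuid suidperl and a /bin/mail.

# Assumption: setuid perl is installed as "suidperl" or "sperl<version>".
SUIDPERL_DIRS="/bin /usr/bin /usr/local/bin"

# list_suidperl ROOT -> prints each setuid suidperl binary found under ROOT
list_suidperl() {
    for dir in $SUIDPERL_DIRS; do
        for f in "$1$dir"/suidperl "$1$dir"/sperl*; do
            # -u is true only when the file exists with the set-user-ID bit
            if [ -f "$f" ] && [ -u "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# has_bin_mail ROOT -> status 0 if ROOT/bin/mail is present
has_bin_mail() {
    # A symlink counts: the post reports /bin/mail -> /usr/bin/mail is enough.
    [ -x "$1/bin/mail" ] || [ -L "$1/bin/mail" ]
}

# suidperl_exposure [ROOT] -> status 0 if both preconditions hold, else 1
suidperl_exposure() {
    root="${1:-}"
    root="${root%/}"   # "" is the live system; a prefix audits an image or chroot
    bins=$(list_suidperl "$root")
    if [ -z "$bins" ]; then
        echo "no setuid suidperl found"
        return 1
    fi
    if has_bin_mail "$root"; then
        echo "EXPOSED: /bin/mail present and setuid perl at:"
        echo "$bins"
        return 0
    fi
    echo "setuid suidperl present, but no /bin/mail (hardcoded path missing)"
    return 1
}
```

Source the file and call `suidperl_exposure` with no argument for the running system, or with the mount point of an image to audit it offline.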