Subject: Re: sperl 5.00503 (and newer ;) exploit
From: Randal L. Schwartz (merlyn@STONEHENGE.COM)
Date: Wed Aug 09 2000 - 16:20:05 CDT
>>>>> "Simon" == Simon Cozens <simon@OTHERSIDEOFTHE.EARTH.LI> writes:
Simon> You didn't say which version of Perl this was from, but versions prior
Simon> to 5.6.0 use csh for globbing. ("<*.foo>" and so on.)
Simon> I *believe* this was sanity checked for naughty input ("<*|rm
Simon> -rf />") etc. but I can't verify that right now because I
Simon> don't have <5.6.0 handy, but even if not, this would require
Simon> programmer insecurity, not Perl insecurity.
Simon> By which I mean, if you're writing
Simon>
Simon> @foo = <*|rm -rf />;
Simon> in a setuid script, you get what's coming to you. If you're doing that
Simon> with *external input* in a suid root program, you deserve to be hung, drawn,
Simon> quartered and then really, really hurt.
No, it was not checked. Try this in any pre 5.6 Perl:
print <;echo guess who;date>;
You'll get something like
guess who
Wed Aug 9 14:17:13 PDT 2000
And this has been known since at least the time I was constructing
JAPHs circa 1990, because I used it for one of them:
Date: 28 Feb 90 01:32:25 GMT
From: merlyn@iwarp.intel.com (Randal Schwartz)
@a=<;echo Just another Perl hacker,>; print join(" ", @a);
And that's been replicated to CPAN mirrors all over the world, such
as <http://cpan.perl.org/misc/japh>.
If taint mode (command line -T, or setuid detected) was enabled, all
globbing was fatal, but I think that only went in around 5.004 (about
two years ago).
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
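The defensive counterpart to the glob behaviour discussed in this thread, added here as an example and not taken from the original post or from Perl itself: enumerate files matching untrusted input without the pattern ever reaching a shell, which is what pre-5.6 `<...>` did via csh. The function names (`safe_pattern`, `glob_to_regex`, `list_matching`) and the sample inputs are my own.

```perl
#!/usr/bin/perl
# Added example (not from the original post, not Perl's own code): list files
# matching an untrusted pattern without handing it to a shell, which is what
# pre-5.6 glob() / <...> did via csh. Also runs cleanly under perl -T.
use strict;
use warnings;

# Whitelist the pattern: filename-safe characters plus the two glob
# metacharacters we choose to honour. ';', '|', '`', '$', whitespace and
# everything else are refused before they could mean anything to a shell.
# The capture is the only way tainted input gets laundered here.
sub safe_pattern {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_.*?-]{1,64})\z/ ? $1 : undef;
}

# Turn the validated glob pattern into an anchored regex:
# '*' -> '.*', '?' -> '.', every other character quoted literally.
sub glob_to_regex {
    my ($pat) = @_;
    my $re = join '', map { $_ eq '*' ? '.*' : $_ eq '?' ? '.' : quotemeta }
                      split //, $pat;
    return qr/\A$re\z/;
}

# Enumerate one directory with opendir/readdir and the regex above. No
# shell is involved; dotfiles are skipped as a shell glob would skip them.
sub list_matching {
    my ($dir, $raw) = @_;
    my $pat = safe_pattern($raw);
    die "rejected pattern\n" unless defined $pat;
    my $re = glob_to_regex($pat);
    opendir(my $dh, $dir) or die "opendir $dir: $!\n";
    my @hits = grep { !/\A\./ && /$re/ } readdir $dh;
    closedir $dh;
    return sort @hits;
}

# Constructed inputs: the second has the shape of the injection shown in the
# post and is refused instead of executed.
for my $input ('*.pl', ';echo guess who;date') {
    my @files = eval { list_matching('.', $input) };
    print "$input => ", ($@ ? $@ : (@files ? "@files\n" : "(none)\n"));
}
```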