Re: BoS: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)

[taob () IO ORG (Brian Tao)]

On Sun, 30 Jun 1996, Dan Polivy wrote:
> Does /bin/bash exist on your system?  Is the script setuid to
> anything?   (It should have either the user or group +s, i think)  It
> worked for me on my FreeBSD machines (2.1 and -stable)...

    Small glitch on my mistake... I had tried the script as originally
presented to me, with #!/usr/bin/perl.  Changing that to suidperl
alters the results (I thought perl automatically fed a setuid script
to suidperl).

    On a BSD/OS 2.0 system, running the script produces "Can't swap
uid and euid.".  The exploit works on my FreeBSD systems from 2.1R
through to 2.2-960501-SNAP.  2.2-960612-SNAP appears to have already
fixed the problem.  I imagine the recent 2.1.5 snapshots are not
vulnerable either, but I haven't had a chance to verify.
--
Brian Tao (BT300, taob () io org, taob () ican net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"