Bugtraq mailing list archives
Buffer overflow in sperl5.003
From: jtmurphy () CRAY1 ECST CSUCHICO EDU (Murphy)
Date: Thu, 17 Apr 1997 14:11:09 -0700
This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime () docserver cac washington edu for more info. ---242971389-615984271-861311469=:24662 Content-Type: TEXT/PLAIN; charset=US-ASCII Its came to my attention that there is a buffer overflow bug in sperl5.003 that will allow local users gain root access, if SUID root. The exploit and bug was made and brought to my attention by Willy Tarreau (tarreau () aemiaif ibp fr). Attached is the source for the exploit. Since it requires some work to be done to the compiled exploit (Stripping of 5 byte at the begining and end of the binary), the precompiled Linux x86 exploit can be found at http://www.ecst.csuchico.edu/~jtmurphy/localusers.html. PS. Have a nice a day. -- ---------------------------------------------------------------------------- Jason T. Murphy | Finger for PGP Public Key | jtmurphy () ecst csuchico edu The Linux Security Home Page -> http://www.ecst.csuchico.edu/~jtmurphy Security buff, Linux Freak, PC Tech @ Chico State, and all around nice guy. ---242971389-615984271-861311469=:24662 Content-Type: APPLICATION/octet-stream; name="sperlexp.tgz" Content-Transfer-Encoding: BASE64 Content-ID: <Pine.LNX.3.96.970417141109.24662B () cray1 ecst csuchico edu> Content-Description: H4sIAFcBVTMAA+1a3W7bRhb2rWf3IY6VdCW5FEXq17Wboq5joNk2sRHL6AZt kY7IkTQIf7TDoSyi6GKBvepF36WPsBd7tcA+xD7G3u05Q0p2ksJuCltG0PkS WyJneOZwZr7znUMzmwsVtbfuFNDzhkMftgBgOOybT7/XM58VPIBBt9PveF7f G2Cr7/e7W9C/W7dK5JnmCmALfyvB82v6CZVtwqHNIjPrr1XBo8g1B7c/hu95 w/416z/sDsr194eDbh/3gt8ddAZb4N2+K2/jd77+D3baY5m0dZDN2APQMwHZ TEQRJDwWIDOYyoVIYFxAXQSzFFoJuK5bB56EEOPUwViAWPJARwUMIZhxlcFM KOGgsVRBkeZ1NDbjCwE6hTgN5aQoR9E8eAVjngmYYEc6Vf/y+LAOMsm0ygMt 0wS/UwOaytJcBdhDLEXg8r1B3cWTL9IcAp5AkM4LaOeZMnciQxqpreO5cVLl iTmg82Ra8NCF0YzrOt5bmlLn1GXm3mqn6MDZMTw+gWcnIzjHr6PPn5zB6ASO nh8efQGHcPbibHT81IHPzkfw5/OzEbWNjvHzxcn587NvduhfjWVCw4JH8AgD 2dBjFzMZCWg8pFMfg9/pec1ywJEqZDIFamBr/w0H+67ndeE7t63m2rQfBFyD uXvsc7Bainp5xax+4LZFNgeMn9+xT2nsDz9kIgnZzetf8v/58eHjp8d3tceQ /4OBdw3/O70V/4fdYQdbO37Xt/zfBI5mAnmIPFUw53pmyFhtwSXCgXweco2h QFdshCxQEnflVckgpjFimtQu0ZI4nwgRAgcKLERIatUzDCjl5S6cmOhgCFxe CTFPcjRZuOwkgbiADixwyjEOZA6sWeEbVl+SxKEriRi5FhmOp9JUVyGMa4b8 67qMjdBtwbNCYMC64MVr/uB/PMxkPMcQpos5RpmYvxJ1F55QjDiN8mnrWes0 wsv2W03GHqdJHa2kShXAx2muzaTUMjGNRaK5iVsTnke6RgGwNiHum2CKgQai NJnWIBZZxqcic8kxtKKwR6piDA+ZTDDMXcZHdE6JCyW1xiC8w9hXEucHRuVW Zazas59yEUsuJ64cz92J+hWsv0TJ/6d4x+Tp3ewx4n/vGv73r+h/x+8T/4de 1/J/E0DC7QNpBynNSmDYtvtaSshYEAme7LNtFUNrsu6/66aw+zcUYCUYe2CA ujxCocf9tLbmvJkGIPf2AXi2N4DWeN0NVuKOJojjyILyUqRAnC5KWvRhIhWy mDr0IeKUgRTE/AuJwYsD2uFITBFKjexrjAVfNNHeE5irdCHDiltlNkF5islK yFkaJ09CXGNNtmfpBQUWpPkrpCnd1TvCMPWdmHg/KPmPC+oGdzbGDfzvdHqX /B/2u8T/Tqdv+b8JtHdvDW3W3gU44lGQR5QyXMrYPJWJFooS03yV76O0ISen iscunBnZQ76FqchIXqEytiAyYxZQYLERYHKi0hjSRKyuJPbyJMWBFCX3a36T 3JocwDHHlTEldK4SzEpKNyjzwOoF1zVcRQ9TEPAgyBUPCioTBKDAz1HjKVFI sMfasyrQTEi3MeFIcSD8xFuozAZpgim7SPAnvOomFjeU81eojGFnzWVCDRwn S5kkIp3g+VC48BVXpmlnx3hUer++GarCzJStjJkoy5OCDEidQa+KkFSVoCOe Q3kJxTaMUOQp+lvHWoG6l85h6rM2tqqx5pT/lLOkpguTMeVjjdOEobjySKdX CzuBMyOoeiTPK2PSOJDpECfVfdeAukZl7Hbw24yVadgvG7tFOrEHyIsox139 MU6aTN3ZJ4xllGMGuBsjiUSYClzaeaMJ3zOAly95Fr982cAMM11E8AG2OB8I voRa84D9wFiMewwaSEVaxMAx5Trs7tKKlgYoPUUVzOSUdhZefoAnqX8oAh49 8uiQzkygQRY+8ZtVC9eppFOLr/1vm1UvvPzRyr2W6UYNE8pmReNP5FvP8Z1y NzSvbfrhPdDR9xWl/mMyd3/67/e6w3X93xl4Rv+79vnfRnCLAWt3F0mMEnWp 7KuyGkvLKINVrVw+UkzyeIx6iKpj5MmFzwoMJqZyNqpNtqiFpNdb9nxo1A/r TbiYSUwEsOJQGCbSJMxQzhLSMMowIjg6PSeNqWHgBBEsa1TFk6UgzaOwlMax oAeaQlNCgl1xXeHZySk0vOVHXtOBsfESB6XoiPpGqYXJSf6aY3QiW3MUSc3H ERUS5rlIhuW7Ng8YjL6JSAQmFUjXD0xoSPP4AC8/TIoLXjhQe/LsCI6P/lJb Zz2YSdBwVH+sTqETybTMaigZqGfoOd6FxArGIWPkwYSShmrCx4onwUxkq4c1 sQxDdBRnmfITZ5WgmKcfpP/UB8XfJVvst+kgu80dhKL3i6pH0nWdclGTrISH 8suGfEOT5IFslfOPC5hrMtCgbdU8AMAMoNovJOGoXEupG97vQ3iq+q8qve9m jJue//hDbxX/+/2eef7T92z83wi2MVWkne9gOGXbS6QOJowO/rDteZ7NwHyL BAcxXjpfY6fW8Fu2zUOTHjp+52q38tsYvxmjIdoJqgMeOb7Ptomm3nLPY9v3 fd8WJa7wH0vauxnjJv5D9fefbr8zMLHA79i//24IP/7X/+fpT988/N8//vXH 07Mf//3zH/7z9/v2yWJzeO39j6lIhJK3Xgje9P5Hf9i78v5Pj1p9r2P5vwlc ff/j8r2Fj/befm3BW7220Erg+enIvJYA++zh7q95T4HewLjmPYUrb0y8PXSn t5mhcZg3h+7t3eXQ9732FhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYW FhYWFhYWFhYW7yf+D4S0HUYAUAAA ---242971389-615984271-861311469=:24662--
Current thread:
- Sendmail Vulnerability. Alan Brown (Apr 14)
- TcpWrappers and Sendmail Neil Harkins (Apr 15)
- Handy change I made in ltread.c Nathan D. Faber (Apr 15)
- NIS+ and signed directory objects Sun Security Coordination (Apr 15)
- Update on PHP/FI hole Shamanski (Apr 16)
- Buffer overflow in sperl5.003 Murphy (Apr 17)
- Re: Buffer overflow in sperl5.003 David Luyer (Apr 17)
- Re: Buffer overflow in sperl5.003 Jon Lewis (Apr 19)
- [NTSEC] ALERT - NT security flaw announcement Aleph One (Apr 18)
- Beta testers wanted for new security tool! Alfred Huger (Apr 18)
- IRIX 6.x /cgi-bin/wrap bug J.A. Gutierrez (Apr 19)
- Re: Buffer overflow in sperl5.003 David Luyer (Apr 17)
- PHP/FI command line buffer overflow David Sacerdote (Apr 17)
- Sun Security Bulletin #00138 Aleph One (Apr 17)