Re: sperl 5.00503 (and newer ;) exploit

[Paul Szabo <psz () MATHS USYD EDU AU>]

(Elias: you may want to pass this on to the list, as it seems not all
readers were aware that the replacement string must be the same length.)

I wrote:

> There have been some source patches posted. But what if you are too lazy
> (or busy) to re-build perl (or the person who built it is on holidays)?
> Use a binary editor to patch the suidperl binary, something like:
>
>   cd /usr/local/bin
>   cp -i suidperl suidperl.ORIG
>   perl -pe 's/mail root/NOmailZZZ/' < suidperl.ORIG > suidperl
>   chmod 4711 suidperl

One reader wondered how can the replaced executable still work:

> Do you really think that this executable will do anything apart from
> just dumping core?
> $ cp /usr/bin/perl . ; perl -pi -e 's,root,r00th,' perl
> $ ./perl
> Segmentation fault (core dumped)

Note that the replacement string MUST be the same length. Sorry, I should
have mentioned that in my original message.

Another reader wondered about its effectiveness:

> ...and what if someone will create symlink NOmailZZZ -> /bin/mail?;>

Note that the full string in suidperl is '/bin/mail root', so my replaced
suidperl would attempt to invoke /bin/NOmailZZZ. If your attacker can
create a symlink in /bin then you are already toast, and he should not
bother messing around with suidperl.

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia