Bugtraq mailing list archives
Re: sperl 5.00503 (and newer ;) exploit
From: Paul Szabo <psz () MATHS USYD EDU AU>
Date: Tue, 8 Aug 2000 19:23:11 +1000
(Elias: you may want to pass this on to the list, as it seems not all readers were aware that the replacement string must be the same length.)

I wrote:

> There have been some source patches posted. But what if you are too lazy (or busy) to re-build perl (or the person who built it is on holidays)? Use a binary editor to patch the suidperl binary, something like:
>
>   cd /usr/local/bin
>   cp -i suidperl suidperl.ORIG
>   perl -pe 's/mail root/NOmailZZZ/' < suidperl.ORIG > suidperl
>   chmod 4711 suidperl

One reader wondered how can the replaced executable still work:

> Do you really think that this executable will do anything apart from just dumping core?
>
>   $ cp /usr/bin/perl . ; perl -pi -e 's,root,r00th,' perl
>   $ ./perl
>   Segmentation fault (core dumped)

Note that the replacement string MUST be the same length. Sorry, I should have mentioned that in my original message.

Another reader wondered about its effectiveness:

> ...and what if someone will create symlink NOmailZZZ -> /bin/mail?;>

Note that the full string in suidperl is '/bin/mail root', so my replaced suidperl would attempt to invoke /bin/NOmailZZZ. If your attacker can create a symlink in /bin then you are already toast, and he should not bother messing around with suidperl.

Paul Szabo - psz () maths usyd edu au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
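The same-length rule from the message above, as an added example that is not part of the original post: a Python helper that refuses a substitution whose length differs, keeps a backup, and restores the file mode after writing. The function name `patch_same_length`, the file name `suidperl.sample` and the sample bytes are constructed for illustration; only the two substitutions come from the thread.

```python
import os
import shutil
import stat
import tempfile


def patch_same_length(path, old, new, backup_suffix=".ORIG"):
    """Replace `old` with `new` in a binary file without moving any offset.

    Hypothetical helper: refuses replacements of a different length, keeps a
    backup, and returns the number of occurrences replaced.
    """
    if len(old) != len(new):
        raise ValueError(f"length mismatch: {len(old)} vs {len(new)} bytes")
    with open(path, "rb") as f:
        data = f.read()
    count = data.count(old)
    if count == 0:
        raise LookupError(f"{old!r} not found in {path}")
    backup = path + backup_suffix
    if os.path.exists(backup):  # like `cp -i`: never clobber an earlier backup
        raise FileExistsError(backup)
    shutil.copy2(path, backup)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "wb") as f:
        f.write(data.replace(old, new))
    # Writing can clear the setuid bit; restore the original mode bits
    # (the post does the same by hand with chmod 4711).
    os.chmod(path, mode)
    return count


def demo():
    """Run both cases from the thread on a constructed stand-in file."""
    # Constructed bytes, not a real suidperl image.
    blob = b"\x7fELF\x01\x02" + b"/bin/mail root\x00" + b"\x90" * 16
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "suidperl.sample")
        with open(target, "wb") as f:
            f.write(blob)
        replaced = patch_same_length(target, b"mail root", b"NOmailZZZ")
        with open(target, "rb") as f:
            after = f.read()
        try:  # the reader's 4-byte to 5-byte substitution must be refused
            patch_same_length(target, b"root", b"r00th")
            refused = False
        except ValueError:
            refused = True
    return replaced, len(after) == len(blob), b"/bin/NOmailZZZ\x00" in after, refused
```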