Bugtraq mailing list archives

Re: sperl 5.00503 (and newer ;) exploit

From: "Greg A. Woods" <woods () weird com>
Date: Tue, 8 Aug 2000 14:27:03 -0400

[ On Monday, August 7, 2000 at 14:58:08 (-0400), Francis J. Lacoste wrote: ]

Subject: Re: sperl 5.00503 (and newer ;) exploit


Regarding the suidperl / mailx security problem, here are
two patches which closes the hole in perl and in mailx.

The perl bug is closed by using syslog rather than /bin/mail

The mailx patch (against 8.1.1 + redhat/debian patches) does
the following :

      - Do not lookup options in the environment.
      - Do not read rc files when running with uid != euid
      - Unset interactive when sending mail with uid != euid
        or when stdin is not a tty.


I've been rather dismayed by the number of people posting patches which
claim to "fix" mailx, aka BSD Mail.  One could contend that it's not
even broken in the first place!

This mail user agent, like almost all others except perhaps the original
V7 /bin/mail (which is the only version of '/bin/mail' Perl was no doubt
expecting to use!), was never really designed to be used safely by root,
either for sending or reading e-mail, and it most certainly was not
designed to be used for sending e-mail safely from a privileged
application!  Now I've probably been guilty of doing all of the above at
one time or another, but that doesn't mean it is safe to do!

While patches such as these which have been proposed address the
currently discovered "features", those of us who remember playing with
restricted shells on commercial Unixes in days gone by will also know
that this is probably far from the only way a privileged application
could be fooled into giving away its privileges should it be foolish
enough to call upon something like mailx.

While the ultimate error may be in the fallacy of having a setuid script
interpreter, the mistake in this particular instance falls upon the
linux vendors who chose to offer a /bin/mail that radically changed the
assumptions an application like perl could be safe in making.

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>

Current thread:

sperl 5.00503 (and newer ;) exploit Michal Zalewski (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Michal Zalewski (Aug 07)
  - Re: sperl 5.00503 (and newer ;) exploit Olaf Kirch (Aug 07)
    - Re: sperl 5.00503 (and newer ;) exploit Joey Hess (Aug 07)
  - Re: sperl 5.00503 (and newer ;) exploit Pixel (Aug 07)
  - Re: sperl 5.00503 (and newer ;) exploit Francis J. Lacoste (Aug 07)
    - Re: sperl 5.00503 (and newer ;) exploit Greg A. Woods (Aug 09)
    - Re: sperl 5.00503 (and newer ;) exploit Thomas Roessler (Aug 10)
    - Re: sperl 5.00503 (and newer ;) exploit H. Peter Anvin (Aug 11)
- Re: sperl 5.00503 (and newer ;) exploit Kyle Sparger (Aug 07)
- <Possible follow-ups>
- Re: sperl 5.00503 (and newer ;) exploit Paul Rogers (Aug 07)
  - Re: sperl 5.00503 (and newer ;) exploit Solar Designer (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Simon Cozens (Aug 07)
- Re: sperl 5.00503 (and newer ;) exploit Paul Szabo (Aug 07)
  - Re: sperl 5.00503 (and newer ;) exploit Matthew Kirkwood (Aug 08)
- Re: sperl 5.00503 (and newer ;) exploit Paul Szabo (Aug 08)
- Re: sperl 5.00503 (and newer ;) exploit Simon Cozens (Aug 09)

(Thread continues...)