Re: (debian) Re: suidperl; more

["Dunker, Noah" <NDunker () FISHNETSECURITY COM>]

BTW: FreeBSD 4.0 isn't vulnerable (for a few reasons):

The First is the same as Debian:
suidperl calls /bin/mail (it's hardcoded) and FreeBSD uses /usr/bin/mail

Also, there is no /bin/bash.  If you install the bash package, it's
/usr/local/bin/bash

If I symlink /bin/mail --> /usr/bin/mail and modify the script so that
boomsh calls /bin/sh, this exploit does work with FreeBSD 4.0.

I've long since gotten rid of my FreeBSD 3.x and 2.x boxen, so I don't have
a good way to test old FreeBSD releases.  I'll try OpenBSD 2.7 and NetBSD
1.4.2 when I get home.  I'm guessing the recent releases of all *BSD are
probably not vulnerable due to the location of mail (and the fact that
/bin/bash doesn't exist, but any script kiddie can change the script to
/bin/sh).

Noah Dunker

Network Security Engineer
FishNet Security
816.421.6611
http://www.fishnetsecurity.com

-----Original Message-----
From: Alexander Oelzant [mailto:aoe () OEH NET]
Sent: Tuesday, August 08, 2000 8:04 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: (debian) Re: suidperl; more


On Mon, Aug 07, 2000 at 06:07:57PM +0200, Sebastian wrote:
> So far, there are more security-releated apps which use /bin/mail
> for logging

Debian again proves to be highly security-aware: it does not even
have a /bin/mail and is thus safe from this very attack. Of course,
using /usr/bin/mail works fine, so any applications where /bin/mail
was not hardcoded would be affected.

hth
   Alexander

--
Alexander Oelzant               alexander () oelzant priv at