Bugtraq mailing list archives
Re: sperl 5.00503 (and newer ;) exploit
From: "Randal L. Schwartz" <merlyn () STONEHENGE COM>
Date: Wed, 9 Aug 2000 14:20:05 -0700
"Simon" == Simon Cozens <simon () OTHERSIDEOFTHE EARTH LI> writes:
Simon> You didn't say which version of Perl this was from, but versions prior
Simon> to 5.6.0 use csh for globbing. ("<*.foo>" and so on.)

Simon> I *believe* this was sanity checked for naughty input ("<*|rm
Simon> -rf />") etc. but I can't verify that right now because I
Simon> don't have <5.6.0 handy, but even if not, this would require
Simon> programmer insecurity, not Perl insecurity.

Simon> By which I mean, if you're writing
Simon> @foo = <*|rm -rf />;
Simon> in a setuid script, you get what's coming to you. If you're doing that
Simon> with *external input* in a suid root program, you deserve to be hung, drawn,
Simon> quartered and then really, really hurt.

No, it was not checked. Try this in any pre 5.6 Perl:

    print <;echo guess who;date>;

You'll get something like

    guess who
    Wed Aug 9 14:17:13 PDT 2000

And this has been known since at least the time I was constructing
JAPHs circa 1990, because I used it for one of them:

    Date: 28 Feb 90 01:32:25 GMT
    From: merlyn () iwarp intel com (Randal Schwartz)

    @a=<;echo Just another Perl hacker,>;
    print join(" ",@a);

And that's been replicated to CPAN mirrors all over the world, such as
<http://cpan.perl.org/misc/japh>.

If taint mode (command line -T, or setuid detected) was enabled, all
globbing was fatal, but I think that only went in around 5.004 (about
two years ago).

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn () stonehenge com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
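An added example, not part of the original message and not code from Perl itself: on a Perl older than 5.6.0, where per this thread the glob operator hands its pattern to csh, a script can match file names by reading the directory itself so that no shell is ever started. The helper names safe_glob and glob_to_regex are hypothetical, only the * and ? wildcards are handled, and the sample patterns are constructed for the demonstration.

```perl
#!/usr/bin/perl -w
# Added example: shell-free replacement for <*.foo> on Perls whose glob
# operator passes the pattern to csh. safe_glob() and glob_to_regex() are
# hypothetical helpers, not part of any Perl distribution.
use strict;

# Translate a simple glob (*, ?, literal characters) into an anchored regex.
# Every other character is quoted, so ';', '|' and backticks are only ever
# compared against file names and never interpreted by a shell.
sub glob_to_regex {
    my ($pat) = @_;
    my $re = '';
    foreach my $ch (split //, $pat) {
        if    ($ch eq '*') { $re .= '.*' }
        elsif ($ch eq '?') { $re .= '.' }
        else               { $re .= quotemeta($ch) }
    }
    return '^' . $re . '\z';
}

# List the entries of $dir that match $pat without starting a child process.
sub safe_glob {
    my ($dir, $pat) = @_;
    # Keep the match inside one directory: no path separators in the pattern.
    die "pattern must not contain '/'\n" if $pat =~ m{/};
    my $re = glob_to_regex($pat);
    local *DIR;
    opendir(DIR, $dir) or die "opendir $dir: $!\n";
    # Like the shell, skip dotfiles unless the pattern itself starts with '.'.
    my @hits = sort grep { /$re/s && ($pat =~ /^\./ || !/^\./) } readdir(DIR);
    closedir(DIR);
    return @hits;
}

# Constructed sample input: an ordinary pattern, then the pattern quoted in
# the message above. The second is treated as a literal file name to look
# for, so it matches only a file that really has that name.
foreach my $pat ('*.foo', ';echo guess who;date') {
    my @files = safe_glob('.', $pat);
    print "pattern [$pat] matched ", scalar(@files), " file(s): @files\n";
}
```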