Re: sperl 5.00503 (and newer ;) exploit

["Randal L. Schwartz" <merlyn () STONEHENGE COM>]

> > > > > "Simon" == Simon Cozens <simon () OTHERSIDEOFTHE EARTH LI> writes:

Simon> You didn't say which version of Perl this was from, but versions prior
Simon> to 5.6.0 use csh for globbing. ("<*.foo>" and so on.)

Simon> I *believe* this was sanity checked for naughty input ("<*|rm
Simon> -rf />") etc.  but I can't verify that right now because I
Simon> don't have <5.6.0 handy, but even if not, this would require
Simon> programmer insecurity, not Perl insecurity.

Simon> By which I mean, if you're writing
Simon>     @foo = <*|rm -rf />;
Simon> in a setuid script, you get what's coming to you. If you're doing that
Simon> with *external input* in a suid root program, you deserve to be hung, drawn,
Simon> quartered and then really, really hurt.

No, it was not checked.  Try this in any pre 5.6 Perl:

    print <;echo guess who;date>;

You'll get something like

    guess who
    Wed Aug  9 14:17:13 PDT 2000

And this has been known since at least the time I was constructing
JAPHs circa 1990, because I used it for one of them:

    Date:         28 Feb 90 01:32:25 GMT
    From:         merlyn () iwarp intel com (Randal Schwartz)
    @a=<;echo Just another Perl hacker,>; print join(" ",@a);

And that's been replicated to CPAN mirrors all over the world, such
as <http://cpan.perl.org/misc/japh>.

If taint mode (command line -T, or setuid detected) was enabled, all
globbing was fatal, but I think that only went in around 5.004 (about
two years ago).

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn () stonehenge com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!