Vulnerability Development mailing list archives
Some work needed
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Sun, 6 Aug 2000 14:58:38 +0200
It's just another BQ cross-post, but I guess this is the right forum. I attached sperl up to 5.06 (I mean, all current versions) exploit. Unfortunately, it's poorly written - slow shell-script doing some brute-forcing, probably working only on fast Linux / BSD boxes. It gives root shell. What I ask you to do is spend some time to make it more usable - faster, more accurate and portable. This exploit is "proof of concept" tool, but C version will be simply better. So, anyone interested?

Here's how it works (from BQ post, but I'm not sure if Aleph won't bounce it):

-- snip! --

a) If you'll try to fool perl, forcing it to execute one file instead of another (quite complicated condition, refer to source code), it generates such mail to administrator:

From: Bastard Operator <root () nimue tpi pl>
To: root () nimue tpi pl

User 500 tried to run dev 769 ino 343180 in place of dev 769 ino 343183!
(Filename of set-id script was /some/thing, uid 500 gid 500.)

Sincerely,
perl

It is sent using /bin/mail root call with environment preserved. This condition is quite easy to reach - my code is extremely ugly and slow (it's written in bash), so it requires reasonably fast machine (like pII/pIII x86 box). It can be optimized, of course.

b) In this mail, you'll find script name, taken from argv[1].

c) /bin/mail has undocumented feature; if interactive=something, it will interpret ~! sequence even if not running on the terminal; it is not safe to use /bin/mail at privileged level.

Three things, combined, allow you to execute command using ~! passed in script name. This command creates suid shell.

-- snip! --

You can find more comments in attached source.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
Attachment:
xperl.sh
Description:
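The post describes a root compromise that depends on a setuid perl interpreter (sperl/suidperl) being installed, since it is the privileged perl that sends the warning mail through /bin/mail. The practical mitigation for an administrator is to find such binaries and drop their setuid bit. The following check is an added example written for this archive page; it is not part of Michal's post or the xperl.sh attachment. It assumes a POSIX sh with find(1), chmod(1) and mktemp(1), and that setuid perl binaries are named sperl* or suidperl* (the usual distribution naming; adjust the patterns if a vendor uses another name).

```shell
#!/bin/sh
# Added example, not from the original post: inventory setuid perl
# interpreters under a directory tree and remove their setuid bit.
# Assumes POSIX sh, find(1), chmod(1), mktemp(1); names sperl*/suidperl*
# are an assumption about how distributions name suidperl.

# Print, one per line, every regular file below $1 (default /) that has
# the setuid bit and a suidperl-style name. -xdev keeps find on one
# filesystem, which is usually what an audit of the system disk wants.
find_suid_perl() {
    root="${1:-/}"
    find "$root" -xdev -type f -perm -4000 \
        \( -name 'sperl*' -o -name 'suidperl*' \) 2>/dev/null
}

# Drop the setuid bit from every match and print the paths that were
# changed, so the run leaves an audit trail of what was modified.
strip_suid_perl() {
    root="${1:-/}"
    find "$root" -xdev -type f -perm -4000 \
        \( -name 'sperl*' -o -name 'suidperl*' \) \
        -exec chmod u-s {} \; -print 2>/dev/null
}

# Count matches without relying on wc's platform-specific padding.
count_suid_perl() {
    find_suid_perl "$1" | wc -l | tr -d ' '
}

# Self-contained demo on a constructed directory tree. No root is needed:
# a plain file owned by the caller can carry the setuid bit, which is all
# the detection looks at. Prints "<before> <fixed> <after>".
demo() {
    d=$(mktemp -d)
    touch "$d/sperl5.6.0" "$d/perl"
    chmod 4755 "$d/sperl5.6.0"   # constructed: looks like a setuid perl
    chmod 755 "$d/perl"          # constructed: ordinary, non-setuid perl
    before=$(count_suid_perl "$d")
    fixed=$(strip_suid_perl "$d" | wc -l | tr -d ' ')
    after=$(count_suid_perl "$d")
    rm -rf "$d"
    echo "$before $fixed $after"
}
```

Run `find_suid_perl /` as root to list candidates and `strip_suid_perl /` to fix them; on a system where nothing legitimately needs suidperl, the cleaner long-term fix is to uninstall the setuid interpreter rather than keep it around with the bit cleared.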
Current thread:
- Some work needed Michal Zalewski (Aug 06)
- Re: Some work needed Jonathan Leto (Aug 07)
- Re: Some work needed Michal Zalewski (Aug 08)
- Re: Some work needed White Vampire (Aug 09)
- Re: Some work needed Luis Pinto (Aug 08)
- Re: Some work needed White Vampire (Aug 09)
- Re: Perl exploit (was: Some work needed) Rafal Wojtczuk (Aug 08)
- Re: Some work needed Jonathan Leto (Aug 07)