From owner-freebsd-security Sun Apr 20 09:15:43 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA28435 for security-outgoing; Sun, 20 Apr 1997 09:15:43 -0700 (PDT)
Received: from cwsys.cwent.com (66@cschuber.net.gov.bc.ca [142.31.240.113]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA28430 for ; Sun, 20 Apr 1997 09:15:37 -0700 (PDT)
Received: (from uucp@localhost) by cwsys.cwent.com (8.8.5/8.6.10) id JAA11910; Sun, 20 Apr 1997 09:15:27 -0700 (PDT)
Message-Id: <199704201615.JAA11910@cwsys.cwent.com>
Received: from localhost.cwent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwent.com, id smtpd011907; Sun Apr 20 16:15:26 1997
Reply-to: cschuber@uumail.gov.bc.ca
X-Mailer: MH
To: igor@alecto.physics.uiuc.edu (Igor Roshchin)
cc: Freebsd-security@freebsd.org, cschuber@uumail.gov.bc.ca
Subject: Re: Buffer overflow in sperl5.003 (fwd) -- Is this relevant to FreeBSD ?
In-reply-to: Your message of "Thu, 17 Apr 1997 23:02:07 CDT." <199704180402.XAA11899@alecto.physics.uiuc.edu>
Date: Sun, 20 Apr 1997 09:15:25 -0700
From: Cy Schubert
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On one of my 2.1.6 systems at home, all I got was segmentation violations
and bus errors, meaning if the right offset was used this exploit would
work. Since sperl5.003 doesn't work on 2.1.x systems you're better off
deleting the binary.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

                "Quit spooling around, JES do it."

> Hello!
>
> Does anybody know if this hole exists on FreeBSD ?
>
> Thanks!
>
> IgoR
>
> Forwarded message:
> >From owner-bugtraq@NETSPACE.ORG Thu Apr 17 19:40:09 1997
> Approved-By: aleph1@UNDERGROUND.ORG
> MIME-Version: 1.0
> Content-Type: MULTIPART/MIXED; BOUNDARY="-242971389-615984271-861311469=:24662"
> Message-ID:
> Date: Thu, 17 Apr 1997 14:11:09 -0700
> Reply-To: Murphy
> Sender: Bugtraq List
> From: Murphy
> Subject: Buffer overflow in sperl5.003
> To: BUGTRAQ@NETSPACE.ORG
>
> This message is in MIME format. The first part should be readable text,
> while the remaining parts are likely unreadable without MIME-aware tools.
> Send mail to mime@docserver.cac.washington.edu for more info.
>
> ---242971389-615984271-861311469=:24662
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
>
> It's come to my attention that there is a buffer overflow bug in
> sperl5.003 that will allow local users to gain root access, if SUID root.
> The exploit and bug was made and brought to my attention by Willy Tarreau
> (tarreau@aemiaif.ibp.fr).
> Attached is the source for the exploit. Since it requires some work to
> be done to the compiled exploit (Stripping of 5 bytes at the beginning and
> end of the binary), the precompiled Linux x86 exploit can be found at
> http://www.ecst.csuchico.edu/~jtmurphy/localusers.html.
>
> PS. Have a nice day.
>
> --
> ----------------------------------------------------------------------------
> Jason T. Murphy | Finger for PGP Public Key | jtmurphy@ecst.csuchico.edu
> The Linux Security Home Page -> http://www.ecst.csuchico.edu/~jtmurphy
> Security buff, Linux Freak, PC Tech @ Chico State, and all around nice guy.
>
> ---242971389-615984271-861311469=:24662
> Content-Type: APPLICATION/octet-stream; name="sperlexp.tgz"
> Content-Transfer-Encoding: BASE64
> Content-ID:
> Content-Description:
>
> ---242971389-615984271-861311469=:24662--
>
>