From owner-freebsd-security Thu Aug 10 10:29:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179]) by hub.freebsd.org (Postfix) with ESMTP id 61B7C37B7A7 for ; Thu, 10 Aug 2000 10:29:38 -0700 (PDT) (envelope-from mencl@nenya.ms.mff.cuni.cz)
Received: from localhost (mencl@localhost) by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id TAA25257 for ; Thu, 10 Aug 2000 19:29:31 +0200 (MET DST)
Date: Thu, 10 Aug 2000 19:29:31 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: freebsd-security@FreeBSD.ORG
Subject: suidperl exploit
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I just came across the suidperl + mail vulnerability in Linux, and I was wondering whether it would work in FreeBSD. (See http://www.securityfocus.com/bid/1547 for reference.)

When I tried the exploit, no effect could be observed.

However, a significant part of the exploit lies in the undocumented feature of the /bin/mail program: interactive behavior and interpretation of ~! sequences, even when stdin is not a tty, when the "interactive" environment variable is set.

The second part of the exploit is in the fact that, when the suid script dev+inode# identification changes, suidperl reports it to root by emailing in a very insecure manner: executing /bin/mail in exactly the same environment as the user provided for running suidperl, and passing the "interactive" variable.

On FreeBSD, I've not observed the reporting email even after a fair amount of time devoted to causing the race condition. Either because I've not succeeded in causing it, or because suidperl avoids reporting the issue.

I've not found any security advisory regarding this. Can anybody comment on this? Has there been a silent fix to this?

Thanks
Vlada

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
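The defensive counterpart to the problem described in the post is to never let a privileged program hand its caller's environment to a helper such as /bin/mail. The following is an added example, not code from the post, from suidperl or from FreeBSD: it copies only allowlisted variables into a fresh environment array suitable for execve(), forcing a fixed PATH and dropping everything else (so a caller-supplied "interactive" variable cannot reach the mailer). The allowlist contents, the fixed PATH value and the sample environment are constructed assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed allowlist: variables a privileged helper may inherit from the
 * caller. PATH is deliberately absent because it is replaced with a
 * fixed value below; "interactive" is absent so /bin/mail never sees it. */
static const char *const allowed[] = { "TZ", "LANG", NULL };

/* Assumed safe PATH for the helper, independent of the caller's PATH. */
static const char safe_path[] = "PATH=/bin:/usr/bin";

/* Return 1 if the variable name (first n bytes of an "NAME=value" entry)
 * is on the allowlist, 0 otherwise. */
static int is_allowed(const char *name, size_t n) {
    for (size_t i = 0; allowed[i]; i++)
        if (strlen(allowed[i]) == n && strncmp(allowed[i], name, n) == 0)
            return 1;
    return 0;
}

/* Release an array produced by sanitize_env(). */
void free_env(char **env) {
    if (!env) return;
    for (size_t i = 0; env[i]; i++) free(env[i]);
    free(env);
}

/* Heap copy of a C string (avoids relying on strdup's feature macros). */
static char *copy_str(const char *s) {
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p) memcpy(p, s, len);
    return p;
}

/* Build a fresh NULL-terminated environment from envp containing only
 * allowlisted entries plus the fixed PATH. Returns NULL on allocation
 * failure. Malformed entries (no '=') are dropped. */
char **sanitize_env(char *const *envp) {
    size_t count = 0;
    for (char *const *e = envp; *e; e++) count++;
    /* room for every input entry, the forced PATH and the terminator */
    char **out = calloc(count + 2, sizeof *out);
    if (!out) return NULL;
    size_t n = 0;
    for (char *const *e = envp; *e; e++) {
        const char *eq = strchr(*e, '=');
        if (!eq) continue;
        size_t namelen = (size_t)(eq - *e);
        if (!is_allowed(*e, namelen)) continue;
        out[n] = copy_str(*e);
        if (!out[n]) { free_env(out); return NULL; }
        n++;
    }
    out[n] = copy_str(safe_path);
    if (!out[n]) { free_env(out); return NULL; }
    out[n + 1] = NULL;
    return out;
}

/* Look up NAME in an environment array; returns its value or NULL. */
const char *env_get(char *const *env, const char *name) {
    size_t n = strlen(name);
    for (char *const *e = env; *e; e++)
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=') return *e + n + 1;
    return NULL;
}

/* Number of entries in a NULL-terminated environment array. */
size_t env_len(char *const *env) {
    size_t n = 0;
    while (env[n]) n++;
    return n;
}

int main(void) {
    /* Constructed caller environment of the kind the post describes. */
    char *caller_env[] = {
        "PATH=/tmp:/bin", "interactive=1", "TZ=UTC", "HOME=/home/user", NULL
    };
    char **clean = sanitize_env(caller_env);
    if (!clean) return 1;
    /* clean is what you would pass as the envp argument to execve()
     * when spawning the notification mailer from the privileged program. */
    for (size_t i = 0; clean[i]; i++) puts(clean[i]);
    free_env(clean);
    return 0;
}
```

The important property is that the output array is built from the allowlist outward, so any variable the caller adds, whatever its name, is absent unless the privileged program explicitly chose to forward it.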