Date:      Thu, 10 Aug 2000 20:19:44 +0200 (CEST)
From:      Torbjorn Kristoffersen <sgt@netcom.no>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: suidperl exploit
Message-ID:  <Pine.BSF.4.21.0008102014330.1705-100000@hal.netforce.no>
In-Reply-To: <Pine.GSO.4.10.10008101904060.733-100000@nenya.ms.mff.cuni.cz>


Hi Vladimir

If you type 'strings /usr/bin/suidperl | grep bin/mail' you'll get
	
/bin/mail root

Since /bin/mail is hardcoded into suidperl, and FreeBSD has its 'mail'
program in /usr/bin instead, you couldn't observe an effect.

I don't think there'll be a patch to this problem. Everyone should
instead download the recent version.

--
Torbjorn Kristoffersen
sgt@netcom.no
Digiweb Norway A/S

On Thu, 10 Aug 2000, Vladimir Mencl, MK, susSED wrote:

> 
> 
> I just came over the suidperl + mail vulnerability in Linux, and I was
> wondering whether it would work in FreeBSD.
> 
> (See http://www.securityfocus.com/bid/1547 for reference)
> 
> When I tried the exploit, no effect could be observed. However, a
> significant part of the exploit lies in the undocumented feature of
> /bin/mail program - interactive behavior and interpretation of ~!
> sequences, even for stdin not a tty, when the "interactive" environment
> variable is set.
> 
> The second part of the exploit is in the fact that, when the suid
> script dev+inode# identification changes, suidperl reports it to root by
> emailing in a very insecure manner - executing bin/mail in exactly the
> same environment as user provided for running suidperl - and passing the
> "interactive" variable.
> 
> On FreeBSD, I've not observed the reporting email even after a fair
> amount of time devoted to cause the race-condition.
> 
> 
> Either because I've not succeeded in causing it, or because suidperl
> avoids reporting the issue.
> 
> 
> I've not found any security advisory regarding this - can anybody
> comment on this? Has there been a silent fix to this?
> 
> 
> 
> 		Thanks
> 
> 			Vlada
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 
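The quoted message describes suidperl running its mail helper "in exactly the same environment as user provided", including the "interactive" variable. As an added example (not code from this thread or from Perl's source), here is a C routine that runs a helper by absolute path with an allow-listed environment; the allow-list contents, the 16-slot buffer and the function names are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumed allow-list: the only caller variables a helper may inherit. */
static const char *const ALLOWED[] = { "TZ", "LANG", NULL };

/* Return 1 if the "NAME=value" entry names an allow-listed variable. */
static int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t len = (size_t)(eq - entry);
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == len && strncmp(ALLOWED[i], entry, len) == 0)
            return 1;
    return 0;
}

/* Fill `out` (room for `cap` pointers) with a fixed PATH plus the
 * allow-listed entries of `in`, NULL-terminated. Returns the entry count. */
size_t build_clean_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) { if (cap) out[0] = NULL; return 0; }
    out[n++] = "PATH=/usr/bin:/bin";   /* never trust the caller's PATH */
    for (size_t i = 0; in != NULL && in[i] != NULL && n + 1 < cap; i++)
        if (env_allowed(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

/* Run the helper at absolute `path` with the cleaned environment.
 * Returns its exit status, or -1 on failure or abnormal exit. */
int run_helper(const char *path, char *const argv[], char *const caller_env[])
{
    const char *clean[16];
    int status;
    build_clean_env(caller_env, clean, 16);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, (char *const *)clean);
        _exit(127);                    /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```
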






