From owner-freebsd-security Thu Aug 10 11:19:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from link.mirror.org (link.mirror.org [216.38.7.35])
    by hub.freebsd.org (Postfix) with ESMTP id 15C3B37B734
    for ; Thu, 10 Aug 2000 11:19:38 -0700 (PDT)
    (envelope-from sgt@netcom.no)
Received: from hal (34-d10-1.svg1.netcom.no [212.45.182.227])
    by link.mirror.org (8.7.5/8.7.3) with ESMTP id OAA14923
    for ; Thu, 10 Aug 2000 14:19:28 -0400
Date: Thu, 10 Aug 2000 20:19:44 +0200 (CEST)
From: Torbjorn Kristoffersen
X-Sender: sgt@hal.netforce.no
To: freebsd-security@FreeBSD.ORG
Subject: Re: suidperl exploit
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Vladimir

If you type 'strings /usr/bin/suidperl | grep bin/mail' you'll get

/bin/mail root

Since /bin/mail is hardcoded into suidperl, and FreeBSD has its 'mail'
program in /usr/bin instead, you couldn't observe an effect.

I don't think there'll be a patch to this problem. Everyone should
instead download the recent version.

--
Torbjorn Kristoffersen sgt@netcom.no
Digiweb Norway A/S

On Thu, 10 Aug 2000, Vladimir Mencl, MK, susSED wrote:

>
>
> I just came across the suidperl + mail vulnerability in Linux, and I was
> wondering whether it would work in FreeBSD.
>
> (See http://www.securityfocus.com/bid/1547 for reference)
>
> When I tried the exploit, no effect could be observed. However, a
> significant part of the exploit lies in the undocumented feature of the
> /bin/mail program - interactive behavior and interpretation of ~!
> sequences, even for stdin not a tty, when the "interactive" environment
> variable is set.
>
> The second part of the exploit is in the fact that, when the suid
> script dev+inode# identification changes, suidperl reports it to root by
> emailing in a very insecure manner - executing bin/mail in exactly the
> same environment as the user provided for running suidperl - and passing
> the "interactive" variable.
>
> On FreeBSD, I've not observed the reporting email even after a fair
> amount of time devoted to causing the race condition.
>
>
> Either because I've not succeeded in causing it, or because suidperl
> avoids reporting the issue.
>
>
> I've not found any security advisory regarding this - can anybody
> comment on this? Has there been a silent fix to this?
>
>
>
> Thanks
>
> Vlada
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
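
The quoted message traces the problem to a privileged program running its mail helper in the environment the user supplied, "interactive" variable included. As an added example (not code from this thread or from perl; `clean_env`, `names`, `is_allowed` and the allow-list are assumptions made for illustration), this C program builds the environment a setuid program could hand to such a helper instead of passing the caller's through:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed allow-list for this example: names the helper may inherit. */
static const char *const ALLOWED[] = { "TZ", "LANG", NULL };

/* Return 1 if entry is "name=..." for exactly this name. */
static int names(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Return 1 if the entry's variable name is on the allow-list. */
static int is_allowed(const char *entry)
{
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (names(entry, ALLOWED[i]))
            return 1;
    return 0;
}

/* Build the helper's environment: a fixed PATH, then allow-listed entries
 * from envp. Only the returned array is allocated; free() it when done. */
char **clean_env(char *const envp[])
{
    size_t count = 0, k = 0;
    while (envp[count] != NULL)
        count++;
    char **out = calloc(count + 2, sizeof *out);   /* + PATH + NULL */
    if (out == NULL)
        return NULL;
    out[k++] = "PATH=/usr/bin:/bin";
    for (size_t i = 0; i < count; i++)
        if (is_allowed(envp[i]))
            out[k++] = envp[i];
    out[k] = NULL;
    return out;               /* use as the envp argument of execve(2) */
}

int main(void)
{
    /* Constructed caller environment, as an unprivileged user could set it. */
    char *user_env[] = { "interactive=1", "PATH=/tmp", "TZ=UTC", NULL };
    char **env = clean_env(user_env);
    for (size_t i = 0; env != NULL && env[i] != NULL; i++)
        puts(env[i]);
    free(env);
    return 0;
}
```

Anything not named on the allow-list, including the caller's PATH and the "interactive" variable, never reaches the helper.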