Date: Fri, 15 Jan 1999 13:54:56 +0100 (CET)
From: Zahemszky Gabor <zgabor@CoDe.hu>
To: freebsd-security@FreeBSD.ORG
Subject: Security hole with perl (suidperl) and nosuid mounts on Linux (fwd)
Message-ID: <199901151254.NAA00746@CoDe.hu>

I've got it today from bugtraq. Most of it is documented on my 2.2.7's
mount(8) manpage, but ...

Bye,
Gabor
ZGabor at CoDe dot HU

----- Forwarded message from Brian McCauley -----

>From owner-bugtraq@NETSPACE.ORG Fri Jan 15 12:36:03 1999
Approved-By: aleph1@UNDERGROUND.ORG
References: <u9zp7n2gg6.fsf@wcl-l.bham.ac.uk>
X-Newsreader: Gnus v5.5/Emacs 20.2
Lines: 34
Posted-To: comp.os.linux.misc,comp.os.linux.development.system,comp.lang.perl.misc
Message-ID: <u9ogo1u47c.fsf@wcl-l.bham.ac.uk>
Date: Thu, 14 Jan 1999 17:58:15 +0000
Reply-To: Brian McCauley <B.A.McCauley@BHAM.AC.UK>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Brian McCauley <B.A.McCauley@BHAM.AC.UK>
Organization: University of Birmingham
Subject: Security hole with perl (suidperl) and nosuid mounts on Linux
X-To: perlbug@perl.com, security-audit@ferret.lmh.ox.ac.uk, submission@rootshell.com
To: BUGTRAQ@NETSPACE.ORG

The following message is a courtesy copy of an article that has been
posted to comp.os.linux.misc,comp.os.linux.development.system,comp.lang.perl.misc
as well.

The suid script emulation in Perl 5.0004_4 (as found in SuSE Linux 5.3
and doubtless other Linux distributions) fails to take account of the
nosuid mount option on filesystems. This means that it is trivial for
a resourceful user to hide a setuid perl script on a CD or floppy and
then use it to become root. Many systems are (even by default)
configured to allow users to mount floppies and CDs nosuid.

The most obvious fix to Perl for this would be (where available) to
use fstatvfs() (as defined in SUSv2) to determine if the script is on
a filesystem that is mounted with the nosuid option.

Unfortunately fstatvfs() is not implemented in Linux (as of 2.2pre1).
It would not be difficult to add the new system call. Indeed the
existing fstatfs() implementation could simply be modified to implement
fstatvfs() semantics and both syscalls could then point to the same
code.

This vulnerability will exist in all Unices that use a user-space
implementation of suid-scripts and implement a nosuid mount option in
such a way that it does not modify the values returned by fstat().

It is worth noting that other suid-aware script-interpreters will
probably also display this vulnerability on Linux because of the
absence of fstatvfs().

--
      \\  ( )   No male bovine    | Email: B.A.McCauley@bham.ac.uk
 .   _\\__[oo   faeces from       | Phones: +44 121 471 3789 (home)
.__/  \\ /\@  /~)  /~[  /\/[      |   +44 121 627 2173 (voice) 2175 (fax)
.  l___\\    /~~) /~~[ /   [      | PGP-fp: D7 03 2A 4B D8 3A 05 37...
 # ll  l\\  ~~~~ ~   ~ ~    ~     | http://www.wcl.bham.ac.uk/~bam/
###LL  LL\\ (Brian McCauley)      |

----- End of forwarded message from Brian McCauley -----

--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"
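
The check proposed in the forwarded message, sketched as an added example (not part of the original posts and not Perl's own code): a user-space set-id emulator consults fstatvfs() on the already-open script and refuses the set-id bits when the filesystem is mounted nosuid. The names suid_policy and check_script_fd are hypothetical, and the sketch assumes a platform whose fstatvfs() reports ST_NOSUID in f_flag.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Hypothetical names; this is an illustration, not suidperl's source. */
enum suid_decision { SUID_NONE = 0, SUID_HONOUR = 1, SUID_REFUSE_NOSUID = 2 };

/* Pure policy: fstat() mode bits alone are not enough, because a nosuid
 * mount leaves st_mode unchanged. The mount flags must be checked too. */
enum suid_decision suid_policy(mode_t mode, unsigned long mount_flags)
{
    if (!(mode & (S_ISUID | S_ISGID)))
        return SUID_NONE;              /* nothing to emulate */
    if (mount_flags & ST_NOSUID)
        return SUID_REFUSE_NOSUID;     /* admin disabled set-id on this mount */
    return SUID_HONOUR;
}

/* Query the same descriptor that will be executed, so the answer cannot
 * be raced by swapping the path. Returns -1 (fail closed) on any error. */
int check_script_fd(int fd)
{
    struct stat st;
    struct statvfs vfs;

    if (fstat(fd, &st) != 0 || fstatvfs(fd, &vfs) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return -1;
    return suid_policy(st.st_mode, vfs.f_flag);
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "no set-id bits", "honour set-id bits",
                                 "refuse: filesystem mounted nosuid" };
    if (argc != 2) {
        fprintf(stderr, "usage: %s script\n", argv[0]);
        return 2;
    }
    int fd = open(argv[1], O_RDONLY);
    int d = (fd < 0) ? -1 : check_script_fd(fd);
    if (fd >= 0)
        close(fd);
    puts(d < 0 ? "error: treat as refuse" : msg[d]);
    return d == SUID_HONOUR || d == SUID_NONE ? 0 : 1;
}
```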