develooper Front page | perl.perl5.porters | Postings from March 2000

Potential setuid security hole

Thread Next
From:
thospel
Date:
March 29, 2000 20:01
Subject:
Potential setuid security hole
Message ID:
8bujia$5nt$1@post.home.lunix
Consider:
 - a setuid script without -T in the arguments puts . in @INC
 - eval { require something; } is a standard coding technique.

So all you have to do to execute any code as the setuid user is find 
a program path where it will check for an option that is in fact not installed
on your system. Make sure that you have a file something.pm with your code
in your current directory and you're home free.

Other ways of having the system fail to read the installed system modules 
should also work (run the system out of memory at the critical moments ?)

I couldn't directly find a trivial exploit with the standard distribution,
since I tend to have everything compiled in, and all my requires in fact
work.

A few good candidates: 
 - lib::AnyDBM_File is a direct hit if you don't have NDBM_File
 - Sys::Hostname is fun if you can get it to go for syscall.ph (half the
   world never ran h2ph). (Un)fortunately we now have the Hostname XS module
   which tends to succeed.
 - CPAN has a lot of nice feature tests. But who puts CPAN in a setuid
   root program ?

Solution:
 - No . in @INC in a setuid script.
(or make the . tainted, but that's too ugly)

-- 
Security moves forward one hack at a time

Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About